[SOLVED] Upgrade to 17.1 breaks OpenVPN Peer CRL check

Started by matthias.appel, February 01, 2017, 09:43:06 AM

Hey guys,

first of all a big Thank you for the great work making the upgrade to 17.1 so smooth! Everything except for one little detail worked out at our end.

We use OpenVPN for remote dial in with TLS authentication along with user authentication against our AD.
To issue the client certificates, we use a built-in CA and also maintain the certificate revocation list with these built-in tools.
After the upgrade to 17.1 the Peer CRL check performed by the OpenVPN server upon connection of a client fails, since it cannot find the CRL file at the specified location in the file system. This leads to rejection of all client certificates (also the valid ones). My current workaround is to disable the Peer CRL check in order to make VPN work again. But this is only a temporary solution. Could you please have a look into this?

Best Regards,

Matthias

Hi Matthias,

I'm going to look into it this week. I suspect the custom PHP CRL patches that never got picked up by upstream do not work correctly on 7.0.

Last time I checked, there is no authority for these patches, so we need to debug this ourselves. :/


Cheers,
Franco

I found it... https://github.com/opnsense/ports/commit/0eb5e274673

I'm trading test packages for Crypto/architecture combos (OpenSSL/amd64) -- need both to build the proper package for your installation.


Cheers,
Franco

Hi Franco,

Thank you very much for your support!

I just updated to 17.1.1 and the OpenVPN Peer CRL check works again.

Please keep up this excellent work :)

Cheers,
Matthias