man: correct the description of --capath and --crl-verify regarding CRLs
The man page states that when using --capath, the user is required to
provide CRLs for CAs. This is not true and providing CRLs is optional -
both in the case of --capath as well as --crl-verify options. When the relevant
CRL is not found, OpenVPN simply logs the warning in the logs while
allowing the connection, e.g.:

VERIFY WARNING: depth=0, unable to get certificate CRL

This patch clarifies the behavior.

Signed-off-by: Michal Soltys <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg18343.html
Signed-off-by: Gert Doering <[email protected]>
msoltyspl authored and cron2 committed Jun 23, 2019
1 parent 7473f32 commit b3cfc43
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions doc/openvpn.8
Expand Up @@ -4598,11 +4598,8 @@ they are distributed with OpenVPN, they are totally insecure.
Directory containing trusted certificates (CAs and CRLs).
Not available with mbed TLS.

When using the
.B \-\-capath
option, you are required to supply valid CRLs for the CAs too. CAs in the
capath directory are expected to be named <hash>.<n>. CRLs are expected to
be named <hash>.r<n>. See the
CAs in the capath directory are expected to be named <hash>.<n>. CRLs are
expected to be named <hash>.r<n>. See the
.B \-CApath
option of
.B openssl verify
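Review bot: with the "you are required to supply valid CRLs for the CAs too" sentence dropped, the surviving "CRLs are expected to be named <hash>.r<n>" still reads as if a CRL is expected for every CA; suggest "CRLs, if provided, are expected to be named <hash>.r<n>" so the naming rule and the optional status agree within the same paragraph. Worth noting for readers of the old text: an administrator who took "required" literally may have assumed a missing <hash>.r<n> file would block the connection, whereas the commit message shows it only produces a warning, so revocation is actually enforced only when the CRL file is present under the expected name in the capath directory.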
Expand All @@ -4613,6 +4610,11 @@ option of
and
.B openssl crl
for more information.

Similarly to the
.B \-\-crl\-verify
option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs
if the relevant CRL is missing, but the connection will be allowed.
.\"*********************************************************
.TP
.B \-\-dh file
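Review bot: the added sentence needs a comma after "option" ("Similarly to the \-\-crl\-verify option, CRLs are not mandatory"), and "log the usual warning in the logs" is redundant; "the usual warning" is also undefined at this point in the man page, so suggest quoting it the way the later hunk does, e.g. "OpenVPN will log a warning (\fIVERIFY WARNING: depth=0, unable to get certificate CRL\fR) if the relevant CRL is missing, but the connection will be allowed."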
Expand Down Expand Up @@ -5685,6 +5687,10 @@ overall integrity of the PKI.
The only time when it would be necessary to rebuild the entire PKI from scratch would be
if the root certificate key itself was compromised.

The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log
a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get
certificate CRL\fR" \- but the connection will be allowed.

If the optional
.B dir
flag is specified, enable a different mode where
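Review bot: "The option is not mandatory" is ambiguous here, since \-\-crl\-verify is itself an optional option; the intended meaning, per the commit message, is that a CRL need not be present for every CA in the chain, so suggest "A CRL for every CA is not mandatory \- if the relevant CRL is missing, OpenVPN will log a warning ...", and drop the duplicated "log a warning in the logs". Because a missing CRL degrades to a warning rather than a verification failure, this paragraph is also the right place to tell operators who rely on revocation to alert on that VERIFY WARNING line in their logs.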