Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expired CRL file prevents all users from connecting to OpenVPN Server #1231

Open
twocs opened this issue Sep 24, 2024 · 4 comments
Open

Expired CRL file prevents all users from connecting to OpenVPN Server #1231

twocs opened this issue Sep 24, 2024 · 4 comments

Comments

@twocs
Copy link

twocs commented Sep 24, 2024

The easy-rsa/easyrsa3/vars.example file describes EASYRSA_CRL_DAYS as a soft problem. But in reality it appears to prevent anyone from connecting to the server. I don't expect it's a fun Easter egg to discover when our VPN servers fail just because we trusted the defaults and nobody has left the company in 180 days.

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.

#set_var EASYRSA_CRL_DAYS       180

In my opinion, the code comment that "the CRL can still be parsed", does not match the actuality that everyone's getting a CRL expired error, precluding accessing the server. I believe that the code comment was written prior to OpenVPN 2.4 when the CRL method became "processed much more rigidly than before" https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired.

Other people describe the actual behaviour of this environment variable as:

make client fail to connect if the date past
pivpn/pivpn#567 (comment)

all VPN connections went down
https://www.reddit.com/r/OpenVPN/comments/11951c8/is_this_a_maintenance_item_easyrsa_gencrl/

my clients cannot connect... Debian [said] i should regenerate the CRL because it expired
https://forums.openvpn.net/viewtopic.php?t=23166#p67004

no further connections are allowed, even if other certs/keys themselves are still valid
https://forums.openvpn.net/viewtopic.php?t=27090#p81328

See easyrsa help gen-crl
https://github.com/OpenVPN/easy-rsa/wiki/EasyRSA-Renewal#-update-crl
(note that this comment simply indicates that gen-crl is an important part of ongoing maintenance, but this Wiki entry could also use a bit of context, since the output of easyrsa help gen-crl is simply: gen-crl Generate a CRL.).

The real fix seems to be to make SSL be able to parse the CRL after EASYRSA_CRL_DAYS, but an acceptable fix might simpy be to update the code comment to reflect the seriousness of this variable, such as:

# How many days until the next CRL publish date?  Note that the CRL will cease to 
# work after this timeframe passes. OpenVPN will respond to connection requests 
# with "VERIFY ERROR, CRL has expired" if the age of the CRL exceeds the days set.
#
#set_var EASYRSA_CRL_DAYS	180

Additionally, would you recommend that the value of 180 be increased to 825 or something high, to match the other defaults like EASYRSA_CERT_EXPIRE?

@TinCanTech
Copy link
Collaborator

I agree that the comment in the vars file could be improved.

FTR, this is not an easter-egg, this is how a CRL functions.

@TinCanTech TinCanTech self-assigned this Sep 26, 2024
@TinCanTech TinCanTech added this to the v3.2.2 milestone Sep 26, 2024
@TinCanTech TinCanTech changed the title EASYRSA_CRL_DAYS prevents all users from connecting Expired CRL file prevents all users from connecting to OpenVPN Server Sep 26, 2024
@dxdxdt
Copy link

dxdxdt commented Nov 10, 2024

I second this. Same issues with Dovecot. I reckon this is the default behaviour of OpenSSL.

@TinCanTech
Copy link
Collaborator

TinCanTech commented Nov 10, 2024

To clarify, OpenVPN behavior was changed in commit OpenVPN/openvpn@160504a.

This change invalidated this comment in Easy-RSA vars.example:

# How many days until the next CRL publish date?  Note that the CRL can still
# be parsed after this timeframe passes. It is only used for an expected next
# publication date.
#
#set_var EASYRSA_CRL_DAYS	180

This will be corrected before Easy-RSA release 3.2.2.

Also, improve the Easy-RSA command gen-crl output, to high-light this behavior change.

@dxdxdt
Copy link

dxdxdt commented Nov 10, 2024

@TinCanTech What are you doing on Sunday?!

Yes. The users should decide if they'd update CRL every 6 months or just set EASYRSA_CRL_DAYS with that of CA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants