Open DeadPo01 opened 1 year ago
I am not sure multiple CRLs for a CA are supported in OpenSSL. Also, you normally have just one CRL. Is there any other software that supports this setup? It would probably be better to look into OCSP and implement that than to try to get this weird delta CRL (I never heard of anyone doing that) to work.
We just add the CRLs to OpenSSL's X509_STORE
OpenSSL is responsible for using them correctly. What you describe is probably an internal OpenSSL behavior.
A quick Google search seems to suggest that multiple CRLs might work if they use the correct extensions to describe how they are limited, but by default OpenSSL will just use the first valid CRL it finds for a CA.
OpenSSL should not support multiple CRLs. But OpenVPN does!
In --capath there may be multiple files with CRLs.
In the crl-verify file there may be multiple concatenated CRLs, and OpenVPN sees them (from the log):
CRL: loaded 2 CRLs from file /etc/openvpn/ssl/crl.pem
So OpenVPN supports multiple CRLs, but uses only one of them - this is a bug.
I think it should take them one by one from the .pem file and pass each to openssl in a loop.
> We just add the CRLs to OpenSSL's X509_STORE
> OpenSSL is responsible for using them correctly. What you describe is probably an internal OpenSSL behavior. A quick Google search seems to suggest that multiple CRLs might work if they use the correct extensions to describe how they are limited, but by default OpenSSL will just use the first valid CRL it finds for a CA.
Aha... now I understand, OpenVPN just passes ALL the CRLs to openssl and awaits an answer from it, right? Handling of CRLs is fully on openssl?! So for openssl to handle CRLs correctly, I should form them correctly so that openssl understands them?!
> We just add the CRLs to OpenSSL's X509_STORE
> OpenSSL is responsible for using them correctly. What you describe is probably an internal OpenSSL behavior. A quick Google search seems to suggest that multiple CRLs might work if they use the correct extensions to describe how they are limited, but by default OpenSSL will just use the first valid CRL it finds for a CA.
> Aha... now I understand, OpenVPN just passes ALL the CRLs to openssl and awaits an answer from it, right? Handling of CRLs is fully on openssl?!
Yes, that is my understanding from the code.
> So for openssl to handle CRLs correctly, I should form them correctly so that openssl understands them?!
Yes. You could try with openssl verify to see whether that can handle your CRLs.
I have a Windows CA with 2 CRLs: one updates every 12 hours ("Delta" CRL) and the second updates every 5 days ("main" CRL). I concatenate them with openssl into one .pem file (just convert from DER to PEM and write both into one crl.pem file) and the OpenVPN server sees them, but it blocks revoked certs only from one of them, the "Delta" CRL. It doesn't matter which one stands first in the .pem file: delta or main. The OpenVPN server writes on load:
CRL: loaded 2 CRLs from file /etc/openvpn/ssl/crl.pem
So it can read them: delta and main. Here is the ca/crl config:
Same behaviour with --capath and CRLs in ca_hash.r format.
It blocks users only from one CRL: from delta_crl (which has the smaller list of revoked certs), no matter in which position it stands, ca_hash.r0 or ca_hash.r1. The bigger CRL (main) is ignored =(.
We have two CAs: RootCA and Issuing CA; the CRLs are from the Issuing CA. The Root CRL is empty for now, but after some time it will be used to block clients in OpenVPN too, so there will be 3 CRLs.
The CRLs work one at a time.
To Reproduce Make two CRLs from one CA, concatenate them into one PEM file for OpenVPN and try to connect with revoked certs that are contained in the bigger (I think) CRL...
Expected behavior Deny connection to anybody with a revoked certificate contained in all CRLs from one CA
Version information (please complete the following information): OpenVPN 2.6.5 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10