Red Hat Bugzilla – Bug 996892
empty crl.pem file will make openvpn stop/crash
Last modified: 2017-05-11 16:54:56 EDT
Description of problem:
Setting up OpenVPN with an empty crl.pem file by adding
to the configuration makes the process stop/crash when a client connects.
I use an empty file because I haven't revoked any keys yet.
A workaround is to have at least 1 revoked (dummy) key in there.
Version-Release number of selected component (if applicable):
Wed Aug 14 10:33:06 2013 192.168.122.1:60067 CRL: cannot read CRL from file CA/crl.pem
Wed Aug 14 10:33:06 2013 192.168.122.1:60067 Exiting due to fatal error
Might be related to https://community.openvpn.net/openvpn/ticket/83
Can you test with 2.3.2-1 from updates testing?
I updated from epel-testing.
The exact same issue.
Ok, I've commented on that bug.
This isn't really a bug. An empty CRL file is not a valid CRL file, so OpenVPN should complain and stop running so this can be fixed instantly.
The upstream Trac ticket seems somewhat related, but it is actually very different. That ticket is about a running server where the CRL file gets corrupted or becomes invalid. In that case, OpenVPN should _not_ stop, to allow established connections to keep going without any interruption.
What this ticket is about, is to start OpenVPN server with an empty CRL file, which should never be allowed.
My point is this:
> I use an empty file because I haven't revoked any keys yet.
Seems perfectly valid to me.
It would be rather clumsy to NOT have a crl configured at first, and then having to configure it once you start revoking keys.
An empty crl will allow a one-time setup and then simply putting the new crl file in place after revoking keys.
Personally I consider an empty crl perfectly valid and I think that OpenVPN should change to accept such a file.
I ran an extra check on OpenVPN v2.4.2 (released today) as the whole CRL handling has been changed in v2.4. Prior to v2.4, the CRL check was done internally in OpenVPN. From v2.4.0, the CRL checks have changed to use the SSL/TLS library's CRL validation (OpenSSL or mbed TLS).
With v2.4.2 built against OpenSSL 1.0, I see this in the log with an empty CRL file:
Thu May 11 22:46:13 2017 us=762534 CRL: cannot read CRL from file /tmp/empty.crl
I cannot guarantee that this will work if you later on update the CRL file with some revocations. But beware, this new CRL validation is actually much stricter than before, so now the CA must match the issuer of the CRL and the CRL cannot be expired, to mention a few of the issues people have complained about.
So it seems OpenSSL agrees with you, and it now works. So this issue is still closed.
A missing detail. OpenVPN does not stop running after that warning.
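A pre-flight check for the file handed to crl-verify, added here as an example and not taken from the bug report or from OpenVPN itself: it rejects the empty file from the report before the server ever sees it, then applies the stricter conditions the last comments mention for the 2.4 library-based validation (CRL issued by the trusted CA, CRL not expired). The function name check_crl, the openssl CLI calls and the GNU date -d used for the expiry check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenVPN): sanity-check a CRL
# before starting the server or swapping a new crl-verify file into place.
# Assumes the openssl CLI; the expiry step uses GNU "date -d" and is
# skipped silently where that is not available.

check_crl() {
    crl="$1"   # path to the CRL file intended for the crl-verify option
    ca="$2"    # path to the CA certificate OpenVPN trusts (the ca option)

    # 1. Empty file: the case from the report. Neither the old built-in
    #    parser nor the OpenSSL-based validation in 2.4 can read it as a CRL.
    if [ ! -s "$crl" ]; then
        echo "check_crl: '$crl' is missing or empty" >&2
        return 1
    fi

    # 2. The file must decode as a PEM CRL at all.
    if ! openssl crl -in "$crl" -noout >/dev/null 2>&1; then
        echo "check_crl: '$crl' is not a readable PEM CRL" >&2
        return 2
    fi

    # 3. The CRL signature must verify against the configured CA, i.e. the
    #    CRL issuer must be that CA (the stricter 2.4 requirement).
    if ! openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
        echo "check_crl: '$crl' was not issued by the CA in '$ca'" >&2
        return 3
    fi

    # 4. A nextUpdate in the past means the library treats the CRL as expired.
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    if exp=$(date -u -d "$next" +%s 2>/dev/null); then
        if [ "$exp" -le "$(date -u +%s)" ]; then
            echo "check_crl: '$crl' expired on $next" >&2
            return 4
        fi
    fi

    echo "check_crl: '$crl' is a valid CRL for '$ca' (nextUpdate $next)"
    return 0
}
```

Run it as `check_crl /etc/openvpn/crl.pem /etc/openvpn/ca.crt` from a deploy script and refuse to (re)start OpenVPN on a non-zero status.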