Bug 996892 - empty crl.pem file will make openvpn stop/crash
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Hardware/OS: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-14 04:52 EDT by Ferry Huberts
Modified: 2017-05-11 16:54 EDT
Last Closed: 2017-05-11 16:34:20 EDT
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Ferry Huberts 2013-08-14 04:52:49 EDT
Description of problem:
Setting up OpenVPN with an empty crl.pem file by adding
  crl-verify  CA/crl.pem
to the configuration makes the process stop/crash when a client connects.

I use an empty file because I haven't revoked any keys yet.

A workaround is to have at least 1 revoked (dummy) key in there.

Version-Release number of selected component (if applicable):
openvpn.x86_64   2.3.1-3.el6

How reproducible:

Actual results:
Wed Aug 14 10:33:06 2013 CRL: cannot read CRL from file CA/crl.pem
Wed Aug 14 10:33:06 2013 Exiting due to fatal error

Additional info:
Might be related to https://community.openvpn.net/openvpn/ticket/83
Comment 1 Gwyn Ciesla 2013-08-14 08:45:42 EDT
Can you test with 2.3.2-1 from updates testing?
Comment 2 Ferry Huberts 2013-08-14 08:53:34 EDT
I updated from epel-testing.

The exact same issue.
Comment 3 Gwyn Ciesla 2013-08-14 10:31:46 EDT
Ok, I've commented on that bug.
Comment 4 David Sommerseth 2017-05-11 16:34:20 EDT
This isn't really a bug.  An empty CRL file is not a valid CRL file, so OpenVPN should complain and stop running so this can be fixed instantly.

The upstream Trac ticket seems somewhat related, but it is actually very different.  That ticket is about a running server where the CRL file gets corrupted or becomes invalid.  In that case, OpenVPN should _not_ stop, to allow established connections to keep going without any interruption.

What this ticket is about, is to start OpenVPN server with an empty CRL file, which should never be allowed.
Comment 5 Ferry Huberts 2017-05-11 16:41:56 EDT
My point is this:

> I use an empty file because I haven't revoked any keys yet.

Seems perfectly valid to me.

It would be rather clumsy to NOT have a crl configured at first, and then have to configure it once you start revoking keys.

An empty crl will allow a one-time setup and then simply putting the new crl file in place after revoking keys.

Personally I consider an empty crl perfectly valid and I think that OpenVPN should change to accept such a file.
Comment 6 David Sommerseth 2017-05-11 16:53:39 EDT
I ran an extra check on OpenVPN v2.4.2 (released today), as the whole CRL handling has been changed in v2.4.  Prior to v2.4, the CRL check was done internally in OpenVPN.  From v2.4.0, the CRL checks have changed to use the SSL/TLS library's CRL validation (OpenSSL or mbed TLS).

With v2.4.2 built against OpenSSL 1.0, I see this in the log with an empty CRL file:

Thu May 11 22:46:13 2017 us=762534 CRL: cannot read CRL from file /tmp/empty.crl

I cannot guarantee that this will work if you later on update the CRL file with some revocations.  But beware, this new CRL validation is actually much stricter than before, so now the CA must match the issuer of the CRL and the CRL cannot be expired, to mention a few of the issues people have complained about.

So it seems OpenSSL agrees with you, and it now works.  So this issue is still closed.
Comment 7 David Sommerseth 2017-05-11 16:54:56 EDT
A missing detail.  OpenVPN does not stop running after that warning.
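Comments 4 and 6 draw the line between an empty *file* and an empty *CRL*. As an added example (not code from the bug report or from OpenVPN), this shell script builds a throwaway CA with the openssl CLI, issues a CRL that revokes nothing, and runs the pre-flight checks the stricter v2.4 library validation implies (issuer matches the CA, signature valid, CRL not expired); the CA name and all paths are constructed for the example.

```shell
# Constructed example, not code from the bug report or from OpenVPN: a throwaway
# CA issues a CRL that revokes nothing, the valid form of "no keys revoked yet".
WORK=$(mktemp -d); CA_DIR="$WORK/CA"; trap 'rm -rf "$WORK"' EXIT

# Minimal layout for `openssl ca`: database, CRL number and a config section.
make_ca() {
    mkdir -p "$CA_DIR"; : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/crlnumber"; echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $CA_DIR
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo VPN CA
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# A CRL with zero entries is still a signed structure with a nextUpdate time;
# a zero-byte crl.pem is not a CRL at all, which is what the log line rejects.
make_empty_crl() {
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}
# Pre-flight for a crl-verify file, mirroring the stricter v2.4 library checks:
# non-empty, parses, issuer equals the CA subject, signature valid, not expired.
check_crl() {  # $1 = CRL path, $2 = CA certificate path
    [ -s "$1" ] || { echo "FAIL: $1 is empty"; return 1; }
    openssl crl -in "$1" -noout 2>/dev/null || { echo "FAIL: $1 is not a CRL"; return 1; }
    issuer=$(openssl crl -in "$1" -noout -issuer); subject=$(openssl x509 -in "$2" -noout -subject)
    [ "${issuer#*=}" = "${subject#*=}" ] || { echo "FAIL: CRL issuer is not the CA"; return 1; }
    openssl verify -crl_check -CAfile "$2" -CRLfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "FAIL: bad CRL signature or CRL expired"; return 1; }
    echo "OK: $1"
}
make_ca && make_empty_crl
openssl crl -in "$CA_DIR/crl.pem" -noout -text | grep -E 'Next Update|No Revoked'
check_crl "$CA_DIR/crl.pem" "$CA_DIR/ca.crt"                     # prints OK
: > "$WORK/zero-byte.pem"; check_crl "$WORK/zero-byte.pem" "$CA_DIR/ca.crt" || true   # prints FAIL
```

The same check_crl function can be pointed at a real `crl-verify` path and CA certificate before restarting the server.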
