Bug 996892 - empty crl.pem file will make openvpn stop/crash
Summary: empty crl.pem file will make openvpn stop/crash
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Version: el6
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-14 08:52 UTC by Ferry Huberts
Modified: 2017-05-11 20:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-11 20:34:20 UTC
Type: Bug
Embargoed:



Description Ferry Huberts 2013-08-14 08:52:49 UTC
Description of problem:
Setting up OpenVPN with an empty crl.pem file by adding
  crl-verify  CA/crl.pem
to the configuration makes the process stop/crash when a client connects.

I use an empty file because I haven't revoked any keys yet.

A workaround is to have at least 1 revoked (dummy) key in there.


Version-Release number of selected component (if applicable):
openvpn.x86_64   2.3.1-3.el6

How reproducible:
always

Actual results:
Wed Aug 14 10:33:06 2013 192.168.122.1:60067 CRL: cannot read CRL from file CA/crl.pem
Wed Aug 14 10:33:06 2013 192.168.122.1:60067 Exiting due to fatal error



Additional info:
Might be related to https://community.openvpn.net/openvpn/ticket/83

Comment 1 Gwyn Ciesla 2013-08-14 12:45:42 UTC
Can you test with 2.3.2-1 from updates testing?

Comment 2 Ferry Huberts 2013-08-14 12:53:34 UTC
I updated from epel-testing.

The exact same issue

Comment 3 Gwyn Ciesla 2013-08-14 14:31:46 UTC
Ok, I've commented on that bug.

Comment 4 David Sommerseth 2017-05-11 20:34:20 UTC
This isn't really a bug.  An empty CRL file is not a valid CRL file, so OpenVPN should complain and stop running so this can be fixed instantly.

The upstream Trac ticket seems somewhat related but it is actually very different.  That ticket is about a running server where the CRL file gets corrupted or becomes invalid.  In that case, OpenVPN should _not_ stop, to allow established connections to keep going without any interruption.

What this ticket is about, is to start OpenVPN server with an empty CRL file, which should never be allowed.

Comment 5 Ferry Huberts 2017-05-11 20:41:56 UTC
My point is this:

> I use an empty file because I haven't revoked any keys yet.

Seems perfectly valid to me.

It would be rather clumsy to NOT have a crl configured at first, and then have to configure it once you start revoking keys.

An empty crl will allow a one-time setup and then simply putting the new crl file in place after revoking keys.

Personally I consider an empty crl perfectly valid and I think that OpenVPN should change to accept such a file.

Comment 6 David Sommerseth 2017-05-11 20:53:39 UTC
I ran an extra check on OpenVPN v2.4.2 (released today) as the whole CRL handling has been changed in v2.4.  Prior to v2.4, the CRL check was done internally in OpenVPN.  From v2.4.0, the CRL checks have changed to use the SSL/TLS library's CRL validation (OpenSSL or mbed TLS).

With v2.4.2 built against OpenSSL 1.0, I see this in the log with an empty CRL file:

Thu May 11 22:46:13 2017 us=762534 CRL: cannot read CRL from file /tmp/empty.crl

I cannot guarantee that this will work if you later on update the CRL file with some revocations.  But beware, this new CRL validation is actually much stricter than before, so now the CA must match the issuer of the CRL and the CRL cannot be expired, to mention a few of the issues people have complained about.

So it seems OpenSSL agrees with you, and it now works.  So this issue is still closed.

Comment 7 David Sommerseth 2017-05-11 20:54:56 UTC
A missing detail.  OpenVPN does not stop running after that warning.
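Added example (not from this bug report or from the OpenVPN project): a pre-deployment check for a crl.pem covering the conditions Comments 4 and 6 describe, namely a zero-byte file, an issuer that does not match the CA, a bad signature and an expired nextUpdate, while accepting a well-formed CRL that revokes nothing. It assumes the third-party Python `cryptography` package; the CA and CRL fixtures are constructed in the block.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def check_crl(crl_pem: bytes, ca_pem: bytes, now=None) -> str:
    """Return 'ok', or why a TLS-library CRL check (OpenVPN >= 2.4 style) would refuse this file."""
    now = now or dt.datetime.now(UTC)
    if not crl_pem.strip():
        return "empty file"  # the zero-byte crl.pem from this ticket
    try:
        crl = x509.load_pem_x509_crl(crl_pem)
    except ValueError:
        return "unparseable CRL"
    ca = x509.load_pem_x509_certificate(ca_pem)
    if crl.issuer != ca.subject:
        return "issuer does not match CA"
    if not crl.is_signature_valid(ca.public_key()):
        return "bad signature"
    nxt = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if nxt is None and crl.next_update is not None:  # older releases: naive UTC
        nxt = crl.next_update.replace(tzinfo=UTC)
    if nxt is not None and nxt < now:
        return "CRL expired"
    return "ok"


def make_ca(cn: str):
    """Constructed fixture: a throwaway self-signed CA -> (key, cert, cert PEM)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert, cert.public_bytes(serialization.Encoding.PEM)


def make_crl(key, issuer_cert, last_days: int, next_days: int) -> bytes:
    """Sign a CRL with zero revoked entries ('empty' as the reporter means it); day offsets from now."""
    now = dt.datetime.now(UTC)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
           .last_update(now + dt.timedelta(days=last_days))
           .next_update(now + dt.timedelta(days=next_days))
           .sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.PEM)
```

Run check_crl on the file named by crl-verify together with the ca certificate before reloading the server; anything other than "ok" is what the TLS library will reject.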

