easy-rsa
Expired CRL file prevents all users from connecting to OpenVPN Server
The easy-rsa/easyrsa3/vars.example file describes EASYRSA_CRL_DAYS as a soft problem. But in reality it appears to prevent anyone from connecting to the server. I don't expect it's a fun Easter egg to discover when our VPN servers fail just because we trusted the defaults and nobody has left the company in 180 days.
```
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
```
In my opinion, the code comment that "the CRL can still be parsed", does not match the actuality that everyone's getting a CRL expired error, precluding accessing the server. I believe that the code comment was written prior to OpenVPN 2.4 when the CRL method became "processed much more rigidly than before" https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired.
Other people describe the actual behaviour of this environment variable as:

- "make client fail to connect if the date past" https://github.com/pivpn/pivpn/issues/567#issuecomment-417159009
- "all VPN connections went down" https://www.reddit.com/r/OpenVPN/comments/11951c8/is_this_a_maintenance_item_easyrsa_gencrl/
- "my clients cannot connect... Debian [said] i should regenerate the CRL because it expired" https://forums.openvpn.net/viewtopic.php?t=23166#p67004
- "no further connections are allowed, even if other certs/keys themselves are still valid" https://forums.openvpn.net/viewtopic.php?t=27090#p81328
See `easyrsa help gen-crl` and https://github.com/OpenVPN/easy-rsa/wiki/EasyRSA-Renewal#-update-crl (note that this comment simply indicates that gen-crl is an important part of ongoing maintenance, but this Wiki entry could also use a bit of context, since the output of `easyrsa help gen-crl` is simply: `gen-crl Generate a CRL.`).
The real fix seems to be to make SSL be able to parse the CRL after EASYRSA_CRL_DAYS, but an acceptable fix might simply be to update the code comment to reflect the seriousness of this variable, such as:

```
# How many days until the next CRL publish date? Note that the CRL will cease to
# work after this timeframe passes. OpenVPN will respond to connection requests
# with "VERIFY ERROR, CRL has expired" if the age of the CRL exceeds the days set.
#
#set_var EASYRSA_CRL_DAYS 180
```
Additionally, would you recommend that the value of 180 be increased to 825 or something high, to match the other defaults like EASYRSA_CERT_EXPIRE?
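The outage described in this issue can be caught before it happens by monitoring the nextUpdate field of the CRL that OpenVPN loads, since that is the date EASYRSA_CRL_DAYS sets. The check below is an added example, not code from this issue or from easy-rsa; it assumes openssl and GNU date (date -d) are on PATH, and the function names (crl_seconds_remaining, crl_check, make_test_crl) are mine.

```shell
#!/bin/sh
# Added example (not from the issue or easy-rsa): alert on the CRL's nextUpdate.
# OpenVPN 2.4+ rejects every client once the CRL loaded via crl-verify is past its
# nextUpdate, so that date, not the CA or server cert, is the one to watch.
# Assumes openssl on PATH and GNU date (date -d). Function names are mine.
set -eu

# Seconds until the CRL's nextUpdate; negative once the CRL has expired.
crl_seconds_remaining() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    echo $(( $(date -d "$next" +%s) - $(date +%s) ))
}

# Monitoring-style status: 0 OK, 1 WARNING (expires within $2 days, default 14),
# 2 CRITICAL (already expired, i.e. the state this issue describes).
crl_check() {
    secs=$(crl_seconds_remaining "$1")
    days=$(( secs / 86400 ))
    if [ "$secs" -lt 0 ]; then
        echo "CRITICAL: $1 expired $(( (0 - secs) / 86400 )) day(s) ago; OpenVPN logs 'CRL has expired' and rejects all clients. Run 'easyrsa gen-crl' and redeploy crl.pem."
        return 2
    elif [ "$days" -lt "${2:-14}" ]; then
        echo "WARNING: $1 expires in $days day(s); regenerate it before then."
        return 1
    fi
    echo "OK: $1 valid for $days more day(s)"
}

# Constructed fixture: a throwaway CA plus a CRL it signs, via the same
# 'openssl ca -gencrl' call that easy-rsa's gen-crl makes with -crldays.
# $1 = empty working dir, remaining args = CRL lifetime flags. Prints the CRL path.
make_test_crl() (
    cd "$1" && shift
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=ConstructedTestCA \
        -keyout ca.key -out ca.crt -days 30 2>/dev/null
    : > index.txt
    echo 01 > crlnumber
    printf '[ca]\ndefault_ca = t\n[t]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\n' > ca.cnf
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl "$@" -out crl.pem 2>/dev/null
    echo "$PWD/crl.pem"
)

# Stand-alone demo: the easy-rsa default of 180 days is fine today, while a CRL
# that lived one second is already fatal for every client.
if [ "${1:-}" = "demo" ]; then
    crl_check "$(make_test_crl "$(mktemp -d)" -crldays 180)" || true
    short=$(make_test_crl "$(mktemp -d)" -crlsec 1); sleep 2
    crl_check "$short" || true
fi
```

Run it from cron or a monitoring agent against the file named by the server's crl-verify directive; a WARNING well before day 180 is what turns this from an outage into routine maintenance.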