frp
Certificate Revocation List (CRL) Not Being Enforced in TLS Verification
Bug Description
Description
The FRP server is not enforcing Certificate Revocation List (CRL) checks during TLS handshake, allowing revoked client certificates to establish connections successfully.
Environment
- FRP Version: 0.54.0
- OS: Ubuntu (Server), Debian (Client)
- Architecture: amd64 (Server), arm64 (Client)
Current Behavior
When a client certificate is revoked and listed in the CRL, the FRP server still accepts connections from clients using that revoked certificate. This happens despite:
- The certificate being properly revoked
- The CRL being correctly generated and configured
- OpenSSL verify command confirming the certificate is revoked
Expected Behavior
The FRP server should reject connections from clients presenting revoked certificates during the TLS handshake.
frpc Version
0.54.0
frps Version
0.54.0
System Architecture
ubuntu/amd64 on server and debian/arm64 on client
Configurations
Server side frps.toml
```toml
bindAddr = "0.0.0.0"
bindPort = 7000

auth.token = "***********************************"

webServer.addr = "0.0.0.0"
webServer.port = 7500
webServer.user = "admin"
webServer.password = "admin"

security.tls.certFile = "/etc/frp/ssl/cert.pem"
security.tls.keyFile = "/etc/frp/ssl/server.key"
security.tls.trustedCaFile = "/etc/frp/ssl/ca.pem"
security.tls.clientCrlFile = "/etc/frp/ssl/ca.crl.der"
security.tls.serverName = "frp.server"
security.tlsOnly = true
security.tls.requireAndVerifyClientCert = true
security.tls.verifyDepth = 1

allowPorts = [
  { start = 2201, end = 2300 },
  { start = 8001, end = 8100 }
]

log.to = "console"
log.level = "debug"
```
Client side frpc.toml
```toml
serverAddr = "MY_SERVER_PUBLIC_IP"
bindPort = 7000

auth.token = "*****************************************"

security.tls.certFile = "/etc/frp/ssl/test-client.crt"
security.tls.keyFile = "/etc/frp/ssl/test-client.key"
security.tls.trustedCaFile = "/etc/frp/ssl/ca.pem"
security.tls.serverName = "frp.server"
security.tlsOnly = true

# top-level keys must come before the [[proxies]] table header,
# otherwise TOML scopes them to proxies[0]
log.to = "console"
log.level = "info"

[[proxies]]
name = "test-client"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 2201
```
Logs
OpenSSL verification shows certificate is revoked
```
$ openssl verify -CAfile ca.pem -crl_check_all -CRLfile ca.crl test-client.crt
CN = test-client
error 23 at 0 depth lookup: certificate revoked
error test-client.crt: verification failed
```
Server Logs show successful connection despite revocation
```
2024/12/17 02:59:22 [I] [root.go:105] frps uses config file: /etc/frp/frps.toml
2024/12/17 02:59:22 [I] [service.go:225] frps tcp listen on 0.0.0.0:7000
2024/12/17 02:59:22 [I] [root.go:114] frps started successfully
2024/12/17 03:15:07 [I] [service.go:563] [client_id] client login info: ip [x.x.x.x:port] version [0.54.0] hostname [] os [linux] arch [arm64]
```
Certificate details
- Certificate serial: `02:e1:81:f4:11:6f:a2:27:88:28:9e:98:b8:f7:be:8b:bc:60:88:4b`
- Listed in the CRL with the same serial number (confirmed revoked)
Additional Information
- CRL is properly formatted and readable (verified using `openssl crl -in ca.crl -text -noout`)
- Tried both PEM and DER formats for CRL
- Tested with additional TLS verification parameters (requireAndVerifyClientCert = true)
- OpenSSL command line tools correctly identify the certificate as revoked
- The issue persists across server restarts
Steps to reproduce
- Set up FRP server with TLS configuration:

```toml
security.tls.certFile = "/etc/frp/ssl/cert.pem"
security.tls.keyFile = "/etc/frp/ssl/server.key"
security.tls.trustedCaFile = "/etc/frp/ssl/ca.pem"
security.tls.clientCrlFile = "/etc/frp/ssl/ca.crl"
security.tls.serverName = "frp.server"
security.tlsOnly = true
```
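The expected behavior described above, rejecting a revoked client certificate during the handshake, is not something Go's crypto/tls does on its own: it validates the chain against the trusted CAs but never consults a CRL, so a Go server has to add that check in a `VerifyPeerCertificate` hook. The following is an added example of such a hook, not frp's code; it assumes the server runs with `ClientAuth` set to `RequireAndVerifyClientCert` (so the verified chain is available to the hook), and it builds its CA, client certificate and CRL in memory as constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlVerifier parses a DER CRL, rejects one that is not signed by ca or is past its NextUpdate,
// and returns a tls.Config.VerifyPeerCertificate hook that fails the handshake when the client
// leaf's serial is listed. crypto/tls validates the chain against ClientCAs but never reads a CRL.
func crlVerifier(crlDER []byte, ca *x509.Certificate) (func([][]byte, [][]*x509.Certificate) error, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || time.Now().After(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL rejected (bad signature or NextUpdate %s passed): %v", crl.NextUpdate, err)
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		leaf := verifiedChains[0][0] // populated because ClientAuth is RequireAndVerifyClientCert
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("client certificate serial %x is revoked", leaf.SerialNumber)
			}
		}
		return nil
	}, nil
}

// fixture builds in memory a CA, a client cert (serial 2) it issued and a CA-signed CRL revoking serial 2 (constructed test data).
func fixture() (ca *x509.Certificate, clientDER, crlDER []byte) {
	now := time.Now()
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed CA carries the SubjectKeyId that CreateRevocationList requires
	_, cliKey, _ := ed25519.GenerateKey(rand.Reader)
	clientDER, _ = x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "test-client"}, NotBefore: now, NotAfter: now.Add(time.Hour)}, ca, cliKey.Public(), caKey)
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, caKey)
	return ca, clientDER, crlDER
}
```

Because the hook is built from a CRL that was signature-checked against the CA and is within its NextUpdate window, a stale or unsigned list cannot silently disable revocation.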
### Affected area
- [ ] Docs
- [ ] Installation
- [ ] Performance and Scalability
- [X] Security
- [ ] User Experience
- [ ] Test and Release
- [ ] Developer Infrastructure
- [ ] Client Plugin
- [ ] Server Plugin
- [ ] Extensions
- [ ] Others