kylemanna/docker-openvpn

Expired CRLs will prevent clients from re-connecting

Open

#274 aberto em 30 de mai. de 2017

Ver no GitHub
 (8 comments) (0 reactions) (0 assignees)Shell (2.336 forks)batch import
bughelp wanted

Métricas do repositório

Stars
 (8.506 stars)
Métricas de merge de PR
 (Nenhuma PRs mesclada em 30d)

Description

I encountered an error with an old CRL from a long time ago that prevents clients from connecting

May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS: Initial packet from [AF_INET]1.2.3.4:55195, sid=50cd0150 294bdcea
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 VERIFY ERROR: depth=0, error=CRL has expired: CN=someserver
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 OpenSSL: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS_ERROR: BIO read tls_read_plaintext error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS object -> incoming plaintext read error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS handshake failed

Manually regenerating the CRL and copying it in to place resolved the issue. Only people who generate a CRL and then let is expire without re-generating it (primarily by revoking certs) will encounter this bug.

I'm not sure how to handle this as re-generating the CRL will require the CA private key passphrase and can't be done automatically.

Guia do colaborador