kylemanna/docker-openvpn

Expired CRLs will prevent clients from re-connecting

Open

#274 opened on May 30, 2017

Labels: bug, help wanted

Description

I encountered an error with an old CRL from a long time ago that prevents clients from connecting

May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS: Initial packet from [AF_INET]1.2.3.4:55195, sid=50cd0150 294bdcea
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 VERIFY ERROR: depth=0, error=CRL has expired: CN=someserver
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 OpenSSL: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS_ERROR: BIO read tls_read_plaintext error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS object -> incoming plaintext read error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS handshake failed

Manually regenerating the CRL and copying it into place resolved the issue. Only people who generate a CRL and then let it expire without re-generating it (primarily by revoking certs) will encounter this bug.

I'm not sure how to handle this as re-generating the CRL will require the CA private key passphrase and can't be done automatically.
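The failure above is driven entirely by the CRL's nextUpdate field: once it is in the past, OpenVPN's verify step rejects every client with "CRL has expired". The following check, added here as an example and not part of the issue or of the docker-openvpn project, parses the `openssl crl -nextupdate` output and flags a CRL that has expired or is about to, so it can be renewed before clients start failing. It assumes the `openssl` CLI is in PATH and uses `/etc/openvpn/crl.pem` only as an assumed default path.

```python
"""Warn before an OpenVPN CRL expires instead of discovering it via VERIFY ERROR."""
import subprocess
from datetime import datetime, timedelta, timezone

# Renew when this much validity remains, rather than waiting for the outage.
WARN_WINDOW = timedelta(days=7)


def parse_next_update(line):
    """Parse a line like 'nextUpdate=May 30 19:28:53 2017 GMT' into a UTC datetime."""
    _, _, value = line.strip().partition("=")
    # OpenSSL pads single-digit days with two spaces; split() normalises that.
    normalised = " ".join(value.split())
    parsed = datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def crl_status(next_update, now=None):
    """Classify the CRL as 'expired', 'expiring' or 'ok'; also return time left."""
    now = now or datetime.now(timezone.utc)
    remaining = next_update - now
    if remaining <= timedelta(0):
        return "expired", remaining      # OpenVPN will reject every client
    if remaining <= WARN_WINDOW:
        return "expiring", remaining     # renew now, before clients fail
    return "ok", remaining


def check_crl_file(path):
    """Run openssl on a CRL file on disk and classify it (needs openssl in PATH)."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return crl_status(parse_next_update(out))


if __name__ == "__main__":
    import sys

    # Assumed default location of the server's CRL; pass another path as argv[1].
    crl_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/crl.pem"
    status, left = check_crl_file(crl_path)
    print(f"{crl_path}: {status} (nextUpdate in {left})")
    sys.exit({"expired": 2, "expiring": 1}.get(status, 0))
```

Run it from cron or a monitoring job so the non-zero exit status triggers an alert while there is still time to regenerate the CRL with the CA passphrase.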
