Problems with revoked certificate - Openssl

  1. Problems with revoked certificate


    Hello

    I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
    revoked a user certificate but the user still has access to the VPN. The
    reference to this user appears in the crl.pem file. What could be happening?

    Thank you http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf
    --
    View this message in context: http://www.nabble.com/Problems-with-...p18487517.html
    Sent from the OpenSSL - User mailing list archive at Nabble.com.
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Problems with revoked certificate

    On July 16, 2008 09:32:41 am albertlb wrote:
    > Hello
    >
    > I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
    > revoked a user certificate but the user still has access to the VPN. The
    > reference to this user appears in the crl.pem file. What could be happening?
    >
    > Thank you http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf


    If I am not mistaken, OpenVPN does not automatically fetch the new CRL, and
    must be told specifically to do CRL verification.

    So, if your CA is not on the OpenVPN machine (which would be a VERY good
    thing), you have to make sure that the CRL gets replicated from the CA out
    to the machine, and put in the location specified by the crl-verify option.

    As a note: This is an OpenVPN configuration question, not an OpenSSL
    question - you probably will get better support asking on the OpenVPN mailing
    list.

    Have fun.

    --
    Patrick Patterson
    President and Chief PKI Architect,
    Carillon Information Security Inc.
    http://www.carillon.ca


  3. Re: Problems with revoked certificate

    albertlb wrote:

    > I am using a Debian PC with OpenSSL and OpenVPN. The problem is I have
    > revoked a user certificate but the user still has access to the VPN. The
    > reference to this user appears in the crl.pem file. What could be happening?
    >
    > Thank you http://www.nabble.com/file/p18487517/openssl.cnf openssl.cnf


    Someone has already answered the CRL question, but I feel the need
    to point out that certificate validity isn't adequate for access
    authorization. That is, conflating authentication and authorization
    is usually a mistake.

    - M


  4. Re: Problems with revoked certificate


    Thank you very much. I have enabled CRL verification in OpenVPN and now
    it works.


    --
    View this message in context: http://www.nabble.com/Problems-with-...p18504076.html
    Sent from the OpenSSL - User mailing list archive at Nabble.com.