openvpn crl-verify crl ['dir'] with a specified directory has no effect after restart.

王大大仙 posted on 2017/11/24 15:04

@China_OS Hi, I'd like to ask you a question:

openvpn crl-verify crl ['dir'] with a specified directory has no effect after restart.

Below is the official documentation:

--crl-verify crl ['dir']

Check peer certificate against the file crl in PEM format.

A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.

Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.

The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.

If the optional dir flag is specified, enable a different mode where crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected.

Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file.

Security considerations

--crl-verify does not check whether the CRL is correctly signed by the CA. It merely checks that the CRL issuer matches the CA CN. Therefore, users should ensure that the supplied CRL is correct.

OpenVPN 2.4 and newer resolve this issue.
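The directory mode quoted above, as an added example that is neither part of the original post nor OpenVPN's own code: it extracts a client certificate's serial number in the decimal form the file names must use, creates the revocation file, and mirrors the per-connection lookup the server performs. The certificate is a constructed stub that encodes only the leading fields the parser reads, and all function names are my own.

```python
import base64
import os
import tempfile
from pathlib import Path

def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial_decimal(pem):
    """Serial number as the decimal string that a file in the crl directory must be named."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    tag2, tbs, _ = _tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, val, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                        # optional explicit [0] version precedes the serial
        tag, val, nxt = _tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return str(int.from_bytes(val, "big", signed=True))

def revoke_serial(crl_dir, serial_decimal):
    """Create the empty file; contents are never read, only the name matters."""
    os.makedirs(crl_dir, exist_ok=True)
    Path(crl_dir, serial_decimal).touch()

def is_revoked(crl_dir, serial_decimal):
    """Mirror of the server-side check: a file named after the serial means reject."""
    return os.path.isfile(os.path.join(crl_dir, serial_decimal))

# Constructed sample input (not a real certificate): only version [0] and serialNumber
# are encoded, which is exactly what cert_serial_decimal() reads.
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(n):  # one spare byte keeps the leading 0x00 DER needs when the top bit is set
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def stub_cert_pem(serial):
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Revoke one constructed client cert and confirm a second one is still accepted."""
    crl_dir = tempfile.mkdtemp(prefix="crl-dir-")
    stolen, other = cert_serial_decimal(stub_cert_pem(49999)), cert_serial_decimal(stub_cert_pem(1))
    revoke_serial(crl_dir, stolen)
    return stolen, other, is_revoked(crl_dir, stolen), is_revoked(crl_dir, other), sorted(os.listdir(crl_dir))
```

Because the directory is read on every connect, adding or deleting such a file takes effect without restarting the server; the user named by --user must be able to read the directory.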

China_OS

No effect? Is there any error message?

China_OS

Reply to @王大大仙: No error message, so could it be a configuration problem? From your description it doesn't take effect at all?
王大大仙
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
王大大仙

It just doesn't work. What I want to achieve is to use the second mode to control the validity of VPN client certificates, without having to restart the VPN server every time.
王大大仙

The configured log file has no error entries, and the service starts normally.