Re: [Openvpn-users] easyrsa & crl-verify after demotion ?

  Subject: Re: [Openvpn-users] easyrsa & crl-verify after demotion ?
  From: James Yonan <jim@xxxxxxxxx>
  Date: Mon, 13 Dec 2004 15:49:12 -0700 (MST)

On Mon, 13 Dec 2004, Steven Palm wrote:

> Maybe it's just my configuration, but I just re-created a new PKI using 
> the easy-rsa scripts. The issue is that the "keys" directory is 
> readable only by root, AS IT SHOULD BE, but if I tell openvpn to use 
> --crl-verify it doesn't do this until well after its initialization, 
> only when a client connects. I think this makes sense from a timeline, 
> how can you verify what you don't know about? :-)  However, at this 
> point openvpn has demoted itself and so it cannot read the crl file 
> from inside the keys directory.
> As a temporary fix, I've changed the easy-rsa openvpn.cnf file to put 
> the crl.pem file out where it's not so highly protected and is readable 
> by a group that openvpn runs in.  Is this a good compromise?

That's fine.  Strictly speaking, in the key directory created by the
easy-rsa scripts, the only files which need to be protected from read
access are the private key files, i.e. the files which end in .key.

The CRL file can be world-readable, and needs to be because it is accessed 
by OpenVPN for every client connection, and is not preloaded before 
privilege downgrade.  This is intentional so that changes to the CRL will 
immediately impact a running OpenVPN daemon.
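The permission split described in this reply, as an added audit script that is not part of the thread or of easy-rsa: `*.key` files must be owner-only, while `crl.pem` must stay world-readable so the daemon can still open it after dropping privileges. Function names and the sample directory layout are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an easy-rsa "keys" directory.
# *.key files must be readable by the owner only; crl.pem must remain
# readable by the unprivileged user OpenVPN becomes, because it is re-read
# at every client connect, after the privilege downgrade.
# Function names and the sample layout are constructed for this example.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_keys_dir DIR: return 0 if DIR meets the policy, 1 otherwise.
audit_keys_dir() {
    dir=$1; rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        case $m in ?) m=00$m ;; ??) m=0$m ;; esac
        # group and other digits must both be 0 (e.g. 600 or 400)
        case $m in
            *00) ;;
            *)   echo "FAIL: $f mode $m, private key readable beyond owner"; rc=1 ;;
        esac
    done
    crl=$dir/crl.pem
    if [ ! -f "$crl" ]; then
        echo "FAIL: $crl missing, --crl-verify would reject every client"; rc=1
    else
        m=$(mode_of "$crl")
        # last digit is the "other" triplet; the read bit (4) must be set
        case $m in
            *4|*5|*6|*7) ;;
            *) echo "FAIL: $crl mode $m, demoted daemon cannot read the CRL"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_sample_dir DIR GOOD: build a constructed keys dir. GOOD=1 gives the
# layout the reply recommends; GOOD=0 reproduces the poster's situation
# (crl.pem locked down like a private key) plus a group-readable key.
make_sample_dir() {
    mkdir -p "$1"
    : > "$1/ca.key";  chmod 600 "$1/ca.key"
    : > "$1/crl.pem"
    if [ "$2" = 1 ]; then
        chmod 644 "$1/crl.pem"
    else
        chmod 600 "$1/crl.pem"
        : > "$1/server.key"; chmod 640 "$1/server.key"
    fi
}
```

Running `make_sample_dir /tmp/k 0 && audit_keys_dir /tmp/k` prints the two findings that match the original poster's symptom and the one key-file leak.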