diff options
| author | Steffan Karger <steffan.karger@fox-it.com> | 2014-07-06 11:27:21 +0200 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2014-07-10 21:18:00 +0200 |
| commit | d860ee4a4c2cac03a872f07a9e629b56f3158b8b (patch) | |
| tree | c981ea77eff4dbc0596e4d5cd6c496e8092d22eb | |
| parent | f4e0ad82b0eaccce965074c1ceec2b7e3853dc0d (diff) | |
| download | openvpn-d860ee4a4c2cac03a872f07a9e629b56f3158b8b.tar.gz openvpn-d860ee4a4c2cac03a872f07a9e629b56f3158b8b.tar.xz openvpn-d860ee4a4c2cac03a872f07a9e629b56f3158b8b.zip | |
Don't exit daemon if opening or parsing the CRL fails.
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| -rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 4 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_polarssl.c | 7 |
2 files changed, 7 insertions, 4 deletions
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 2482eaa..cbcff02 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -591,12 +591,12 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) in = BIO_new_file (crl_file, "r"); if (in == NULL) { - msg (M_ERR, "CRL: cannot read: %s", crl_file); + msg (M_WARN, "CRL: cannot read: %s", crl_file); goto end; } crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); if (crl == NULL) { - msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); goto end; } diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c index 7e8b517..2b7c214 100644 --- a/src/openvpn/ssl_verify_polarssl.c +++ b/src/openvpn/ssl_verify_polarssl.c @@ -371,9 +371,12 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject) result_t retval = FAILURE; x509_crl crl = {0}; - if (x509_crl_parse_file(&crl, crl_file) != 0) + int polar_retval = x509_crl_parse_file(&crl, crl_file); + if (polar_retval != 0) { - msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + char errstr[128]; + polarssl_strerror(polar_retval, errstr, sizeof(errstr)); + msg (M_WARN, "CRL: cannot read CRL from file %s (%s)", crl_file, errstr); goto end; } |