git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Vladislav Grishenko <themiron@yandex-team.ru>
	Fri, 2 Oct 2020 21:51:46 +0000 (02:51 +0500)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 5 May 2021 20:09:04 +0000 (22:09 +0200)
commit	4c2549ba5d8b1b449acc62a46692345710965647
tree	7b486b05e9862249436688151e6b62fc11e33f31	tree
parent	0cbfa10e6aac01831bebe42ab33dc56c4704c1a6	commit \| diff

Add CRL extractor script for --crl-verify dir mode

When --crl-verify is enabled, specified CRL file gets reloaded on
every client connection. With huge CRL files it may take a significant
amount of time - seconds and tens of seconds, during which OpenVPN is
blocked and can't serve existing and/or incoming connections due its
singlethread nature.
In alternative mode --crl-verify option takes directory containing
files named as decimal serial numbers of the revoked certificates and
'dir' flag, revoked certificate check is being done by checking the
presence of client's certificate number in that directory.

This script allow to perform incremental extraction of revoked serial
numbers from CRL by adding absent ones and removing excess ones.

Usage example:
    extractcrl.py -f pem /path/to/crl.pem /path/to/outdir
    extractcrl.py -f der /path/to/crl.crl /path/to/outdir
    cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir
    cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir

Output example:
    Loaded:  309797 revoked certs in 4.136s
    Scanned: 312006 files in 0.61s
    Created: 475 files in 0.05s
    Removed: 2684 files in 0.116s

Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201002215146.31324-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>