git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
Document that OpenVPN 2.3 does not check the CRL signature
author: Steffan Karger <steffan@karger.me>
Wed, 10 May 2017 19:50:44 +0000 (21:50 +0200)
committer: David Sommerseth <davids@openvpn.net>
Wed, 10 May 2017 23:30:35 +0000 (01:30 +0200)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494445844-8327-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14626.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
doc/openvpn.8

index 612cdddc3817b271ad6608aa9da8342b7f3ae3da..284e8e628dc35764908c432b83a2d9e1a16be5c5 100644 (file)
@@ -5208,6 +5208,15 @@ Note: As the crl file (or directory) is read every time a peer connects,
 if you are dropping root privileges with
 .B \-\-user,
 make sure that this user has sufficient privileges to read the file.
+
+.B Security considerations
+
+.B \-\-crl\-verify
+does not check whether the CRL is correctly signed by the CA.  It merely checks
+that the CRL issuers matches the CA CN.  Therefore, users should ensure that
+the supplied CRL is correct.
+
+OpenVPN 2.4 and newer resolve this issue.
 .\"*********************************************************
 .SS SSL Library information:
 .\"*********************************************************
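Review bot: "It merely checks that the CRL issuers matches the CA CN" in the added paragraph has a number agreement error and should read "that the CRL issuer matches the CA CN". The paragraph also tells users to "ensure that the supplied CRL is correct" without saying what that means in practice; since the whole point is that 2.3 skips the signature check, one sentence on the compensating step would make the advice actionable, e.g. obtain the CRL over a trusted channel and verify its signature against the CA certificate before deploying it (`openssl crl -in crl.pem -CAfile ca.crt -noout` prints `verify OK` only when the signature is valid). Finally, "OpenVPN 2.4 and newer resolve this issue" would be clearer if it stated what 2.4 does differently, i.e. that it verifies the CRL signature against the CA, so readers know exactly which check they gain by upgrading.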