From: Michal Soltys Date: Tue, 9 Apr 2019 14:34:38 +0000 (+0200) Subject: man: correct the description of --capath and --crl-verify regarding CRLs X-Git-Tag: v2.5_beta1~306 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3cfc43da3583ae8aa761beb29f016311b2ba64f;p=thirdparty%2Fopenvpn.git man: correct the description of --capath and --crl-verify regarding CRLs The man page states that when using --capath, the user is required to provide CRLs for CAs. This is not true and providing CRLs is optional - both in case of --capath as well as --crl-verify options. When relevant CRL is not found OpenVPN simply logs the warning in the logs while allowing the connection, e.g.: VERIFY WARNING: depth=0, unable to get certificate CRL This patch clarifies the behavior. Signed-off-by: Michal Soltys Acked-by: Arne Schwabe Message-Id: <20190409143438.25348-2-soltys@ziu.info> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18343.html Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index ce440447f..9e152fbe6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4598,11 +4598,8 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS. -When using the -.B \-\-capath -option, you are required to supply valid CRLs for the CAs too. CAs in the -capath directory are expected to be named .. CRLs are expected to -be named .r. See the +CAs in the capath directory are expected to be named .. CRLs are +expected to be named .r. See the .B \-CApath option of .B openssl verify @@ -4613,6 +4610,11 @@ option of and .B openssl crl for more information. + +Similarly to the +.B \-\-crl\-verify +option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs +if the relevant CRL is missing, but the connection will be allowed. .\"********************************************************* .TP .B \-\-dh file 
@@ -5685,6 +5687,10 @@ overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. +The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log +a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get +certificate CRL\fR" \- but the connection will be allowed. + If the optional .B dir flag is specified, enable a different mode where
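Review bot: in the first --capath hunk (@@ -4598) the sentence that is kept now reads "CAs in the capath directory are expected to be named .. CRLs are expected to be named .r.", with the placeholder for the name hash gone, so the only description of the directory layout is empty as rendered here. Check that the roff source still spells out the hash-based names that OpenSSL's -CApath lookup uses (the subject hash plus ".0" for certificates and ".r0" for CRLs) and that the placeholder survives man and HTML rendering; with the "you are required to supply valid CRLs" sentence removed, that naming sentence is all that tells an operator where a CRL has to go to be found at all.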
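Review bot: the paragraph added in the second --capath hunk (@@ -4613) needs a comma after "option" ("Similarly to the --crl-verify option, CRLs are not mandatory"), and "the usual warning" is vaguer than the wording the same patch adds under --crl-verify; quote the message here as well ("VERIFY WARNING: depth=0, unable to get certificate CRL") so an operator grepping the logs knows what to look for. "log ... in the logs" is also redundant. Since the text states that the connection is still allowed, it is worth saying outright that a missing CRL means revocation is not being checked for that CA, so anyone relying on revocation must confirm the CRL file is actually present in the directory rather than treating the warning as cosmetic.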
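Review bot: "The option is not mandatory" in the --crl-verify hunk (@@ -5685) is ambiguous: read on its own it says --crl-verify itself is optional, which is true of every option, whereas the commit message's point is that a CRL for the relevant CA need not be present even when --crl-verify is given. Suggest "A CRL for every CA is not mandatory" or "A missing CRL is not treated as a verification error". The sentence is also placed between the note about rebuilding the PKI and the description of the dir mode, where it reads as part of the PKI-rebuild discussion; it belongs with the sentence that explains what the option checks. Same redundancy as in the --capath hunk: "will log a warning in the logs".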
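The commit message above notes that when no CRL is found for a CA, OpenVPN only logs a warning and still allows the connection, so a forgotten CRL fails open. The following script is an added example, not part of this patch or of OpenVPN or OpenSSL; it assumes the hash-directory layout that --capath uses (files named after the subject-name hash, certificates as hash.0, CRLs as hash.r0, both produced by "openssl rehash") and lists the CAs in a capath directory that have no CRL file at all, so the fail-open case is caught before deployment rather than in the logs. The file names in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not OpenVPN or OpenSSL code): audit an OpenVPN --capath
# directory for CAs that have no CRL. Assumes the OpenSSL hash-directory
# layout --capath relies on: hash.N for CA certificates, hash.rN for CRLs,
# where "hash" is the subject-name hash ("openssl rehash" creates both).
# OpenVPN only warns when a CRL is missing and still allows the connection,
# so every CA this prints is one whose revocations are not being enforced.

# capath_missing_crls DIR
#   Prints, one per line, each CA file in DIR whose hash has no CRL file.
#   Exit status 0 when every CA has a CRL, 1 when at least one is missing.
capath_missing_crls() {
    dir=$1
    status=0
    for ca in "$dir"/*.[0-9]*; do
        [ -f "$ca" ] || continue          # no match: the glob stays literal
        base=${ca##*/}
        hash=${base%.*}                   # strip the .N suffix
        # Subject-hash collisions give several files per hash (hash.r0,
        # hash.r1, ...); any CRL file for the hash satisfies the lookup.
        have_crl=0
        for crl in "$dir/$hash".r[0-9]*; do
            if [ -f "$crl" ]; then
                have_crl=1
                break
            fi
        done
        if [ "$have_crl" -eq 0 ]; then
            printf '%s\n' "$base"
            status=1
        fi
    done
    return "$status"
}

# Constructed demo: a capath with two CAs, only one of which has a CRL.
# The hash names are made up; real ones come from "openssl rehash".
demo_dir=$(mktemp -d)
touch "$demo_dir/aabbccdd.0" "$demo_dir/aabbccdd.r0" "$demo_dir/11223344.0"
if capath_missing_crls "$demo_dir"; then
    echo "every CA in $demo_dir has a CRL"
else
    echo "the CA files above have no CRL in $demo_dir: revocation is not enforced for them"
fi
rm -rf "$demo_dir"
```

Run it against the directory given to --capath as part of deployment checks. It only detects absent CRLs; a CRL that is present but past its nextUpdate is a different failure, which "openssl crl -noout -nextupdate -in hash.r0" will show, and "openssl x509 -noout -subject_hash -in ca.crt" tells you which hash name a given CA's CRL must carry.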