From 3f72b838fd505dbd898cced364a655eef08a8c27 Mon Sep 17 00:00:00 2001 From: Michal Soltys Date: Tue, 9 Apr 2019 16:34:38 +0200 Subject: [PATCH] man: correct the description of --capath and --crl-verify regarding CRLs The man page states that when using --capath, the user is required to provide CRLs for CAs. This is not true and providing CRLs is optional - both in case of --capath as well as --crl-verify options. When relevant CRL is not found OpenVPN simply logs the warning in the logs while allowing the connection, e.g.: VERIFY WARNING: depth=0, unable to get certificate CRL This patch clarifies the behavior. Signed-off-by: Michal Soltys Acked-by: Arne Schwabe Message-Id: <20190409143438.25348-2-soltys@ziu.info> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18343.html Signed-off-by: Gert Doering (cherry picked from commit b3cfc43da3583ae8aa761beb29f016311b2ba64f) --- doc/openvpn.8 | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index ad8268cbd..16620062d 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4625,11 +4625,8 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS. -When using the -.B \-\-capath -option, you are required to supply valid CRLs for the CAs too. CAs in the -capath directory are expected to be named .. CRLs are expected to -be named .r. See the +CAs in the capath directory are expected to be named .. CRLs are +expected to be named .r. See the .B \-CApath option of .B openssl verify @@ -4640,6 +4637,11 @@ option of and .B openssl crl for more information. + +Similarly to the +.B \-\-crl\-verify +option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs +if the relevant CRL is missing, but the connection will be allowed. .\"********************************************************* .TP .B \-\-dh file @@ -5611,6 +5613,10 @@ overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. +The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log +a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get +certificate CRL\fR" \- but the connection will be allowed. + If the optional .B dir flag is specified, enable a different mode where -- 2.47.2