The use of CRLs

This recipe shows how to configure OpenVPN to use a CRL. It uses the CRL created in the previous recipe. This recipe is an extension of the recipe Routing: masquerading in Chapter 2Client-server IP-only Networks, in the sense that the server and client configuration files are almost identical.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. Generate the CRL using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10. The client was running Fedora 22 Linux and OpenVPN 2.3.10. Keep the server configuration file basic-udp-server.conf from the Server-side routing recipe in Chapter 2Client-server IP-only Networks.

How to do it...

  1. Copy the generated CRL to a more public directory:
    [root@server]# cd /etc/openvpn/cookbook
    [root@server]# cp keys/crl.pem .
    
  2. Modify the server config file basic-udp-server.conf by adding the lines:
            crl-verify /etc/openvpn/cookbook/crl.pem 
    

    Save it as example4-6-server.conf.

  3. Start the server:
    [root@server]# openvpn --config example4-6-server.conf
    
  4. Next, create the client configuration file:
    client
    proto udp
            remote openvpnserver.example.com
            port 1194
            dev tun
            nobind
            remote-cert-tls server
            tls-auth /etc/openvpn/cookbook/ta.key 1
            ca       /etc/openvpn/cookbook/ca.crt
            cert     /etc/openvpn/cookbook/client4.crt
            key      /etc/openvpn/cookbook/client4.key
    

    And save it as example4-6-client.conf.

  5. Finally, start the client:
    [root@client]# openvpn --config example4-6-client.conf
    

The client will not be able to connect but instead, the server log file shows:

[...] TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL
       routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[...] TLS Error: TLS object -> incoming plaintext read error
[...] TLS Error: TLS handshake failed

This rather cryptic message proves that the client is not allowed to connect because the certificate is not valid.

How it works...

Each time a client connects to the OpenVPN server, the CRL is checked to see whether the client certificate is listed. If it is, the OpenVPN server simply refuses to accept the client certificate and the connection will not be established.

There's more...

Generating a CRL is one thing and keeping it up-to-date is another. It is very important to ensure that the CRL is kept up-to-date. For this purpose, it is best to set up a cron job that updates the server CRL file overnight. There is an outstanding bug in OpenVPN related to CRL updates: each time a client connects, the OpenVPN server tries to access the CRL file. If the file is not present or not accessible, then the OpenVPN server process aborts with an error. The proper behavior would be to temporarily refuse access to the clients but unfortunately, this is not the case.

See also

  • The recipe later in this chapter, Multiple CAs: stacking, using the -capath directive, in which a more advanced use of CA and CRL is explained
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.7.151