Hello,
I think there is a security issue with the crl-verify code. OpenVPN only
checks the issuer of the CRL, but not the CRL signature.
If you sign a CRL with another CA (even self-signed) which has the same
DN as the certificate issuer, OpenVPN accepts it as a good CRL: the
server or the client do not log any error... So, an attacker can easily
produce such a false CRL, and nobody can see the attack.
The CRL must be validated: OpenVPN must verify it has been signed by
one of the CAs indicated in --ca.
Looking in the "racoon" code, I think that CRL handling is easier with
new versions of openssl (>= 0.9.7):
(...)
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif
(...)
With this kind of X509_STORE_CTX, openssl automagically manages all CAs
and all CRLs included in a "CAPath".
Thx,
--
Thomas NOEL <thomas.n...@auf.org> http://www.auf.org/
Coordinator of Technical Infrastructure
Agence universitaire de la Francophonie (AUF)
Central Services Paris - 4 place de la Sorbonne - 75005 Paris
Tel: +33 (0)1 44 41 18 18, ext. 1822  Fax: +33 (0)1 44 41 18 19
> Please avoid sending me Word or PowerPoint documents
> see http://www.gnu.org/philosophy/no-word-attachments.fr.html
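The check the report asks for, as an added example that is not part of the original message nor OpenVPN or racoon code: it uses Go's standard crypto/x509 package in place of OpenSSL's X509_V_FLAG_CRL_CHECK to show that comparing the issuer DN alone accepts a CRL signed by an unrelated key with the same DN, while verifying the CRL signature under the trusted CA rejects it. All keys, the "VPN Root CA" name and the serial numbers are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA certificate with the given CN (constructed test data, not a real CA).
func makeCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// makeCRL issues an (empty) CRL in the name of issuer, signed with key.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// crlTrusted: a matching issuer DN is necessary but not sufficient; the signature must verify under the trusted CA's key.
func crlTrusted(crl *x509.RevocationList, ca *x509.Certificate) bool {
	sameName := bytes.Equal(crl.RawIssuer, ca.RawSubject) // the only check the report says OpenVPN did
	return sameName && crl.CheckSignatureFrom(ca) == nil  // the missing check: signed by this CA's key
}

// demo returns (genuine CRL trusted, look-alike CRL trusted). A second CA with the same DN but its own key signs the look-alike.
func demo() (bool, bool) {
	ca, caKey := makeCA("VPN Root CA")
	lookalike, lookalikeKey := makeCA("VPN Root CA") // identical DN, unrelated key
	return crlTrusted(makeCRL(ca, caKey), ca), crlTrusted(makeCRL(lookalike, lookalikeKey), ca)
}
```

Both CRLs pass the DN comparison; only the signature check tells them apart, which is what OpenSSL's CRL_CHECK flags do against the --ca store.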