After a lot of discussion on IRC on Friday, here's a new attempt at fixing the mbedtls certificate reloading issue.
To sum up the background: Compumatica discovered the following pair of bugs in OpenVPN-NL, which are also present in stock OpenVPN with mbedtls.

1) With mbedtls, if the CRL file can't be accessed during init_ssl(), OpenVPN will read the file in tls_process() when it becomes available later, but it will not actually use it. This situation is likely to happen when running in a chroot because of the second bug.

2) OpenVPN attempts to read the CRL file in init_ssl() before chroot-ing and tries to access the path outside of the chroot directory. For example, let's say we have the CRL file in "/chroot/crl.pem", and we run OpenVPN with "--chroot /chroot/" and "--crl-verify /crl.pem". During option validation, OpenVPN will check that "/chroot/crl.pem" exists. Pre-chroot, it will try to access "/crl.pem", which fails. Post-chroot, it opens the file.

Bug 2) is present in OpenVPN with OpenSSL, too, but OpenSSL actually uses the reloaded CRL from tls_process(), so the only consequence is a warning message in the logs.

The first patch fixes bug 2) by prefixing the path to the chroot directory to the CRL file when we're running init_ssl() pre-chroot. By itself, this makes it much more difficult to trigger bug 1).

The second patch makes OpenVPN abort in init_ssl() if the CRL file cannot be accessed. Now that the path is handled correctly pre- and post-chroot, there is no good reason why accessing it should fail. This fixes bug 1).
Max Fillinger (2):
  In init_ssl, open the correct CRL path pre-chroot
  Abort if CRL file can't be stat-ed in init_ssl

 src/openvpn/init.c    |  3 ++-
 src/openvpn/misc.c    | 11 +++++++++++
 src/openvpn/misc.h    |  7 +++++++
 src/openvpn/options.c |  8 +-------
 src/openvpn/ssl.c     | 37 ++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl.h     |  2 +-
 6 files changed, 54 insertions(+), 14 deletions(-)

-- 
2.11.0

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
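The path-handling rule the cover letter describes, as an added stand-alone example (this is not OpenVPN code and not the patch itself; the function names crl_path_pre_chroot, crl_path_check and demo_chroot_crl are this example's own, and the temporary directory and placeholder CRL contents are constructed to stand in for "/chroot" and "/chroot/crl.pem"). While the process is still outside the chroot, the configured "--crl-verify" path has to be resolved relative to the chroot directory, and a stat() failure at that point is treated as fatal rather than deferred, mirroring the two patches' intent.

```c
/* Added example, not OpenVPN's code: resolve a --crl-verify path the way it
 * must be resolved before chroot(2) has been called, then check it exists.
 * Function names are this example's own; the stat()-based check is an
 * assumption about what "can't be accessed" should mean in practice. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build the path to use for crl_file *before* entering the chroot. When a
 * chroot directory is configured and not yet entered, the file the user
 * means lives at <chroot_dir>/<crl_file>; after chroot (or without one)
 * the configured path is used unchanged. Trailing '/' on chroot_dir and a
 * leading '/' on crl_file are collapsed so "//" never appears.
 * Returns 0 on success, -1 if the result would not fit in buf. */
int crl_path_pre_chroot(const char *chroot_dir, int already_chrooted,
                        const char *crl_file, char *buf, size_t buflen)
{
    if (chroot_dir == NULL || chroot_dir[0] == '\0' || already_chrooted) {
        if (strlen(crl_file) >= buflen) return -1;
        strcpy(buf, crl_file);
        return 0;
    }
    size_t dlen = strlen(chroot_dir);
    while (dlen > 0 && chroot_dir[dlen - 1] == '/') dlen--;   /* "/chroot/" -> "/chroot" */
    while (*crl_file == '/') crl_file++;                        /* "/crl.pem" -> "crl.pem" */
    int n = snprintf(buf, buflen, "%.*s/%s", (int)dlen, chroot_dir, crl_file);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* The "abort if the CRL can't be stat-ed" check: 0 if path names a regular
 * file, otherwise -1 with errno set (by stat(), or EINVAL for a non-file). */
int crl_path_check(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; }
    return 0;
}

/* Reproduce the cover letter's scenario with a scratch directory standing
 * in for /chroot. Returns 1 when the bare path fails and the prefixed path
 * succeeds (the behaviour the fix wants), 0 otherwise, -1 if setup failed. */
int demo_chroot_crl(void)
{
    char dir[] = "/tmp/crl-demo-XXXXXX";          /* constructed stand-in for /chroot */
    if (mkdtemp(dir) == NULL) return -1;
    char crl_in_chroot[256];
    snprintf(crl_in_chroot, sizeof crl_in_chroot, "%s/crl.pem", dir);
    FILE *f = fopen(crl_in_chroot, "w");
    if (f == NULL) { rmdir(dir); return -1; }
    fputs("-----BEGIN X509 CRL-----\n(constructed placeholder)\n"
          "-----END X509 CRL-----\n", f);        /* not a real CRL */
    fclose(f);

    /* Bug 2): pre-chroot, the unmodified "--crl-verify /crl.pem" is tried. */
    int bare_fails = crl_path_check("/crl.pem") != 0;
    /* Fix: prefix the chroot directory while still outside it. */
    char fixed[256];
    int fixed_ok = crl_path_pre_chroot(dir, 0, "/crl.pem", fixed, sizeof fixed) == 0
                   && crl_path_check(fixed) == 0;

    unlink(crl_in_chroot);
    rmdir(dir);
    return (bare_fails && fixed_ok) ? 1 : 0;
}

int main(void)
{
    char buf[256];
    crl_path_pre_chroot("/chroot/", 0, "/crl.pem", buf, sizeof buf);
    printf("pre-chroot path : %s\n", buf);
    crl_path_pre_chroot("/chroot/", 1, "/crl.pem", buf, sizeof buf);
    printf("post-chroot path: %s\n", buf);
    int r = demo_chroot_crl();
    printf("scenario check  : %s\n", r == 1 ? "bare path fails, prefixed path works"
                                   : r == 0 ? "unexpected result" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

The demo deliberately treats a stat() failure as a hard error instead of falling through to a later reload: once the pre-chroot path is built correctly, a failure here means a misconfiguration, which is exactly the reasoning the second patch gives for aborting in init_ssl().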