Hi,

On 15/04/2021 11:34, Max Fillinger wrote:
> Now that the path for the CRL file is handled correctly when using
> chroot, there's no good reason for the file to be inaccessible during
> ssl_init().
>
> This commit ensures that the CRL file is accessed successfully at least
> once, which fixes a bug where the mbedtls version of OpenVPN wouldn't
> use a reloaded CRL if it initially failed to access the file.
>
> Signed-off-by: Max Fillinger <maximilian.fillin...@foxcrypto.com>
It simply does what it says: when calling init_ssl() upon instance initialization (i.e. upon openvpn startup, and upon USR1 on clients), if the CRL is not accessible, then openvpn will abort.

This behaviour is what we need because "starting an instance without having the CRL where it is expected" is equivalent to a configuration error.

Being unable to reload the CRL at runtime is instead acceptable, because some subsystem might be just recreating the CRL; therefore openvpn will skip the reload and continue using what is currently in memory. The CRL will be reloaded at the next occasion.

Acked-by: Antonio Quartulli <anto...@openvpn.net>

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel