Hello list,

Debian Buster, OpenVPN 2.4.0-6

In the man page there is a flag 'dir' to the option 'crl-verify':

<quote>
If the optional dir flag is specified, enable a different mode where crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected.
</quote>

Ok, here we go:

# grep crl-verify /etc/openvpn/server.conf
crl-verify /etc/openvpn/crl dir

I'd like to block cert with serial number 0B:

# openssl x509 -noout -serial -in test.crt | \
  sed 's/.*=//g;s/../&:/g;s/:$//'
0B

AFAIU the manpage I only have to touch the file:

# touch /etc/openvpn/crl/0B

to prevent the cert with serial number 0B from connecting, but no way, I am still able to connect using this cert with serial 0B.

Have I missed something crucial somewhere?

R.

-- 
richard lucassen
http://contact.xaq.nl/
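
Added example, not part of the original post: the man page text quoted above matches on the serial as a decimal string, whereas `openssl x509 -serial` prints the serial in hex. This Python sketch converts the openssl output to the decimal file name, creates the marker file, and flags existing directory entries whose names are not decimal; the function names and the sample values are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path


def crl_dir_filename(serial_text: str) -> str:
    """Map a serial as openssl prints it to the decimal file name.

    Accepts 'serial=0B', a bare '0B', or colon-separated '0B:AF' (all hex).
    """
    value = serial_text.strip().split("=", 1)[-1].replace(":", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError(f"not a hex serial: {serial_text!r}")
    # Python integers are unbounded, so 160-bit serials convert exactly.
    return str(int(value, 16))


def revoke(crl_dir: Path, serial_text: str) -> Path:
    """Create the empty marker file for this serial and return its path."""
    marker = crl_dir / crl_dir_filename(serial_text)
    marker.touch(exist_ok=True)
    return marker


def audit(crl_dir: Path) -> list[str]:
    """Return entry names that cannot equal a decimal serial string.

    A hex serial made only of digits (e.g. '10') cannot be told apart
    from a decimal one here; only names with other characters are flagged.
    """
    return sorted(p.name for p in crl_dir.iterdir()
                  if not re.fullmatch(r"[0-9]+", p.name))


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the crl directory.
    with tempfile.TemporaryDirectory() as tmp:
        crl = Path(tmp)
        (crl / "0B").touch()                    # file named after the hex form
        print("created:", revoke(crl, "serial=0B").name)
        print("non-decimal names:", audit(crl))
```
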