Hi,
On Fri, Apr 17, 2020 at 03:40:12AM +0100, tincanteksup wrote:
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.
It is a *number*. Whether a particular frontend presents it as "hex" is
a matte
Hi,
On Thu, Apr 16, 2020 at 10:41 PM tincanteksup wrote:
>
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.
What the ideal format should be is arguable, but the "source" is
not in hex. Serial n
Missing the point completely.
*Why* does openvpn expect a decimal value for something which is clearly
intended to be and is at source Hex.
On 16/04/2020 20:25, Joe Patterson wrote:
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to t
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
>
> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection,
On Thu, 16 Apr 2020 15:25:38 -0400
Joe Patterson wrote:
> My first thought is "It should be trivial to write a little script to
> go through and link the decimal name to the hex name", and even
> though, intellectually, I know that the chance of a collision between
> hex and dec names in that larg
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to the hex name", and even
though, intellectually, I know that the chance of a collision between
hex and dec names in that large a space would be infinitesimal, it
still manages to really bothe
Hi,
On 16/04/2020 19:52, richard lucassen wrote:
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
Yeah right:
cd /etc/openvpn/crl/tun0/
mv 0B 11
Now it works. The serial number must be decimal.
Which is even more 'fun' with randomised serial numbers, eg:
94:68:4a:17:db:99:a7:36
On Thu, 16 Apr 2020 14:29:38 -0400
Selva Nair wrote:
> > # touch /etc/openvpn/crl/0B
>
> IIRC, you have to use the decimal representation of the serial.
I just found out, I saw your post too late. That was it indeed.
Thnx!
R.
--
richard lucassen
http://contact.xaq.nl/
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:
Yeah right:
cd /etc/openvpn/crl/tun0/
mv 0B 11
Now it works. The serial number must be decimal.
R.
--
richard lucassen
http://contact.xaq.nl/
___
Openvpn-users mailing list
Openvpn-users@
Hi,
>
> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection, where the client certificate serial number
> (decimal s
On Thu, 16 Apr 2020 19:49:42 +0200
Gert Doering wrote:
> On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> > If it cannot read the crl file, then that's a problem :) Check, if
> > all directory is world readable (not just the crl, but all
> > 'upstream' directories, like /etc, /etc/o
On Thu, 16 Apr 2020 19:34:21 +0200
Dajka Tamás wrote:
> Is selinux/apparmor enabled? That can prevent the openvpn process to
> read the file.
>
> I know you've checked the files/dirs, but it's always a good idea to
> check it with the actual user accessing it; it's too easy to
> overlook/miss some
Hi,
On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> If it cannot read the crl file, then that's a problem :) Check, if all
> directory is world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)
--chroot in use? --chdir, and no absolute pa
ichard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 7:16 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 13:38:39 +0200
Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
Yep. And according t
On Thu, 16 Apr 2020 14:59:34 +0200
Antonio Quartulli wrote:
> > If u can't restart the server how can you test? Changing the server
> > side requires reboot.
>
> This is not the case for CRLs and CRL directories. The server will get
> the freshest data even without reboot.
Correct, but adding "
On Thu, 16 Apr 2020 13:38:39 +0200
Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
Yep. And according to the man page the server should reject certificate
with serial 0B if a file exists in crl/0B (file can be empty)
> If u can't restart the server how can you test?
Hi,
On 16/04/2020 13:38, Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
>
> If u can't restart the server how can you test? Changing the server side
> requires reboot.
This is not the case for CRLs and CRL directories. The server will get
the freshest data even with
riginal Message-
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 1:07 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 13:00:53 +0200
richard lucassen wrote:
> On Thu, 16 Apr 2020 12:50:
On Thu, 16 Apr 2020 13:00:53 +0200
richard lucassen wrote:
> On Thu, 16 Apr 2020 12:50:30 +0200
> richard lucassen wrote:
>
> When adding the option on the CLI I see that it reads the option:
>
> # openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
> --config /etc/openvpn/server.conf | grep -i
On Thu, 16 Apr 2020 12:58:35 +0200
Dajka Tamás wrote:
> If it cannot read the crl file, then that's a problem :) Check, if all
> directory is world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)
That is all ok. It is all 755 for dirs and 644 for file
On Thu, 16 Apr 2020 12:50:30 +0200
richard lucassen wrote:
When adding the option on the CLI I see that it reads the option:
# openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
--config /etc/openvpn/server.conf | grep -i crl
Thu Apr 16 12:56:01 2020 us=442959 crl_file = '/etc/openvpn/crl/tun
April 16, 2020 12:51 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 12:30:48 +0200
Dajka Tamás wrote:
> why not simply using a CRL file and revoke the unneeded certificate?
Because it's a nice and simple option ;-)
> To debu
On Thu, 16 Apr 2020 12:30:48 +0200
Dajka Tamás wrote:
> why not simply using a CRL file and revoke the unneeded certificate?
Because it's a nice and simple option ;-)
> To debug the issue, I think we'll need some logs with 'verb 4' - at
> least from the server side.
Even with "verb 9" there is
Hi,
why not simply using a CRL file and revoke the unneeded certificate?
To debug the issue, I think we'll need some logs with 'verb 4' - at least
from the server side.
Cheers,
Tom
-Original Message-
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, Apr
David Sommerseth wrote:
> On 03/02/15 10:10, Marine B wrote:
>
>> Good morning,
>>
>> I would like to know if it is possible to specify the revocation
>> list by using a remote file. I have more than one server, so far
>> I'm pushing them the
Thanks for your answers
2015-02-03 13:56 GMT+01:00 David Sommerseth :
> On 03/02/15 10:10, Marine B wrote:
> > Good morning,
> >
> > I would like to know if it is possible to specify the revocation
> > list by using a remote file. I have more t
On 03/02/15 10:10, Marine B wrote:
> Good morning,
>
> I would like to know if it is possible to specify the revocation
> list by using a remote file. I have more than one server, so far
> I'm pushing them the revocation list every time I revoke a
>
27 matches