
Comments (7)

mathiasertl avatar mathiasertl commented on June 21, 2024

Hi @kevin-olbrich,

Thanks of course for your report! I will add a flag like this to the view and to the dump_crl command, allowing you to create CRLs without an IDP.

Can I ask you for more information so that I can reproduce this? In #64 and other issues I did add test cases to make sure that the use case is covered. To do the same here, I of course need to be able to reproduce this. (and who knows, maybe I can even help you improve your OpenVPN configuration ;-))

kr, Mat

from django-ca.

mathiasertl avatar mathiasertl commented on June 21, 2024

@kevin-olbrich, while starting to look into this, I discovered that it is currently indeed possible to create a view that does not include the extension: All you have to do is set the scope of the view to None, e.g.

views.CertificateRevocationListView.as_view(scope=None)

When using the dump_crl command, you should get a similar outcome if you simply don't pass the --scope parameter.

I will however still add a flag for this, as this extension certainly caused trouble in the past.


mathiasertl avatar mathiasertl commented on June 21, 2024

(The current commit just adds a flag to the dump_crl command, the view is still missing)


mathiasertl avatar mathiasertl commented on June 21, 2024

This time fixed for real! Feature is implemented and will be included in the next release!

However, I'm still hoping for more input so that I can reproduce your setup in automated tests.


kevin-olbrich avatar kevin-olbrich commented on June 21, 2024

> However, I'm still hoping for more input so that I can reproduce your setup in automated tests.

Actually it is not very complicated. I created a root CA on CLI (without intermediaries). I then copied the CA cert available via URL to the OpenVPN server. When I added crl-verify for OpenVPN (crl is downloaded using cron), it always failed when connecting with a valid certificate. Actually it is related to the problem in #64.

OpenVPN validates the IDP using OpenSSL if it is present in the CRL. At least for me, it was not present or did not match in the root certificate and thus failed verification.

As the download happens in the background and blocking all connections because of an error in validation is not an option, it was better to remove the IDP extension from the CRL. In case OpenVPN would get a CRL that matches the CA but not the IDP, OpenVPN could not do anything to solve this (which IMHO is a minor issue with large consequences).

Sorry, my knowledge of certificate extensions is limited. This is the first time I work with more complex setups in x509. I was only using easyrsa before, which simply brings it down to only basic features of x509.

Thank you very much for your time and help! I could not contribute much to this change, the more I want to thank you for implementing everything!

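The two comments above describe the same mechanism from both sides: a view created with scope=None emits a full CRL with no IssuingDistributionPoint, while a scoped view adds an IDP that OpenVPN (via OpenSSL) then validates against the CA. The following check lets a cron job inspect a downloaded CRL and refuse to install it when an IDP is present, so a validation failure never replaces a working CRL. It is an added example, not code from this thread, from django-ca or from OpenVPN; it parses the DER directly so it needs no third-party library. The two sample CRLs are constructed inline with a placeholder signature: one mimics a scope=None full CRL, the other carries an IDP with onlyContainsUserCerts set (assumed to resemble a user-scoped CRL), and the CA name and URL are made-up values.

```python
"""Detect the IssuingDistributionPoint (IDP) extension in a DER-encoded CRL.

Added example (not django-ca or OpenVPN code). The sample CRLs below are
constructed here with a dummy signature; a real deployment must also verify
the CRL signature against the CA certificate before trusting its contents.
"""

OID_IDP = "2.5.29.28"         # id-ce-issuingDistributionPoint, RFC 5280 5.2.5
OID_CRL_NUMBER = "2.5.29.20"  # id-ce-cRLNumber


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def oid_decode(content):
    """Decode OID content bytes to dotted form, e.g. b'\\x55\\x1d\\x1c' -> 2.5.29.28."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def crl_extensions(crl_der):
    """Return [(oid, critical, extnValue)] from tbsCertList.crlExtensions [0]."""
    _, cert_list, _ = der_read(crl_der)
    tbs = der_children(cert_list)[0][1]               # tbsCertList SEQUENCE
    for tag, val in der_children(tbs):
        if tag == 0xA0:                               # [0] EXPLICIT Extensions
            result = []
            for _, ext in der_children(der_children(val)[0][1]):
                fields = der_children(ext)            # OID, [BOOLEAN], OCTET STRING
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                result.append((oid_decode(fields[0][1]), critical, fields[-1][1]))
            return result
    return []


def idp_summary(crl_der):
    """None for a full CRL (no IDP); otherwise the IDP fields that scope it."""
    for oid, critical, extn in crl_extensions(crl_der):
        if oid != OID_IDP:
            continue
        info = {"critical": critical, "distributionPoint": False,
                "onlyContainsUserCerts": False, "onlyContainsCACerts": False}
        for tag, val in der_children(der_children(extn)[0][1]):
            if tag == 0xA0:                           # distributionPoint [0]
                info["distributionPoint"] = True
            elif tag == 0x81:                         # onlyContainsUserCerts [1]
                info["onlyContainsUserCerts"] = val == b"\xff"
            elif tag == 0x82:                         # onlyContainsCACerts [2]
                info["onlyContainsCACerts"] = val == b"\xff"
        return info
    return None


# --- tiny DER encoder, only used to build the constructed sample CRLs ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample_crl(with_idp):
    """Constructed CRL: full CRL if with_idp is False, else one with a
    critical IDP (distribution point URL + onlyContainsUserCerts)."""
    alg = tlv(0x30, oid_encode("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid_encode("2.5.4.3") + tlv(0x0C, b"Test CA"))))
    this_update, next_update = tlv(0x17, b"240621000000Z"), tlv(0x17, b"240721000000Z")
    revoked = tlv(0x30, tlv(0x30, tlv(0x02, b"\x02") + this_update))  # serial 2 revoked
    exts = tlv(0x30, oid_encode(OID_CRL_NUMBER) + tlv(0x04, tlv(0x02, b"\x05")))
    if with_idp:
        uri = tlv(0x86, b"http://ca.example.com/crl/user.crl")        # GeneralName [6] URI
        idp = tlv(0x30, tlv(0xA0, tlv(0xA0, uri)) + tlv(0x81, b"\xff"))
        exts += tlv(0x30, oid_encode(OID_IDP) + tlv(0x01, b"\xff") + tlv(0x04, idp))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + this_update + next_update
              + revoked + tlv(0xA0, tlv(0x30, exts)))
    signature = tlv(0x03, b"\x00" * 33)               # placeholder, NOT a real signature
    return tlv(0x30, tbs + alg + signature)


if __name__ == "__main__":
    for label, crl in (("full CRL", build_sample_crl(False)), ("scoped CRL", build_sample_crl(True))):
        print(label, "->", idp_summary(crl))
```

In a cron job, run idp_summary() on the freshly downloaded file and exit non-zero when it returns anything other than None, leaving the previously installed CRL untouched; that is the failure mode Kevin describes, where a CRL that OpenSSL rejects would otherwise block every connection with no way for OpenVPN to recover.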

mathiasertl avatar mathiasertl commented on June 21, 2024

Hi Kevin,

> Sorry, my knowledge of certificate extensions is limited. This is the first time I work with more complex setups in x509. I was only using easyrsa before, which simply brings it down to only basic features of x509.

No worries, that's what the author of such a software is here for. I'm glad I can help.

> Actually it is not very complicated. ...

Can you please post the relevant configuration snippets from OpenVPN, client- and server side? Of course, please properly sanitize it and don't post private keys ;-). Also, are you downloading the client- or server CRL? I assume the former, but just to be sure (you can answer that question by posting the URL path, if you use a default provided view, or together with the view configuration).

Thanks very much for reporting the issue and for using django-ca!

kr, Mat


mathiasertl avatar mathiasertl commented on June 21, 2024

Closing due to lack of feedback. If you have any further issues @kevin-olbrich, please don't hesitate to file a new issue!
