From e30ee8eecfc7352002fc99ef0c1b959942ee8888 Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Sat, 17 Jun 2017 12:59:48 +0200
Subject: [PATCH 1/2] Add CRL next update test
---
 test/tests/revocation/run.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh
index 290b69b..6130aa5 100755
--- a/test/tests/revocation/run.sh
+++ b/test/tests/revocation/run.sh
@@ -25,6 +25,20 @@ sudo iptables -N DOCKER || echo 'Firewall already configured'
 sudo iptables -I FORWARD 1 -j DOCKER
 docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG
+
+#
+# Test that easy_rsa generate CRLs with 'next publish' set to 3650 days.
+#
+crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')"
+crl_next_update="$(date -u -d "$crl_next_update" "+%s")"
+now="$(docker exec $NAME date "+%s")"
+crl_remain="$(( $crl_next_update - $now ))"
+crl_remain="$(( $crl_remain / 86400 ))"
+if (( $crl_remain < 3649 )); then
+ echo "easy_rsa CRL next publish set to less than 3650 days." >&2
+ exit 2
+fi
+
 #
 # Generate a first client certificate and configuration using $CLIENT1 as CN then revoke it.
 #
From 8d7bc7e2c526ef9d10328b1bf9cd11da9d60dfdf Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Sat, 17 Jun 2017 13:01:24 +0200
Subject: [PATCH 2/2] Set CRL next update to 3650 days
---
 Dockerfile | 3 +++
 Dockerfile.aarch64 | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 3a751b3..1a07bee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,9 @@ ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
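Review bot: `tr -d 'GMT'` on the first `crl_next_update=` line deletes every capital G, M and T anywhere in the string, not the trailing word, so a nextUpdate that falls in March or May (openssl prints e.g. `May 12 09:30:00 2027 GMT`) becomes `ay 12 09:30:00 2027 ` and the following `date -u -d` fails, aborting the test in those months. GNU date accepts the trailing `GMT` itself, so the pipeline can end at `cut -d'=' -f2`; if the suffix really must go, use `sed 's/ GMT$//'` in place of the `tr`. While there, quote the container name in both `docker exec "$NAME" …` calls, and be aware that `now` is read from the container clock while the expiry is parsed by the host's `date`, which only works as long as the two clocks agree to well under a day. The test script continues outside the hunk.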
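Review bot: The comment above the new `ENV EASYRSA_CRL_DAYS 3650` line states the availability motive but leaves out the two caveats an operator needs: the value only affects CRLs generated after this image is in use, so a volume initialised earlier keeps its existing crl.pem and old nextUpdate until `easyrsa gen-crl` is re-run; and with a ten-year nextUpdate OpenVPN no longer fails closed on a stale crl.pem, so a revocation is only effective if the CRL is regenerated after it (presumably the revocation helper does this, but it is not visible here). Suggested replacement comment: `# CRL nextUpdate = 3650 days so clients are not refused when the CRL lapses.` followed by `# Existing volumes need a fresh 'easyrsa gen-crl'; regenerate after every revocation, an old CRL is now trusted for 10 years.` The 3650 here also has to stay in step with the `3649` threshold checked by the revocation test.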
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 39ae41d..6c506a7 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -17,6 +17,9 @@ ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`