On 15.05.19 at 10:16, Per Jessen wrote:
> Just a heads-up, maybe we have some openvpn users here? In Leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the PKI infrastructure - generate a new CA with a SHA256 signature, then re-issue all client certificates.

There is another issue with OpenVPN 2.4. The OpenVPN client refuses to connect if the specified CRL ("crl-verify <crl-filename>") is outdated. CRL updates can be achieved on server computers, e.g. with cron jobs or systemd timers which trigger a CRL update. But it is especially a problem on computers which are used rarely or which do not have a central management. OCSP can be used as an alternative to CRLs, but OCSP requires a complex setup on OpenVPN servers and clients, and there are no production-ready open source OCSP servers available (the OpenSSL OCSP responder is meant for demonstration purposes). For Windows OpenVPN clients there are no scripts available for CRL updates or OCSP checks. The Easyrsa team solves the issue with outdated CRLs and OpenVPN 2.4 with a standard CRL expiration time of 10 years. (This works, but makes CRLs less useful.)

To summarize, I would recommend documenting the OpenVPN 2.4 changes which may break existing setups in the openSUSE 15.1 release notes.

Greetings,
Björn

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
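A refresh hook of the kind described above (run from a cron job, a systemd timer or an ExecStartPre= line) that checks the nextUpdate of the CRL named in crl-verify and fetches a fresh, CA-verified copy when it is expired or about to expire. This is an added example, not code from this thread, from OpenVPN or from Easyrsa; the file paths, the CA publication URL and the variable names are assumed placeholders, and it assumes openssl, curl and GNU date on PATH.

```sh
#!/bin/sh
# Refresh hook for the CRL an OpenVPN client passes to "crl-verify".
# Run it before OpenVPN starts so the client never loads a CRL whose
# nextUpdate has passed (OpenVPN 2.4 refuses to connect in that case).
# Assumptions: openssl and curl on PATH, GNU date for "date -d".
# All paths, the URL and the variable names below are placeholders.
CRL_FILE="${CRL_FILE:-/etc/openvpn/client/crl.pem}"        # file named in crl-verify
CA_FILE="${CA_FILE:-/etc/openvpn/client/ca.crt}"           # CA that signs the CRL
CRL_URL="${CRL_URL:-https://pki.example.invalid/crl.pem}"  # where the CA publishes it
MIN_SECONDS="${MIN_SECONDS:-86400}"                        # refresh when < 1 day remains

# Convert an OpenSSL-printed time ("May 15 10:16:00 2019 GMT") to epoch seconds.
openssl_time_to_epoch() {
  date -u -d "$1" +%s
}

# Seconds until the CRL's nextUpdate (negative once expired).
# $1 = CRL path, $2 = optional "now" epoch (lets callers and tests pin the clock).
crl_seconds_left() {
  next=$(openssl crl -in "$1" -noout -nextupdate) || return 2
  next_epoch=$(openssl_time_to_epoch "${next#nextUpdate=}") || return 2
  now=${2:-$(date -u +%s)}
  echo $((next_epoch - now))
}

# True (exit 0) when the remaining lifetime is below the safety margin.
refresh_due() {  # $1 = seconds left, $2 = margin in seconds
  [ "$1" -lt "$2" ]
}

# Download to a temp file, check the signature against CA_FILE, then swap
# it in atomically so OpenVPN never sees a half-written or forged CRL.
fetch_crl() {
  tmp=$(mktemp "${CRL_FILE}.XXXXXX") || return 1
  if curl -fsS --max-time 30 -o "$tmp" "$CRL_URL" &&
     openssl crl -in "$tmp" -noout -CAfile "$CA_FILE" >/dev/null 2>&1; then
    mv -f "$tmp" "$CRL_FILE"
  else
    rm -f "$tmp"; return 1
  fi
}

main() {
  left=$(crl_seconds_left "$CRL_FILE" 2>/dev/null) || left=-1   # missing/unreadable: refresh
  if refresh_due "$left" "$MIN_SECONDS"; then
    fetch_crl || { echo "CRL refresh failed; OpenVPN 2.4 will refuse an expired CRL" >&2; exit 1; }
  fi
}
if [ "${RUN_CRL_REFRESH:-0}" = 1 ]; then main; fi
```

Set RUN_CRL_REFRESH=1 in the timer unit or crontab entry to run the check; without it the file only defines the functions.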