Community discussions

MikroTik App
 
gsloop
Member Candidate
Member Candidate
Topic Author
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

OpenVPN CRL [Certificate revocation list]

Mon Aug 20, 2012 12:50 am

I've only seen a single post on CRL's for certificates in OpenVPN. [Or CRL's for any certificates anywhere for that matter]

It appears there's no functional way to use CRL's in RoS.

Is this still the case?

---
If so, the only way to block a OpenVPN user is to change/delete their PPP secrets config, correct?
[We'll allow them to "connect" to the OVPN server and allow any damage they can do there, but block the PPP connect?]

Why the heck isn't a CRL implemented in RoS by now?

TIA
-Greg
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OpenVPN CRL [Certificate revocation list]

Mon Aug 20, 2012 3:33 pm

I've only seen a single post on CRL's for certificates in OpenVPN. [Or CRL's for any certificates anywhere for that matter]

It appears there's no functional way to use CRL's in RoS.

Is this still the case?

---
If so, the only way to block a OpenVPN user is to change/delete their PPP secrets config, correct?
[We'll allow them to "connect" to the OVPN server and allow any damage they can do there, but block the PPP connect?]

Why the heck isn't a CRL implemented in RoS by now?

TIA
-Greg
Lots of posts complaining about "openVPN" feature of rOS being so partial it's barely openVPN at all.
CRL is like UDP, LZO and every other modern openVPN features: "won't implement" is the official answer.
 
gsloop
Member Candidate
Member Candidate
Topic Author
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: OpenVPN CRL [Certificate revocation list]

Mon Aug 20, 2012 7:10 pm

I know all about OpenVPN and MikroTik's **HORRIBLE** implementation record.

However, I've not seen any posts saying that Mikrotik has said they will never impliment CRL's.

Can you point me to that?

[I'm not saying they will, just that I'd like to see for myself where they say they won't.]

-Greg
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OpenVPN CRL [Certificate revocation list]

Wed Aug 22, 2012 11:45 am

We are working on CRL, it will be in version 6.
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OpenVPN CRL [Certificate revocation list]

Fri Aug 24, 2012 1:04 pm

Ok, good to know.
I still don't get a freakin bit of MT logic on their OpenVPN topic.
 
emuell
just joined
Posts: 22
Joined: Fri Dec 07, 2012 5:01 pm

Re: OpenVPN CRL [Certificate revocation list]

Wed Jun 05, 2013 1:32 pm

i have upgraded to ROS 6 und built my own self signed CA.
when i revoke my client certificate the openvpn connection is still working.

it looks like that the openvpn-server does not check the built-in CRL?

can anybody confirm that ?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OpenVPN CRL [Certificate revocation list]

Wed Jun 05, 2013 1:35 pm

Currently only Ipsec and SSTP respects CRLs. This was also mentioned in changelog and wiki.
 
emuell
just joined
Posts: 22
Joined: Fri Dec 07, 2012 5:01 pm

Re: OpenVPN CRL [Certificate revocation list]

Wed Jun 05, 2013 2:00 pm

thanks for the answer - i've already checked the system/certificate wiki-page but didn't found anything.
are there any plans to support CRL in openvpn in near future?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OpenVPN CRL [Certificate revocation list]

Wed Jun 05, 2013 2:10 pm

http://wiki.mikrotik.com/wiki/Manual:Wh ... rtificates

Not at the moment, but we might add it in the future.
 
Sivics
just joined
Posts: 4
Joined: Thu May 30, 2013 5:48 pm

Re: OpenVPN CRL [Certificate revocation list]

Mon Oct 10, 2016 3:46 pm

http://wiki.mikrotik.com/wiki/Manual:Wh ... rtificates

Not at the moment, but we might add it in the future.
Any news?
 
tmiklas
just joined
Posts: 9
Joined: Mon Apr 02, 2007 12:06 pm

Re: OpenVPN CRL [Certificate revocation list]

Tue Oct 18, 2016 10:33 pm

Bumping up...

I'll put it this way - so far Mikrotik wins with most vendors on functionality, flexibility and price but this kind of gaps makes it non-starter for really serious deployments where security is not an optional bolt-on but absolute baseline requirement. I'd like to see some implementation timeline if possible.
 
mortar8
just joined
Posts: 21
Joined: Mon Sep 16, 2013 1:41 pm

Re: OpenVPN CRL [Certificate revocation list]

Thu Nov 03, 2016 2:28 pm

I can confirm it working on 6.36.2 but not exactly straight. There is a bug in GUI that causes ca crl host to be empty after signing.
When You sign a certificate there is a field for CRL host and it does nothing. Signing from terminal works fine and CRL host is set.
Then the revocation of certificates is respected and revoked certs are denied connection.
Phew at last. Just correct this bug please :)
 
shkiperon
just joined
Posts: 2
Joined: Sun Feb 11, 2018 5:37 pm

Re: OpenVPN CRL [Certificate revocation list]

Sun Feb 11, 2018 6:17 pm

Hi.
I have a little different question - in current ROS (6.41.2) if I revoke certificate of client (another Routerboard device) the connection is not interrupted. To break the connection I needed to disable / enable OVPN Server Binding.
Of course, I can revoke the certificate through a script to do everything with one command, but is it really the user who should be following such things?

Who is online

Users browsing this forum: Ahrefs [Bot], Batterio, DanMos79, intania and 94 guests