revoking an certificate should NOT delete the R line from the pki/index.txt

[emacsimize]

Hi

I was testing the revocation function the script and figured out that if you revoke more than one certificate the other won't be in the included in the generated crl.pem

Steps to reproduce

• create a certificate
• revoke it with the openvpn-install script
• check the crl.pem with openssl crl -in -text You will see one revoked certificate
• create a new certificate
• revoke this newly created
• check crl.pem again - The newly generated cert will be revoked. BUT ONLY THIS one. the old one would now be able to connect.

Reason for this is that openvpn-install.sh at

openvpn-install/openvpn-install.sh

Line 1190 in 506c86f

sed -i -e '/^[R]/d' /etc/openvpn/easy-rsa/pki/index.txt

is deleting the R line from the index.txt . This is in my opinion very bad and results in a massive security issue. Since all previously revoked certificate would now be allowed to connect again.

second test:
use the script to

• create a certificate
• revoke this certificate
• check crl.pem - it's there
• run manually easy-rsa gen-crl
• check crl.pem - you will see the line "No certificate is revoked"

There is always the case that I'm talking totally bullshit and I'm all wrong but if this isn't the case. Please fix it ASAP.

cheers

• emacsimize

[TinCanTech]

I have tested your theory and you are totally correct.

Deleting the ^R (revoked) lines from index.txt effectively unrevokes certificates.

[coolapso]

I'll take a look at it during weekend and push a fix for that

[emacsimize]

Thanks for noticing

Just for the sake of it , should I create an issue out of this ?

[coolapso]

Just noticed this is not PiVPN ... and i don't think this happens on PiVPN

[coolapso]

still @angristan might want to take a look at this, then make it a issue or not depending on what its his procedure here.

[TinCanTech]

FTR: A Certificate Revocation List is only a List of ^R.* Certificates.

[angristan]

PR welcome to fix this 🙂