Merge pull request #281 from buchdag/crl-expire

kylemanna · web-flow · commit 1b8374f8181b · 2017-06-17T09:15:27.000-07:00
Defaults easy_rsa CRL next update to 3650 days
diff --git a/Dockerfile b/Dockerfile
@@ -17,6 +17,9 @@ ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
 VOLUME ["/etc/openvpn"]
 
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -17,6 +17,9 @@ ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
 VOLUME ["/etc/openvpn"]
 
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh
@@ -25,6 +25,20 @@ sudo iptables -N DOCKER || echo 'Firewall already configured'
 sudo iptables -I FORWARD 1 -j DOCKER
 docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG
 
+
+#
+# Test that easy_rsa generate CRLs with 'next publish' set to 3650 days.
+#
+crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')"
+crl_next_update="$(date -u -d "$crl_next_update" "+%s")"
+now="$(docker exec $NAME date "+%s")"
+crl_remain="$(( $crl_next_update - $now ))"
+crl_remain="$(( $crl_remain / 86400 ))"
+if (( $crl_remain < 3649 )); then
+    echo "easy_rsa CRL next publish set to less than 3650 days." >&2
+    exit 2
+fi
+
 #
 # Generate a first client certificate and configuration using $CLIENT1 as CN then revoke it.
 #
