New binaries at [1], it should also print the validation status.

[1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-2.tar.bz2

On 10/9/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> Please note that the other side should detect the expiration.
> Hence, if you revoke the client certificate the server should report
> this and vice versa.
> Please also make sure that both sides using the same functionality.
>
> On 10/9/08, Jason R. Coombs <jar...@jaraco.com> wrote:
> > Alon,
> > I've tested the client functionality and the basic functionality works great
> > (not testing against expired or revoked certificates).
> >
> > I then created a test for expired certs (incorrectly) by specifying an
> > expired _client_ certificate. Curiously, OpenVPN did not complain about the
> > expired client certificate, but rather proceeded to attempt a connection with
> > it (which subsequently failed to establish TLS I suspect because the server
> > didn't have the corresponding public cert). So I think I may have discovered
> > a limitation of the pre-existing cryptoapicert function.
> >
> > So to recap:
> >
> > Cryptoapicert client mode: fails to verify expired cert.
> > Cryptoapica client mode: works!
> > Cryptoapica client mode expired/revoked cert: untested
> > Cryptoapica server mode: untested
> >
> > I'm in a conference this week, but will continue to test as time permits.
> >
> > Jason
> >
> > -----Original Message-----
> > From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
> > Sent: Tuesday, 07 October, 2008 16:56
> > To: Jason R. Coombs
> > Cc: Faidon Liambotis; openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH
> > v3] Use CryptoAPI CA store)
> >
> > Binaries are at [1].
> >
> > It is not enough to test it on client, we need to verify that the
> > validation works correctly on both ends, as capi has different policy
> > for servers and clients.
> >
> > Alon.
> >
> > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-1.tar.bz2
> >
> > On 10/7/08, Jason R. Coombs <jar...@jaraco.com> wrote:
> > > Faidon,
> > >
> > > If you send me a binary build for Windows 32-bit, I'll test it against expired
> > > and revoked certs. I presume I don't need a server configured for this test;
> > > it should fail client side before attempting to connect?
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: Faidon Liambotis [mailto:parav...@debian.org]
> > > Sent: Tuesday, 07 October, 2008 15:53
> > > To: Alon Bar-Lev
> > > Cc: Jason R. Coombs; openvpn-devel@lists.sourceforge.net
> > > Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH
> > > v3] Use CryptoAPI CA store)
> > >
> > > Hi,
> > >
> > > Alon Bar-Lev wrote:
> > > > On 9/27/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> > > >> I prefer to receive patches...
> > > >> Anyway, this is not exactly what I meant.
> > > >> Please review latest head.
> > > >> I did not test this, but it should be correct now as far as the
> > > >> changes are concerned.
> > > >> It may not work as the validation process was never tested.
> > > >
> > > > Any news?
> > > Thanks for reviving this. I built it and tried it and seems to work.
> > > I didn't test with revoked or expired certificates, however.
> > >
> > > As for warnings there's just a trivial one:
> > > cryptoapi.c:429: warning: passing arg 2 of `d2i_X509' from
> > > incompatible pointer type
> > >
> > > Regards,
> > > Faidon