New binaries at [1], it should also print the validation status.

[1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-2.tar.bz2

On 10/9/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> Please note that the other side should detect the expiration.
>  Hence, if you revoke the client certificate the server should report
>  this and vice versa.
>  Please also make sure that both sides are using the same functionality.
>
>
>  On 10/9/08, Jason R. Coombs <jar...@jaraco.com> wrote:
>  > Alon,
>  >         I've tested the client functionality and the basic functionality works great
>  >  (not testing against expired or revoked certificates).
>  >
>  >         I then created a test for expired certs (incorrectly) by specifying an
>  >  expired _client_ certificate.  Curiously, OpenVPN did not complain about the
>  >  expired client certificate, but rather proceeded to attempt a connection with
>  >  it (which subsequently failed to establish TLS I suspect because the server
>  >  didn't have the corresponding public cert).  So I think I may have discovered
>  >  a limitation of the pre-existing cryptoapicert function.
>  >
>  >         So to recap:
>  >
>  >         Cryptoapicert client mode: fails to verify expired cert.
>  >         Cryptoapica client mode: works!
>  >         Cryptoapica client mode expired/revoked cert: untested
>  >         Cryptoapica server mode: untested
>  >
>  >         I'm in a conference this week, but will continue to test as time permits.
>  >
>  >
>  >  Jason
>  >
>  >  -----Original Message-----
>  >  From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
>  >  Sent: Tuesday, 07 October, 2008 16:56
>  >  To: Jason R. Coombs
>  >  Cc: Faidon Liambotis; openvpn-devel@lists.sourceforge.net
>  >  Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH
>  >  v3] Use CryptoAPI CA store)
>  >
>  >  Binaries are at [1].
>  >
>  >  It is not enough to test it on client, we need to verify that the
>  >  validation works correctly on both ends, as capi has different policy
>  >  for servers and clients.
>  >
>  >  Alon.
>  >
>  >  [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-1.tar.bz2
>  >
>  >  On 10/7/08, Jason R. Coombs <jar...@jaraco.com> wrote:
>  >  > Faidon,
>  >  >
>  >  >  If you send me a binary build for Windows 32-bit, I'll test it against expired
>  >  >  and revoked certs.  I presume I don't need a server configured for this test;
>  >  >  it should fail client side before attempting to connect?
>  >  >
>  >  >
>  >  >  Jason
>  >  >
>  >  >
>  >  >  -----Original Message-----
>  >  >  From: Faidon Liambotis [mailto:parav...@debian.org]
>  >  >  Sent: Tuesday, 07 October, 2008 15:53
>  >  >  To: Alon Bar-Lev
>  >  >  Cc: Jason R. Coombs; openvpn-devel@lists.sourceforge.net
>  >  >  Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH
>  >  >  v3] Use CryptoAPI CA store)
>  >  >
>  >  >
>  >  > Hi,
>  >  >
>  >  >  Alon Bar-Lev wrote:
>  >  >  > On 9/27/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>  >  >  >>  I prefer to receive patches...
>  >  >  >>  Anyway, this is not exactly what I meant.
>  >  >  >>  Please review latest head.
>  >  >  >>  I did not test this, but it should be correct now as far as the
>  >  >  >>  changes are concerned.
>  >  >  >>  It may not work as the validation process was never tested.
>  >  >  >
>  >  >  > Any news?
>  >  >  Thanks for reviving this. I built it and tried it and seems to work.
>  >  >  I didn't test with revoked or expired certificates, however.
>  >  >
>  >  >  As for warnings there's just a trivial one:
>  >  >         cryptoapi.c:429: warning: passing arg 2 of `d2i_X509' from
>  >  >                          incompatible pointer type
>  >  >
>  >  >  Regards,
>  >  >  Faidon
>  >  >
>  >  >
>  >  >
>  >  >
>  >
>  >
>
