Hi,

On 11/09/17 13:22, Илья Шипицин wrote:
Hello,

Is someone actually using "tls-verify" in production?
We tried to implement an additional certificate check using tls-verify.


While it works in general, in the case when it hits "exit 1", it looks like a 
timeout from the client's point of view. It is not any good.

Do you mean that when a client is denied access (i.e. the tls-verify script exits 1 on the server) that the client sees this as a timeout? That is "normal" behaviour, as the server does not tell the client *WHY* access is refused - it simply stops responding to a client that does not pass authentication/authorization. The client will not hear from the server, and will time out after a specified interval. This is actually the most secure way to do things, as a rogue client cannot DoS a server this way.

HTH,

JJK
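
An added example, not part of the original thread and not OpenVPN's own code: a tls-verify hook that writes the denial reason to the server's log, since the rejected client only ever sees a timeout. The allow-list path and the log tag are assumptions; OpenVPN passes the certificate depth and X509 subject as the two arguments and exports X509_0_CN for the peer certificate.

```shell
#!/bin/sh
# Hypothetical tls-verify hook, e.g.:  tls-verify /etc/openvpn/verify-cn.sh
# Exit 0 lets the TLS handshake continue; exit 1 makes the server drop it.

# Assumed allow-list location: one permitted Common Name per line.
ALLOW_FILE="${ALLOW_FILE:-/etc/openvpn/allowed-cn.txt}"

# Fallback CN parser for a subject such as "C=NL, O=Example, CN=client1".
# Assumes the comma-separated subject format; a field must start with "CN=".
subject_cn() {
    printf '%s\n' "$1" | awk -F', ' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^CN=/) { print substr($i, 4); exit }
    }'
}

# The client is told nothing, so the reason is recorded on the server only.
log_deny() {
    logger -t ovpn-tls-verify -- "DENY: $1" 2>/dev/null || echo "DENY: $1" >&2
}

# verify_cert DEPTH SUBJECT -> 0 (allow) or 1 (reject)
verify_cert() {
    depth=$1
    subject=$2
    # Depth > 0 is a CA certificate; chain validation stays with OpenVPN.
    [ "$depth" -eq 0 ] || return 0
    # Prefer the CN OpenVPN exports in the environment, else parse the subject.
    cn=${X509_0_CN:-$(subject_cn "$subject")}
    if [ -z "$cn" ]; then
        log_deny "no CN in subject: $subject"
        return 1
    fi
    # -F fixed string, -x whole line: no regex or substring matches.
    if grep -Fxq -- "$cn" "$ALLOW_FILE" 2>/dev/null; then
        return 0
    fi
    log_deny "CN '$cn' is not listed in $ALLOW_FILE"
    return 1
}

# When OpenVPN invokes the script it supplies exactly two arguments.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

A missing or unreadable allow-list rejects every client, so the hook fails closed.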


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
