> On 8 May 2025, at 14:46, Arne Schwabe <arne rfc2549 ! org> wrote:
> 
> On 21.04.25 at 23:44, Klemens Nanni wrote:
>> This allows for accepting clients based on their certificate authority:
>>      x509-username-field issuer CN
>>      verify-x509-name    ...CA=ExampleCA_ match-prefix
>> 
>> `tls-verify` or `plugin` can do the equivalent, but require additional code
>> execution and always incur overhead or may not be an option when running with
>> reduced privileges, e.g. `chroot`
> 
> I am trying to understand the use case for this patch. Issuer is only 
> something you can trust and verify if you verified the fingerprint of 
> the certificate or that the certificate is issued by a given CA. But if 
> it is already verified to belong to a trusted CA, then you don't need 
> issuer CN anymore.

--ca contains the root CA and the intermediate CA issuing client certificates
for VPN use.

Under the same root CA, another intermediate CA exists not intended for VPN.

The problem is OpenVPN successfully validates both certificate chains whilst
only one intermediate CA should allow peers to connect.

AFAIU, this is expected OpenSSL behaviour, at least when OpenVPN peers
send not only their own, but also their issuer CA's certificate via --cert.

Having said that, --remote-cert-ku might be a viable alternative, but that
requires the X509v3 extension and respective key usage bits set up front
(I have not tried that approach).

Thus reusing the customisable username mechanism allows for limiting to
certain CAs, i.e. rejecting undesired peers, early during handshake.

> It would also be good to try to add a unit test. Since it is probably a 
> quite exotic use case, this will not be tested regularly and as such is 
> in danger of becoming broken, and since this is an auth-related option that 
> might then be an authentication bypass. We really want to avoid that.

If the patch still makes sense to you and seems worth pursuing, I’ll happily
work on tests next.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
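To make the trust problem described in the mail concrete, here is an added Go example (not part of the thread or of OpenVPN's code) that builds a constructed PKI with one root and two intermediates, shows that plain path validation accepts a client under either intermediate, and then applies an issuer-CN prefix rule in the spirit of the proposed `x509-username-field issuer CN` / `verify-x509-name ... match-prefix` pair. The CA and client names, the `accept` helper and the `ExampleCA_` prefix on the VPN intermediate are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// mkCert issues a certificate with common name cn; a nil parent means a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial for a demo PKI
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// accept: ordinary path validation against the --ca root (peer sends its cert plus its issuing intermediate, as in the mail), then the proposed issuer-CN prefix rule; an empty prefix disables the rule.
func accept(leaf, inter, root *x509.Certificate, prefix string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false
	}
	return strings.HasPrefix(leaf.Issuer.CommonName, prefix)
}
// Scenario builds a constructed PKI (root, VPN intermediate, unrelated intermediate, one client under each) and returns {vpn chain valid, other chain valid, vpn accepted with rule, other accepted with rule}.
func Scenario() [4]bool {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	vpnCA, vpnKey := mkCert("ExampleCA_VPN", true, root, rootKey)
	otherCA, otherKey := mkCert("Example Mail CA", true, root, rootKey)
	alice, _ := mkCert("alice", false, vpnCA, vpnKey)
	bob, _ := mkCert("bob", false, otherCA, otherKey)
	return [4]bool{accept(alice, vpnCA, root, ""), accept(bob, otherCA, root, ""),
		accept(alice, vpnCA, root, "ExampleCA_"), accept(bob, otherCA, root, "ExampleCA_")}
}
func main() { r := Scenario(); println(r[0], r[1], r[2], r[3]) } // true true true false
```

Both chains validate to the shared root, so only the issuer-CN prefix rule tells the VPN intermediate's clients apart from the other intermediate's.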