[Openvpn-devel] client-cert-not-required == client-cert-do-not-check

2007-01-04 Thread Faidon Liambotis
Hello again,
While fiddling with the OpenVPN code for the patch -look at my other
mail- I noticed the following:
When a server specifies client-cert-not-required and the client passes a
certificate, the server does not check this certificate for validity,
i.e. no trust verification (signed by the CA, not in a CRL etc.), no
tls-remote/ns-cert-type/tls-verify handling.
Right now there is a conditional that calls
SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                    verify_callback);
when client-cert-not-required is not set and does nothing but warn when
it's set in the options.

I think that the proper thing to do would be to alter the behavior and call
SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
when the option is passed to OpenVPN and keep the current behavior for
the other case.

Is there a reason not to?
I can think of a reason to do that: allow a server that either accepts a
username/password _or_ a valid certificate -- to allow a migration for
example. This of course would need a clever hack with
auth-user-pass-verify/tls-verify scripts or maybe a new environmental
variable TLS_VERIFIED.

Another reason to do it is because it's the obvious thing to do:
-not-required doesn't mean -do-not-check/-ignored, it means "I will not
fail if you don't provide it but I will fail if you provide one that I can't
verify", IMHO.

Comments?

Regards,
Faidon
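The distinction the post draws between "not required" and "not checked" comes down to which verify-mode bits the server hands to SSL_CTX_set_verify(). The following is an added model written for this archive page, not code from OpenVPN or from the poster: it defines the three OpenSSL mode constants locally (the values are OpenSSL's real ones, so nothing links against libssl) and encodes OpenSSL's documented verify-mode semantics in a small handshake() function, so the three cases can be compared side by side: the current code with the option set (no verification at all), the proposal (verify if a certificate is sent, accept if none is), and the default (a verifiable certificate is mandatory). The selector functions and the outcome enum are hypothetical names chosen for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* OpenSSL verify-mode bits, defined locally so the model builds without
   OpenSSL headers. The values match the real constants in <openssl/ssl.h>. */
#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02

typedef enum { HANDSHAKE_OK = 0, HANDSHAKE_FAIL = 1 } handshake_result;

/* Hypothetical selector modelling the behaviour described in the post:
   with client-cert-not-required set, the server installs no verify mode
   (it only warns), so a presented client certificate is never checked. */
int verify_mode_current(bool client_cert_not_required)
{
    if (client_cert_not_required)
        return SSL_VERIFY_NONE;
    return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}

/* Hypothetical selector modelling the proposal: with the option set the
   server still requests and verifies a certificate but tolerates its absence. */
int verify_mode_proposed(bool client_cert_not_required)
{
    if (client_cert_not_required)
        return SSL_VERIFY_PEER;
    return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}

/* Model of OpenSSL's server-side verify-mode semantics:
   - without SSL_VERIFY_PEER no client certificate is requested or checked;
   - with SSL_VERIFY_PEER a certificate is requested and, if one arrives,
     must pass verification (CA chain, CRL, the verify_callback checks);
   - SSL_VERIFY_FAIL_IF_NO_PEER_CERT additionally rejects a client that
     sends no certificate at all. */
handshake_result handshake(int mode, bool cert_presented, bool cert_verifies)
{
    if (!(mode & SSL_VERIFY_PEER))
        return HANDSHAKE_OK;                 /* nothing is checked */
    if (!cert_presented)
        return (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ? HANDSHAKE_FAIL
                                                         : HANDSHAKE_OK;
    return cert_verifies ? HANDSHAKE_OK : HANDSHAKE_FAIL;
}

/* Print the outcome table for the option set, so the gap in the current
   behaviour (unverifiable certificate accepted) is visible at a glance. */
int main(void)
{
    const struct { bool presented, verifies; const char *label; } cases[] = {
        { false, false, "no certificate sent        " },
        { true,  true,  "valid certificate sent     " },
        { true,  false, "unverifiable cert sent     " },
    };
    printf("client-cert-not-required set:   current   proposed\n");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        handshake_result cur = handshake(verify_mode_current(true),
                                         cases[i].presented, cases[i].verifies);
        handshake_result pro = handshake(verify_mode_proposed(true),
                                         cases[i].presented, cases[i].verifies);
        printf("  %s %-9s %s\n", cases[i].label,
               cur == HANDSHAKE_OK ? "accept" : "reject",
               pro == HANDSHAKE_OK ? "accept" : "reject");
    }
    return 0;
}
```

The third row of the table is the case the post is about: under the current selector an unverifiable certificate is accepted because no verification is installed at all, whereas with SSL_VERIFY_PEER alone it is rejected while a client sending no certificate is still let through.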



Re: [Openvpn-devel] OpenVPN Status Log

2007-01-04 Thread Tony
On Fri, 05 Jan 2007 00:38:44 +0300, Alexander Littell wrote:

> Thanks for the input, Tony.  I'm sure that solution scales very well. ;-)

I'm puzzled...
Was that irony or am I misled by English vs Russian language
differences?


Tony.




Re: [Openvpn-devel] OpenVPN Status Log

2007-01-04 Thread Charles Duffy

Alexander Littell wrote:
> How difficult would it be to program the openvpn-status.log to show
> usernames instead of common names?  Or maybe both.  Any thoughts on how to
> do this?
>
> I could be wrong, but I would guess that most OpenVPN administrators are
> using username/password pairs instead of certificates to authenticate their
> clients.  Well, I do anyway. :)


I'm assuming "openvpn-status.log" is the file created by the status 
directive (different folks can call it different things -- and it has 
two different formats available). I believe that already *will* show 
usernames if you have username-as-common-name specified; is this 
understanding incorrect?


In any event, while I request both usernames and certificates, the 
certificates are more useful in logs (as our certificates specify an 
individual machine as well as the user who owns that machine, whereas 
the usernames specify only the individual who owns the machine but not 
the specific host).


Are you using username-as-common-name? How about duplicate-cn? (It's 
much better to have unique certificates -- but if you're authenticating 
by username and aren't using certificates properly, using 
username-and-common-name and not duplicate-cn should give you more 
management control than using duplicate-cn and leaving off 
username-as-common-name, as in this latter case you can't identify 
individual clients for disconnect commands or such).



I think that this subthread belongs in openvpn-users rather than 
openvpn-devel. I'm sending it to both; please reply only in openvpn-users.





Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates

2007-01-04 Thread Faidon Liambotis
Hi,
Thank you for your comments.

Alon Bar-Lev wrote:
> On 1/3/07, Faidon Liambotis  wrote:
>> Ok, here's another try, even though I didn't get any comments on the
>> first one :-)
>>
>> This is a totally different approach; the previous one was flawed in at
>> least two aspects:
> 
> This is better.
> But you should use CertVerifyCertificateChainPolicy in order to verify
> chain, you should have two policies, one for server and one for
> client...
I've thought about it but didn't implement it because the only policy I
could think of was the nsCertType checking which is already being done
by OpenSSL if the user requested it.

> I think you can remove the global variable you added to ssl.c and put
> it in the session.
True, I will fix this.

Regards,
Faidon



Re: [Openvpn-devel] OpenVPN Status Log

2007-01-04 Thread Tony
On Wed, 03 Jan 2007 16:29:20 +0300, Alexander Littell wrote:

> I would guess that most OpenVPN administrators are using
> username/password pairs instead of certificates to authenticate their
> clients.  Well, I do anyway.

Not me!
I use hardware-tokens-based (PKCS#11) authentication.

Tony.