[Openvpn-devel] client-cert-not-required == client-cert-do-not-check
Hello again,

While fiddling with the OpenVPN code for the patch -look at my other mail- I noticed the following:

When a server specifies client-cert-not-required and the client passes a certificate, the server does not check this certificate for validity, i.e. no trust verification (signed by the CA, not in a CRL etc.), no tls-remote/ns-cert-type/tls-verify handling.

Right now there is a conditional that calls
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
when client-cert-not-required is not set and does nothing but warn when it's set in the options.

I think that the proper thing to do would be to alter the behavior and call
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
when the option is passed to OpenVPN and keep the current behavior for the other case. Is there a reason not to?

I can think of a reason to do that: allow a server that either accepts a username/password _or_ a valid certificate -- to allow a migration for example. This of course would need a clever hack with auth-user-pass-verify/tls-verify scripts or maybe a new environmental variable TLS_VERIFIED.

Another reason to do it is because it's the obvious thing to do: -not-required doesn't mean -do-not-check/-ignored, it means "I will not fail if you don't provide it but I will fail if you provide one that I can't verify", IMHO.

Comments?

Regards,
Faidon
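The distinction the message draws between "not required" and "not checked" is exactly the difference between the three OpenSSL verify modes, and it can be observed without OpenVPN at all. The following is an added example and not code from OpenVPN or from the poster: Python's ssl module maps CERT_NONE to SSL_VERIFY_NONE, CERT_OPTIONAL to SSL_VERIFY_PEER (the mode proposed above) and CERT_REQUIRED to SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (the mode used today when client-cert-not-required is absent). Each mode is run against a client that sends no certificate, a CA-signed certificate, and a certificate from an untrusted CA; the handshakes happen entirely in memory. The example assumes the third-party `cryptography` package is installed, used only to mint a throwaway CA and certificates; all names (Example CA, alice, mallory) are made up.

```python
"""Added example, not OpenVPN code: the three server-side verify modes against
three kinds of client.  Assumes the `cryptography` package is installed."""
import datetime
import ssl
import tempfile
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MODES = {"CERT_NONE": ssl.CERT_NONE,          # SSL_VERIFY_NONE: never asks for a cert
         "CERT_OPTIONAL": ssl.CERT_OPTIONAL,  # SSL_VERIFY_PEER: asks, verifies one if sent
         "CERT_REQUIRED": ssl.CERT_REQUIRED}  # ... | FAIL_IF_NO_PEER_CERT: fails if none


def make_cert(cn, is_ca=False, issuer=None):
    """Return (key, cert); self-signed unless issuer=(key, cert) is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
    return key, cert


def write_pem(path, key, cert):
    path.write_bytes(key.private_bytes(serialization.Encoding.PEM,
                                       serialization.PrivateFormat.PKCS8,
                                       serialization.NoEncryption())
                     + cert.public_bytes(serialization.Encoding.PEM))


def server_context(server_pem, ca_pem, mode):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(str(server_pem))
    ctx.load_verify_locations(cadata=ca_pem)  # the CA client certs must chain to
    ctx.verify_mode = mode
    return ctx


def client_context(cert_pem=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # server-cert checking is not the point here
    if cert_pem is not None:
        ctx.load_cert_chain(str(cert_pem))
    return ctx


def handshake(server_ctx, client_ctx):
    """Run one handshake in memory.  Returns ("accepted", verified CN or None)
    or ("rejected", None), as seen by the server."""
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    pending = {client: (c_out, s_in), server: (s_out, c_in)}
    try:
        for _ in range(20):
            for side, (outgoing, peer_in) in list(pending.items()):
                try:
                    side.do_handshake()
                    del pending[side]
                except ssl.SSLWantReadError:
                    pass
                peer_in.write(outgoing.read())  # shuttle TLS records across
            if not pending:
                break
    except ssl.SSLError:  # verify failure, or no cert when one is required
        return "rejected", None
    peer = server.getpeercert()  # None: no cert presented; dict: verified cert
    if not peer:
        return "accepted", None
    return "accepted", next(v for rdn in peer["subject"] for k, v in rdn if k == "commonName")


def run_matrix():
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        ca = make_cert("Example CA", is_ca=True)
        rogue = make_cert("Rogue CA", is_ca=True)  # a CA the server does not trust
        write_pem(d / "server.pem", *make_cert("vpn-server", issuer=ca))
        write_pem(d / "alice.pem", *make_cert("alice", issuer=ca))
        write_pem(d / "mallory.pem", *make_cert("mallory", issuer=rogue))
        ca_pem = ca[1].public_bytes(serialization.Encoding.PEM).decode()
        clients = {"no cert": None, "CA-signed cert": d / "alice.pem",
                   "untrusted cert": d / "mallory.pem"}
        return {(m, c): handshake(server_context(d / "server.pem", ca_pem, mode),
                                  client_context(path))
                for m, mode in MODES.items() for c, path in clients.items()}


if __name__ == "__main__":
    for (mode, client), outcome in run_matrix().items():
        print(f"{mode:14} {client:15} -> {outcome}")
```

Under CERT_OPTIONAL the server accepts a client with no certificate and a client with a CA-signed one, but rejects the certificate from the untrusted CA; under CERT_NONE the untrusted certificate is never even requested, so the server learns nothing about it. The second element of the result is what a TLS_VERIFIED-style variable would carry: a verified CN, or None when the client authenticated by other means only.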
Re: [Openvpn-devel] OpenVPN Status Log
On Fri, 05 Jan 2007 00:38:44 +0300, Alexander Littell wrote:
> Thanks for the input, Tony. I'm sure that solution scales very well. ;-)

I'm puzzled... Was that an irony or am I misled by English vs Russian language differences?

Tony.
Re: [Openvpn-devel] OpenVPN Status Log
Alexander Littell wrote:
> How difficult would it be to program the openvpn-status.log to show usernames instead of common names? Or maybe both. Any thoughts on how to do this? I could be wrong, but I would guess that most OpenVPN administrators are using username/password pairs instead of certificates to authenticate their clients. Well, I do anyway. :)

I'm assuming "openvpn-status.log" is the file created by the status directive (different folks can call it different things -- and it has two different formats available). I believe that already *will* show usernames if you have username-as-common-name specified; is this understanding incorrect?

In any event, while I request both usernames and certificates, the certificates are more useful in logs (as our certificates specify an individual machine as well as the user who owns that machine, whereas the usernames specify only the individual who owns the machine but not the specific host).

Are you using username-as-common-name? How about duplicate-cn? (It's much better to have unique certificates -- but if you're authenticating by username and aren't using certificates properly, using username-as-common-name and not duplicate-cn should give you more management control than using duplicate-cn and leaving off username-as-common-name, as in this latter case you can't identify individual clients for disconnect commands or such).

I think that this subthread belongs in openvpn-users rather than openvpn-devel. I'm sending it to both; please reply only in openvpn-users.
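The management problem raised in the reply above (a common name shared by several sessions cannot be targeted by a disconnect command) is visible directly in the status file. The following is an added example and not OpenVPN's own code: it parses a status-version-1 status file into its CLIENT LIST and ROUTING TABLE sections and reports common names that more than one live session carries. The sample log is constructed for the example; its layout follows the version-1 format written by the status directive as the author of this example knows it, and with username-as-common-name the Common Name column holds the username, so the same parser applies to that configuration.

```python
"""Added example, not OpenVPN code: parse a status-version-1 status file and
find common names shared by several sessions.  Sample log is constructed."""
import csv

SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jan  4 12:00:00 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,192.0.2.10:51234,10240,20480,Thu Jan  4 11:00:00 2007
laptop-shared,192.0.2.11:40001,512,1024,Thu Jan  4 11:05:00 2007
laptop-shared,198.51.100.7:40002,256,2048,Thu Jan  4 11:07:00 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,192.0.2.10:51234,Thu Jan  4 11:59:00 2007
10.8.0.10,laptop-shared,192.0.2.11:40001,Thu Jan  4 11:58:00 2007
10.8.0.14,laptop-shared,198.51.100.7:40002,Thu Jan  4 11:57:00 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_TITLES = {"OpenVPN CLIENT LIST": "clients", "ROUTING TABLE": "routes"}


def parse_status_v1(text):
    """Return {"clients": [...], "routes": [...]}; each row is a dict keyed by
    the CSV header line that opens its section."""
    sections = {"clients": [], "routes": []}
    current, header = None, None
    for line in text.splitlines():
        if line in SECTION_TITLES:
            current, header = SECTION_TITLES[line], None
        elif line in ("GLOBAL STATS", "END"):
            current = None
        elif current is None or line.startswith("Updated,"):
            continue  # timestamp line and trailing sections carry no rows
        elif header is None:
            header = next(csv.reader([line]))
        else:
            sections[current].append(dict(zip(header, next(csv.reader([line])))))
    return sections


def sessions_by_common_name(status):
    """Map each common name to the real addresses of its live sessions."""
    by_cn = {}
    for row in status["clients"]:
        by_cn.setdefault(row["Common Name"], []).append(row["Real Address"])
    return by_cn


def ambiguous_kill_targets(status):
    """Common names that a kill-by-common-name on the management interface
    could not disambiguate (the duplicate-cn situation); only the per-session
    IP:port form can single out one of these sessions."""
    return sorted(cn for cn, addrs in sessions_by_common_name(status).items()
                  if len(addrs) > 1)


def virtual_addresses(status, cn):
    """Tunnel addresses currently routed to a common name."""
    return sorted(r["Virtual Address"] for r in status["routes"]
                  if r["Common Name"] == cn)


if __name__ == "__main__":
    status = parse_status_v1(SAMPLE_STATUS_LOG)
    for cn, addrs in sessions_by_common_name(status).items():
        print(cn, addrs, virtual_addresses(status, cn))
    print("ambiguous:", ambiguous_kill_targets(status))
```

In the constructed log, laptop-shared is connected twice from two real addresses, which is what duplicate-cn permits; the parser flags it because a disconnect by common name would not say which of the two sessions goes.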
Re: [Openvpn-devel] [PATCH v2] Use CryptoAPI to verify certificates
Hi,

Thank you for your comments.

Alon Bar-Lev wrote:
> On 1/3/07, Faidon Liambotis wrote:
>> Ok, here's another try, even though I didn't get any comments on the
>> first one :-)
>>
>> This is a totally different approach; the previous one was flawed in at
>> least two aspects:
>
> This is better.
> But you should use CertVerifyCertificateChainPolicy in order to verify
> chain, you should have two policies, one for server and one for
> client...

I've thought about it but didn't implement it because the only policy I could think of was the nsCertType checking which is already being done by OpenSSL if the user requested it.

> I think you can remove the global variable you added to ssl.c and put
> it in the session.

True, I will fix this.

Regards,
Faidon
Re: [Openvpn-devel] OpenVPN Status Log
On Wed, 03 Jan 2007 16:29:20 +0300, Alexander Littell wrote:
> I would guess that most OpenVPN administrators are using username/password pairs instead of certificates to authenticate their clients. Well, I do anyway.

Not me! I use hardware-tokens-based (PKCS#11) authentication.

Tony.