Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn
Mon, 27-10-2003 at 22:49, James Yonan wrote:
> One thing that would help me to merge it more easily, is if you could recode
> against the current CVS which has advanced since beta12 and includes the

Hi,

I rewrote the patch against the EXP15 branch in CVS. I tested it briefly and it worked just fine.

The patch is available at:
http://iki.fi/teemuki/openvpn/cvs-tlsremote.diff

Teemu
Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn
Teemu Kiviniemi said:
> Hi,
>
> I ran into problems in using --tls-verify to verify the remote host with
> --chroot enabled. --tls-verify runs the verify script with system()
> command, so it assumes that /bin/sh is available. Usually, in a chroot
> environment, that's not true.
>
> I implemented a new config option: --tls-remote x509name
>
> With --tls-remote the remote host is verified by looking at the X509
> name. If the remote X509 name doesn't match the given x509name, the
> remote host is rejected.
>
> With --tls-remote, it's possible to verify remote host even with a
> completely empty chroot directory. --tls-remote also removes the need
> for an external --tls-verify script in most cases.
>
> Config example:
> tls-remote /O=exampleorg/CN=name
>
> I have tested the patch with a TLS tunnel on Debian Woody.
>
> A patch against OpenVPN 1.5 beta12 is available at:
> http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Thanks, that looks like a useful patch.

One thing that would help me to merge it more easily, is if you could recode against the current CVS which has advanced since beta12 and includes the --crl-verify patch which touches the same parts of ssl.c as your patch. The 1.5 beta series exists in the CVS under branch "EXP15".

James
[Openvpn-devel] a replacement for --tls-remote and verify-cn
Hi,

I ran into problems in using --tls-verify to verify the remote host with --chroot enabled. --tls-verify runs the verify script with system() command, so it assumes that /bin/sh is available. Usually, in a chroot environment, that's not true.

I implemented a new config option: --tls-remote x509name

With --tls-remote the remote host is verified by looking at the X509 name. If the remote X509 name doesn't match the given x509name, the remote host is rejected.

With --tls-remote, it's possible to verify remote host even with a completely empty chroot directory. --tls-remote also removes the need for an external --tls-verify script in most cases.

Config example:
tls-remote /O=exampleorg/CN=name

I have tested the patch with a TLS tunnel on Debian Woody.

A patch against OpenVPN 1.5 beta12 is available at:
http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Feel free to use it. :)

Teemu
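The check Teemu describes, as an added illustration that is not part of the thread or of OpenVPN's own code: the peer's X.509 subject in OpenSSL's one-line "/O=.../CN=..." form is compared in-process against the configured name, so nothing needs to be executed from inside the chroot. The sample certificate chain, the exact-match rule, and the helper names (`parse_x509_name`, `tls_remote_matches`, `verify_chain`) are assumptions made for this example; the only thing taken from the post is the name format and the "no match, reject" rule.

```python
"""Added example, not OpenVPN's own code: an in-process equivalent of the
--tls-remote check described in the post. Assumes the subject is given in
OpenSSL's one-line '/O=exampleorg/CN=name' format and that the rule is an
exact match against the peer's own (depth-0) certificate."""
from typing import Iterable, List, Tuple

# Constructed sample chain as a TLS verify callback would see it:
# (depth, one-line subject). Depth 0 is the peer's own certificate,
# depth 1 is the CA that signed it.
SAMPLE_CHAIN = [
    (1, "/O=exampleorg/CN=exampleorg CA"),
    (0, "/O=exampleorg/CN=name"),
]


def parse_x509_name(name: str) -> List[Tuple[str, str]]:
    """Parse '/O=exampleorg/CN=name' into an ordered list of
    (attribute, value) pairs, rejecting malformed input instead of
    silently comparing garbage."""
    if not name.startswith("/"):
        raise ValueError("x509 name must start with '/': %r" % name)
    rdns = []
    for component in name[1:].split("/"):
        attr, sep, value = component.partition("=")
        if not sep or not attr:
            raise ValueError("malformed component %r in %r" % (component, name))
        rdns.append((attr, value))
    return rdns


def tls_remote_matches(configured: str, peer_subject: str) -> bool:
    """Exact, order-sensitive, case-sensitive comparison of the configured
    name against the peer subject. Comparing parsed components rather than
    raw strings means a malformed configured name fails loudly."""
    return parse_x509_name(configured) == parse_x509_name(peer_subject)


def verify_chain(configured: str, chain: Iterable[Tuple[int, str]]) -> bool:
    """Apply the --tls-remote rule: only the depth-0 certificate (the peer
    itself) is compared. A certificate merely issued by the same CA but
    carrying a different subject is rejected, which is the point of pinning
    the identity rather than just trusting the CA."""
    leaves = [subject for depth, subject in chain if depth == 0]
    if len(leaves) != 1:
        return False  # no peer certificate, or an oddly shaped chain
    return tls_remote_matches(configured, leaves[0])


if __name__ == "__main__":
    # Expected peer: accepted. Another certificate from the same CA: rejected.
    print(verify_chain("/O=exampleorg/CN=name", SAMPLE_CHAIN))
    print(verify_chain("/O=exampleorg/CN=other", SAMPLE_CHAIN))
```

The comparison is deliberately strict: attribute order and case both matter, so "/CN=name/O=exampleorg" does not match "/O=exampleorg/CN=name", and the CA certificate at depth 1 is never consulted. In later OpenVPN releases --tls-remote was deprecated in favour of --verify-x509-name, which compares against the RFC 2253 form of the subject instead of the one-line format used here.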