Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn

2003-10-27 Thread Teemu Kiviniemi
Mon, 27-10-2003 at 22:49, James Yonan wrote:

> One thing that would help me to merge it more easily, is if you could recode
> against the current CVS which has advanced since beta12 and includes the

Hi,

I rewrote the patch against the EXP15 branch in CVS. I tested it briefly
and it worked just fine. The patch is available at:
http://iki.fi/teemuki/openvpn/cvs-tlsremote.diff

Teemu



signature.asc
Description: PGP signature


Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn

2003-10-27 Thread James Yonan
Teemu Kiviniemi said:

> Hi,
> 
> I ran into problems in using --tls-verify to verify the remote host with
> --chroot enabled. --tls-verify runs the verify script with system()
> command, so it assumes that /bin/sh is available. Usually, in a chroot
> environment, that's not true.
> 
> I implemented a new config option: --tls-remote x509name
> 
> With --tls-remote the remote host is verified by looking at the X509
> name. If the remote X509 name doesn't match the given x509name, the
> remote host is rejected.
> 
> With --tls-remote, it's possible to verify remote host even with a
> completely empty chroot directory. --tls-remote also removes the need
> for an external --tls-verify script in most cases.
> 
> Config example:
> tls-remote /O=exampleorg/CN=name
> 
> I have tested the patch with a TLS tunnel on Debian Woody.
> 
> A patch against OpenVPN 1.5 beta12 is available at:
> http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Thanks, that looks like a useful patch.

One thing that would help me to merge it more easily, is if you could recode
against the current CVS which has advanced since beta12 and includes the
--crl-verify patch which touches the same parts of ssl.c as your patch.

The 1.5 beta series exists in the CVS under branch "EXP15".

James




[Openvpn-devel] a replacement for --tls-remote and verify-cn

2003-10-27 Thread Teemu Kiviniemi
Hi,

I ran into problems in using --tls-verify to verify the remote host with
--chroot enabled. --tls-verify runs the verify script with system()
command, so it assumes that /bin/sh is available. Usually, in a chroot
environment, that's not true.

I implemented a new config option: --tls-remote x509name

With --tls-remote the remote host is verified by looking at the X509
name. If the remote X509 name doesn't match the given x509name, the
remote host is rejected.

With --tls-remote, it's possible to verify remote host even with a
completely empty chroot directory. --tls-remote also removes the need
for an external --tls-verify script in most cases.

Config example:
tls-remote /O=exampleorg/CN=name

I have tested the patch with a TLS tunnel on Debian Woody.

A patch against OpenVPN 1.5 beta12 is available at:
http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Feel free to use it. :)

Teemu



signature.asc
Description: PGP signature
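The check Teemu describes (accept the peer only if its X509 subject name equals the configured value, otherwise reject) is easy to get subtly wrong if it degrades into a prefix or substring comparison. The block below is an added illustration written for this thread, not code from Teemu's patch or from OpenVPN's ssl.c. It assumes the peer subject has already been rendered in OpenSSL's one-line form (the "/O=exampleorg/CN=name" shape used in the config example) and that the calling code has extracted that string from the peer certificate; the function names `parse_oneline_dn` and `tls_remote_matches` and the sample subjects in `main` are constructed for the example. The DN is split into its RDN components and compared component by component, so a subject with an extra component, a longer CN, or the components in a different order is rejected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical --tls-remote style check (example code, not OpenVPN's own).
 * The peer's X509 subject is assumed to arrive in OpenSSL's one-line form,
 * e.g. "/O=exampleorg/CN=name", and must match the configured value exactly.
 */

#define MAX_RDNS 16

struct rdn {
    const char *key;    /* points into the caller's string, not copied */
    size_t key_len;
    const char *value;
    size_t value_len;
};

/* Split "/K1=V1/K2=V2" into RDN pairs.  Returns the count, or -1 if the
 * string is malformed (no leading '/', empty component, missing '='). */
static int parse_oneline_dn(const char *dn, struct rdn *out, int max)
{
    int n = 0;
    if (dn == NULL || dn[0] != '/')
        return -1;
    const char *p = dn + 1;
    while (*p) {
        if (n >= max)
            return -1;
        const char *eq = strchr(p, '=');
        const char *end = strchr(p, '/');
        if (end == NULL)
            end = p + strlen(p);
        if (eq == NULL || eq > end || eq == p)
            return -1;                      /* component is not "key=value" */
        out[n].key = p;
        out[n].key_len = (size_t)(eq - p);
        out[n].value = eq + 1;
        out[n].value_len = (size_t)(end - (eq + 1));
        n++;
        p = (*end == '/') ? end + 1 : end;
    }
    return n;
}

/* true only if both names parse, have the same number of components, and
 * every component matches in order with identical key and value lengths. */
bool tls_remote_matches(const char *expected, const char *peer_subject)
{
    struct rdn a[MAX_RDNS], b[MAX_RDNS];
    int na = parse_oneline_dn(expected, a, MAX_RDNS);
    int nb = parse_oneline_dn(peer_subject, b, MAX_RDNS);
    if (na <= 0 || nb <= 0 || na != nb)
        return false;
    for (int i = 0; i < na; i++) {
        if (a[i].key_len != b[i].key_len || a[i].value_len != b[i].value_len)
            return false;
        if (memcmp(a[i].key, b[i].key, a[i].key_len) != 0)
            return false;
        if (memcmp(a[i].value, b[i].value, a[i].value_len) != 0)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample subjects; only the first one should be accepted. */
    const char *configured = "/O=exampleorg/CN=name";
    const char *peers[] = {
        "/O=exampleorg/CN=name",        /* exact match: accept */
        "/O=exampleorg/CN=name2",       /* longer CN: reject */
        "/O=exampleorg/CN=name/OU=x",   /* extra component: reject */
        "/CN=name/O=exampleorg",        /* same components, other order: reject */
        "/O=exampleorg",                /* missing CN: reject */
    };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-32s %s\n", peers[i],
               tls_remote_matches(configured, peers[i]) ? "accept" : "reject");
    return 0;
}
```

In a real client this comparison would sit in the TLS verify callback, after the peer certificate has passed chain validation and its subject has been rendered with `X509_NAME_oneline`; because it needs no external process, it keeps working inside an empty chroot where a `--tls-verify` script launched through `system()` would fail for lack of `/bin/sh`.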