Re: [Openvpn-devel] better handling of revoked certs

2018-01-01 Thread Илья Шипицин
2018-01-01 17:56 GMT+05:00 Antonio Quartulli: > Hi, > > On 01/01/18 20:30, Steffan Karger wrote: > > [CUT] > > > > > Note the '5 seconds' reconnect loop, which is the same as what current > > released openvpn would do in response to an alert. So if we change our > > servers to

Re: [Openvpn-devel] better handling of revoked certs

2018-01-01 Thread Steffan Karger
Hi, On 01-01-18 13:56, Antonio Quartulli wrote: > On 01/01/18 20:30, Steffan Karger wrote: > > [CUT] > >> >> Note the '5 seconds' reconnect loop, which is the same as what current >> released openvpn would do in response to an alert. So if we change our >> servers to send alerts, they will

Re: [Openvpn-devel] better handling of revoked certs

2018-01-01 Thread Antonio Quartulli
Hi, On 01/01/18 20:30, Steffan Karger wrote: [CUT] > > Note the '5 seconds' reconnect loop, which is the same as what current > released openvpn would do in response to an alert. So if we change our > servers to send alerts, they will experience quite a bit more load from > clients attempting

Re: [Openvpn-devel] better handling of revoked certs

2018-01-01 Thread Steffan Karger
Hi, This mail thread has been sitting marked-for-follow-up in my mailbox for a while. Finally found some time to test and jot down my thoughts, see below. On 06-10-17 13:23, David Sommerseth wrote: > On 06/10/17 11:52, Илья Шипицин wrote: > [...snip...] >> > >> >     In addition, what

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread Илья Шипицин
2017-10-06 16:23 GMT+05:00 David Sommerseth < open...@sf.lists.topphemmelig.net>: > On 06/10/17 11:52, Илья Шипицин wrote: > [...snip...] > > > > > > In addition, what happens when you try to use a revoked > *client* > > > certificate when connecting to an HTTPS server

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread David Sommerseth
On 06/10/17 11:52, Илья Шипицин wrote: [...snip...] > > > >     In addition, what happens when you try to use a revoked *client* > >     certificate when connecting to an HTTPS server demanding client > >     certificates to be present? > > > > > > 403 > > > >

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread Илья Шипицин
2017-10-06 14:42 GMT+05:00 David Sommerseth < open...@sf.lists.topphemmelig.net>: > On 06/10/17 11:37, Илья Шипицин wrote: > > > > > > 2017-10-06 14:11 GMT+05:00 David Sommerseth > > > >: > > > > On 06/10/17 11:02,

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread David Sommerseth
On 06/10/17 11:37, Илья Шипицин wrote: > > > 2017-10-06 14:11 GMT+05:00 David Sommerseth > >: > > On 06/10/17 11:02, Илья Шипицин wrote: > > > > > > 2017-10-06 13:43 GMT+05:00 David Sommerseth > >

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread Илья Шипицин
2017-10-06 14:11 GMT+05:00 David Sommerseth < open...@sf.lists.topphemmelig.net>: > On 06/10/17 11:02, Илья Шипицин wrote: > > > > > > 2017-10-06 13:43 GMT+05:00 David Sommerseth > > > >: > > > > On 06/10/17 08:58,

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread David Sommerseth
On 06/10/17 11:02, Илья Шипицин wrote: > > > 2017-10-06 13:43 GMT+05:00 David Sommerseth > >: > > On 06/10/17 08:58, Илья Шипицин wrote: > > Hello, > > > > I used to run openvpn in login/password mode

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread Илья Шипицин
2017-10-06 13:43 GMT+05:00 David Sommerseth < open...@sf.lists.topphemmelig.net>: > On 06/10/17 08:58, Илья Шипицин wrote: > > Hello, > > > > I used to run openvpn in login/password mode for years. > > now, I'm getting working certificate setup. > > > > > > what I found strange about revoked

Re: [Openvpn-devel] better handling of revoked certs

2017-10-06 Thread David Sommerseth
On 06/10/17 08:58, Илья Шипицин wrote: > Hello, > > I used to run openvpn in login/password mode for years. > now, I'm getting working certificate setup. > > > what I found strange about revoked certificates ... from client point of > view it looks like any other "tls key negotiation timeout" >

[Openvpn-devel] better handling of revoked certs

2017-10-06 Thread Илья Шипицин
Hello, I used to run openvpn in login/password mode for years. Now, I'm getting a working certificate setup. What I found strange about revoked certificates ... from the client's point of view it looks like any other "tls key negotiation timeout". Is there a way to signal the user "hey, your key is revoked"