diff options
| author | Mathieu GIANNECCHINI <mat.giann@free.fr> | 2010-03-02 00:26:57 +0100 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-03-02 21:24:07 +0100 |
| commit | a3982181e284f8c5c8fc15bbbd670da4d91a2ba9 (patch) | |
| tree | 858cb15c8d51e8c9784b73516616fdc5b7329640 /openvpn.8 | |
| parent | Allow 'lport 0' setup for random port binding (diff) | |
| download | openvpn-a3982181e284f8c5c8fc15bbbd670da4d91a2ba9.tar.xz | |
enhance tls-verify possibility
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to '')
| -rw-r--r-- | openvpn.8 | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -4258,6 +4258,14 @@ to to build a command line which will be passed to the script. .\"********************************************************* .TP +.B --tls-export-cert directory +Store the certificates the clients uses upon connection to this +directory. This will be done before --tls-verify is called. The +certificates will use a temporary name and will be deleted when +the tls-verify script returns. The file name used for the certificate +is available via the peer_cert environment variable. +.\"********************************************************* +.TP .B --tls-remote name Accept connections only from a host with X509 name or common name equal to @@ -5242,6 +5250,11 @@ than their names as denoted on the command line or configuration file. .\"********************************************************* .TP +.B peer_cert +Temporary file name containing the client certificate upon +connection. Useful in conjunction with --tls-verify +.\"********************************************************* +.TP .B script_context Set to "init" or "restart" prior to up/down script execution. For more information, see |