Diffstat (limited to 'sample-scripts')
-rwxr-xr-x | sample-scripts/bridge-start | 2 | ||||
-rwxr-xr-x | sample-scripts/bridge-stop | 2 | ||||
-rwxr-xr-x | sample-scripts/openvpn.init | 8 | ||||
-rwxr-xr-x | sample-scripts/verify-cn | 42 |
4 files changed, 33 insertions, 21 deletions
diff --git a/sample-scripts/bridge-start b/sample-scripts/bridge-start
index bfbbdc5..d20a260 100755
--- a/sample-scripts/bridge-start
+++ b/sample-scripts/bridge-start
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #################################
 # Set up Ethernet bridge on Linux
diff --git a/sample-scripts/bridge-stop b/sample-scripts/bridge-stop
index d452893..8192779 100755
--- a/sample-scripts/bridge-stop
+++ b/sample-scripts/bridge-stop
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 ####################################
 # Tear Down Ethernet bridge on Linux
diff --git a/sample-scripts/openvpn.init b/sample-scripts/openvpn.init
index 6c699cc..821abd5 100755
--- a/sample-scripts/openvpn.init
+++ b/sample-scripts/openvpn.init
@@ -5,10 +5,10 @@
 #
 # chkconfig: 345 24 76
 #
-# description: OpenVPN is a robust and highly flexible tunneling application that
-# uses all of the encryption, authentication, and certification features
-# of the OpenSSL library to securely tunnel IP networks over a single
-# UDP port.
+# description: OpenVPN is a robust and highly flexible tunneling application \
+# that uses all of the encryption, authentication, and \
+# certification features of the OpenSSL library to securely \
+# tunnel IP networks over a single UDP port.
 #
 # Contributed to the OpenVPN project by
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
index 5d56d95..f9fea0f 100755
--- a/sample-scripts/verify-cn
+++ b/sample-scripts/verify-cn
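Review bot: Changing the interpreter to `/bin/sh` in bridge-start (and identically in bridge-stop) is only safe if the script bodies, which lie entirely outside these hunks, use POSIX sh constructs; any bash-only syntax would now fail at runtime on systems where /bin/sh is dash or busybox ash. The hunks show only the shebang and the header comment, so this cannot be confirmed from the diff. Worth a `sh -n` pass under dash and a `checkbashisms` run on both scripts before merging.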
@@ -7,24 +7,28 @@
 #
 # For example in OpenVPN, you could use the directive:
 #
-# tls-verify "./verify-cn Test-Client"
+# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
 #
 # This would cause the connection to be dropped unless
-# the client common name is "Test-Client"
+# the client common name is listed on a line in the
+# allowed_clients file.
-die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
 # Parse out arguments:
-# cn -- The common name which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cn, $depth, $x509) = @ARGV;
+# cnfile -- The file containing the list of common names, one per
+# line, which the client is required to have,
+# taken from the argument to the tls-verify directive
+# in the OpenVPN config file.
+# The file can have blank lines and comment lines that begin
+# with the # character.
+# depth -- The current certificate chain depth. In a typical
+# bi-level chain, the root certificate will be at level
+# 1 and the client certificate will be at level 0.
+# This script will be called separately for each level.
+# x509 -- the X509 subject string as extracted by OpenVPN from
+# the client's provided certificate.
+($cnfile, $depth, $x509) = @ARGV;
 if ($depth == 0) {
 # If depth is zero, we know that this is the final
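Review bot: The new unpacking `($cnfile, $depth, $x509) = @ARGV;` still assigns package globals, so the script cannot be put under `use strict` without further changes; the preamble where strictures would go is outside the hunk. Suggest `my ($cnfile, $depth, $x509) = @ARGV;` here, and since `$cn` and `$line` in the following hunk are undeclared in the same way, adding `use strict; use warnings;` at the top of the script so typos in these names fail at compile time rather than silently rejecting every client.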
@@ -34,11 +38,19 @@ if ($depth == 0) {
 # the X509 subject string.
 if ($x509 =~ /\/CN=([^\/]+)/) {
+ $cn = $1;
 # Accept the connection if the X509 common name
 # string matches the passed cn argument.
- if ($cn eq $1) {
- exit 0;
+ open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
+ while (defined($line = <FH>)) {
+ if ($line !~ /^[[:space:]]*(#|$)/o) {
+ chop($line);
+ if ($line eq $cn) {
+ exit 0;
+ }
+ }
 }
+ close(FH);
 }
 # Authentication failed -- Either we could not parse
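Review bot: `chop($line)` drops the last character of every candidate line unconditionally, so a final entry without a trailing newline loses its last character and a CRLF-edited allowed_clients file keeps a `\r` on every entry; such names never match and those clients are rejected with no hint why. `chomp($line); $line =~ s/\r\z//;` handles both cases. On the same hunk, `open(FH, '<', $cnfile) or exit 1` correctly fails closed but silently; `or do { warn "verify-cn: cannot open $cnfile: $!\n"; exit 1 };` would surface the misconfiguration in OpenVPN's log instead of presenting as every client being refused. The comment `# string matches the passed cn argument.` is now stale; suggest `# string is listed in the cnfile passed as the first argument.`. The bareword `FH` and the undeclared `$line`/`$cn` would be lexical (`open my $fh, '<', $cnfile`, `my $line`) in strict code.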