diff options
| author | Mathieu GIANNECCHINI <mat.giann@free.fr> | 2010-03-02 00:26:57 +0100 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-10-21 21:11:46 +0200 |
| commit | 39238d1b173d8b7f08e061dd51e30605ce722e92 (patch) | |
| tree | b9f102e8328ff2af22739cae2f630d3cc2cbd818 /openvpn.8 | |
| parent | 0c1f7ad5e84e7a79bd3f982cba5dad3cc12dbebb (diff) | |
| download | openvpn-39238d1b173d8b7f08e061dd51e30605ce722e92.tar.gz openvpn-39238d1b173d8b7f08e061dd51e30605ce722e92.tar.xz openvpn-39238d1b173d8b7f08e061dd51e30605ce722e92.zip | |
enhance tls-verify possibility
It should be nice to enhance tls-verify check possibilities against peer
cert during a pending TLS connection like :
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch add a new "tls-export-cert" option which allow to get peer
certificate in PEM format and to store it in an openvpn temporary file.
Peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available under tls-verify
script by an environment variable "peer_cert".
The patch was made from OpenVPN svn Beta21 branches.
Here is a very simple exemple of Tls-verify script which provide OCSP
support to OpenVPN (with tls-export-cert option) without any OpenVPN
"core" modification :
X509=$2
openssl ocsp \
-issuer /etc/openvpn/ssl.crt/RootCA.pem \
-CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
-cert $peer_cert \
-url http://your-ocsp-url
if [ $? -ne 0 ]
then
echo "error : OCSP check failed for ${X509}" | logger -t
"tls-verify"
exit 1
fi
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up to during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'openvpn.8')
| -rw-r--r-- | openvpn.8 | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -4288,6 +4288,14 @@ to to build a command line which will be passed to the script. .\"********************************************************* .TP +.B \-\-tls-export-cert directory +Store the certificates the clients uses upon connection to this +directory. This will be done before --tls-verify is called. The +certificates will use a temporary name and will be deleted when +the tls-verify script returns. The file name used for the certificate +is available via the peer_cert environment variable. +.\"********************************************************* +.TP .B \-\-tls-remote name Accept connections only from a host with X509 name or common name equal to @@ -5286,6 +5294,11 @@ than their names as denoted on the command line or configuration file. .\"********************************************************* .TP +.B peer_cert +Temporary file name containing the client certificate upon +connection. Useful in conjunction with --tls-verify +.\"********************************************************* +.TP .B script_context Set to "init" or "restart" prior to up/down script execution. For more information, see |