From a3982181e284f8c5c8fc15bbbd670da4d91a2ba9 Mon Sep 17 00:00:00 2001 From: Mathieu GIANNECCHINI Date: Tue, 2 Mar 2010 00:26:57 +0100 Subject: enhance tls-verify possibility It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth Acked-by: Gert Doering --- options.h | 1 + 1 file changed, 1 insertion(+) (limited to 'options.h') diff --git a/options.h b/options.h index 740e18e..a3114e2 100644 --- a/options.h +++ b/options.h @@ -440,6 +440,7 @@ struct options const char *pkcs12_file; const char *cipher_list; const char *tls_verify; + const char *tls_export_cert; const char *tls_remote; const char *crl_file; -- cgit