Hello,

On 11.05.2005 23:25, James Yonan wrote:
> True, but I think you're somewhat stretching the connotation of "security bug" here.

Yes. Sorry if the "security bug" subject hurt you.

> No matter how much OpenVPN tries to
> authenticate the CRL, an attacker with root privileges could easily
> install a stealth backdoor on the server which would completely bypass the
> VPN.

OK, another example:
        - a root CA
        - two intermediate CAs
On the server we have 3 CA certificates and 3 CRLs. The CRLs are updated by a cron job. If an attacker managed to modify the CRL of one intermediate CA, he can simulate a false CRL with the same DN as the root CA or the other intermediate CA... The cron job on the server will normally and automatically fetch the false CRL... It's not a very extreme situation: only one intermediate CA has been attacked.

Of course, as OpenVPN only handles one CRL with --crl-verify (and consequently only one CA), it's not a problem for now, I agree with you. But if OpenVPN has to manage several CAs (like in a real PKI), the CRL management will have to be finer. Fortunately, OpenSSL 0.9.7 integrates all the tools for that.

Again, thanks for OpenVPN, and do not misunderstand me: OpenVPN is a very very nice piece of code anyway :-)

--
Thomas NOEL <thomas.n...@auf.org> http://www.auf.org/
Technical Infrastructure Coordinator
Agence universitaire de la Francophonie (AUF)
Services centraux Paris - 4 place de la Sorbonne - 75005 Paris
Tel: +33 (0)1 44 41 18 18, ext. 1822 Fax: +33(0)1 44 41 18 19
> Please avoid sending me Word or PowerPoint documents
> see http://www.gnu.org/philosophy/no-word-attachments.fr.html
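
The multi-CA case raised in this message, as an added example that is not part of the original message or of OpenVPN: a gate the CRL cron job can run so that each fetched CRL is accepted only if it verifies under the key of the CA it is supposed to come from, not merely because its issuer DN matches. The function name `install_crl` and all file paths are hypothetical; the only tool assumed is the `openssl crl` command with its `-in`, `-CAfile` and `-noout` options.

```shell
#!/bin/sh
# Added example (hypothetical helper, not OpenVPN code): check a freshly
# fetched CRL against the one CA expected to have issued it before it
# replaces the file the server reads through --crl-verify.

# install_crl CA_CERT CANDIDATE_CRL DEST
# Returns 0 and installs CANDIDATE_CRL at DEST only if its signature
# verifies under the public key in CA_CERT. Returns 1 otherwise and leaves
# DEST untouched.
install_crl() {
    ca=$1
    cand=$2
    dest=$3

    # CA_CERT must contain ONLY the expected issuer. openssl looks the
    # issuer up by DN and then checks the signature with that key, so a CRL
    # that carries the right DN but was signed with another CA's key fails,
    # and so does a valid CRL that belongs to a different CA.
    # Older openssl releases exit 0 even after printing "verify failure",
    # so the decision is made on the message and not on the exit status.
    out=$(openssl crl -in "$cand" -CAfile "$ca" -noout 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *)
            echo "rejecting $cand for $ca: $out" >&2
            return 1
            ;;
    esac

    # Replace the live file atomically so the server never reads a
    # half-written CRL.
    tmp="$dest.new.$$"
    cp "$cand" "$tmp" && mv -f "$tmp" "$dest"
}
```

The cron job calls it once per CA, each time with that CA's own certificate file, and keeps the previous CRL whenever the call returns non-zero.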
