Hello again,
While fiddling with the OpenVPN code for the patch -look at my other
mail- I noticed the following:
When a server specifies client-cert-not-required and the client passes a
certificate, the server does not check this certificate for validity,
i.e. no trust verification (signed by the CA, not in a CRL etc.), no
tls-remote/ns-cert-type/tls-verify handling.
Right now there is a conditional that calls
SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                    verify_callback);
when client-cert-not-required is not set and does nothing but warn when
it's set in the options.

I think that the proper thing to do would be to alter the behavior and call
SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback);
when the option is passed to OpenVPN and keep the current behavior for
the other case.

Is there a reason not to?
I can think of a reason to do that: allow a server that either accepts a
username/password _or_ a valid certificate -- to allow a migration for
example. This of course would need a clever hack with
auth-user-pass-verify/tls-verify scripts or maybe a new environment
variable TLS_VERIFIED.
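As an added illustration (not OpenVPN's code, nor part of the mail), Python's ssl module wraps the same three OpenSSL verify modes, so the proposed mapping of client-cert-not-required onto SSL_VERIFY_PEER, the current unchecked behaviour, and a post-handshake "was the certificate verified" signal like the TLS_VERIFIED idea can be shown side by side; the function names and the ca_file handling are assumptions made here.

```python
import ssl

# Python's ssl.CERT_* values wrap the OpenSSL verify modes from the mail:
#   CERT_NONE     -> SSL_VERIFY_NONE: no client cert is requested, nothing is checked
#   CERT_OPTIONAL -> SSL_VERIFY_PEER: cert optional, but verified if one is sent
#   CERT_REQUIRED -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT

def verify_mode_for(client_cert_not_required: bool, proposed: bool = True) -> ssl.VerifyMode:
    """Pick the server-side verify mode for the OpenVPN option.

    proposed=True is the behaviour suggested in the mail (optional but verified);
    proposed=False models today's effective behaviour (optional and unchecked).
    """
    if not client_cert_not_required:
        return ssl.CERT_REQUIRED          # unchanged case: cert mandatory and verified
    return ssl.CERT_OPTIONAL if proposed else ssl.CERT_NONE

def make_server_context(ca_file, client_cert_not_required, check_crl=False):
    """Build a TLS server context; ca_file is the trust anchor (None in tests, assumed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = verify_mode_for(client_cert_not_required)
    if ca_file is not None:
        # CA certificate (and any CRL in the same PEM file) used to verify a presented cert
        ctx.load_verify_locations(cafile=ca_file)
    if check_crl:
        # also reject a presented cert that is listed in a loaded CRL
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def crl_checking_enabled(ctx) -> bool:
    """True when leaf-certificate CRL checking is switched on for this context."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)

def peer_is_verified(conn) -> bool:
    """Post-handshake signal comparable to the TLS_VERIFIED idea in the mail.

    With CERT_OPTIONAL, getpeercert() is None when the client sent no cert and a
    populated dict only when it sent one that passed chain (and CRL) checks; a
    cert that fails verification aborts the handshake before this point.
    """
    return bool(conn.getpeercert())
```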

Another reason to do it is because it's the obvious thing to do:
-not-required doesn't mean -do-not-check/-ignored, it means "I will not
fail if you don't provide it but I will fail if you provide one that I
can't verify", IMHO.

Comments?

Regards,
Faidon
