Alon,
I've tested the client functionality and the basic functionality works great (not testing against expired or revoked certificates).
I then created a test for expired certs (incorrectly) by specifying an
expired _client_ certificate. Curiously, OpenVPN did not complain about the
expired client certificate, but rather proceeded to attempt a connection with
it (which subsequently failed to establish TLS I suspect because the server
didn't have the corresponding public cert). So I think I may have discovered
a limitation of the pre-existing cryptoapicert function.
So to recap:
Cryptoapicert client mode: fails to verify expired cert.
Cryptoapica client mode: works!
Cryptoapica client mode expired/revoked cert: untested
Cryptoapica server mode: untested
I'm in a conference this week, but will continue to test as time permits.
Jason
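The test matrix above hinges on one question: does the client reject its own expired certificate locally, before any handshake? The following is an added example, not OpenVPN or CryptoAPI code: a minimal DER walker that extracts notBefore/notAfter from an X.509 certificate and reports whether it is usable at a given time. The certificate it runs against is constructed in-line (an unsigned skeleton with empty Names and no key); `build_test_cert`, `check_client_cert` and `demo` are names chosen here. It checks only the validity window, not the signature, chain or revocation status, which is exactly the gap the thread is still testing.

```python
"""Pre-flight validity check of a client certificate (added example).

Walks the DER structure Certificate -> tbsCertificate -> validity and
refuses an expired or not-yet-valid certificate before any connection
attempt.  The certificate used below is CONSTRUCTED here: an unsigned
skeleton carrying only the fields this check depends on.
"""
import datetime as dt


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the payload of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode a Time element: UTCTime (0x17) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots at 1950
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        s = "%04d%s" % (year, s[2:])
    elif tag != 0x18:                      # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(cert)[0][1]            # tbsCertificate is the first SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity = _children(fields[3][1])
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def check_client_cert(der, now=None):
    """Return 'ok', 'expired' or 'not-yet-valid' for the certificate at `now`."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "ok"


# --- constructed test certificate (structure only, hypothetical) ----------
def _tlv(tag, value):
    """Encode one DER TLV, using the long length form when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_test_cert(not_before, not_after):
    """Build a minimal, UNSIGNED certificate skeleton with the given validity."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                   # version v3
        _tlv(0x02, b"\x01"),                                                # serialNumber 1
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA OID
        _tlv(0x30, b""),                                                    # issuer (empty Name)
        _tlv(0x30, utc(not_before) + utc(not_after)),                       # validity
        _tlv(0x30, b""),                                                    # subject (empty Name)
        _tlv(0x30, b""),                                                    # subjectPublicKeyInfo placeholder
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def demo():
    """Run the check against constructed certificates at a fixed 'now' (2008-10-08)."""
    now = dt.datetime(2008, 10, 8, tzinfo=dt.timezone.utc)
    expired = build_test_cert(dt.datetime(2007, 1, 1), dt.datetime(2008, 1, 1))
    valid = build_test_cert(dt.datetime(2008, 1, 1), dt.datetime(2009, 1, 1))
    future = build_test_cert(dt.datetime(2009, 1, 1), dt.datetime(2010, 1, 1))
    return {
        "expired": check_client_cert(expired, now),
        "valid": check_client_cert(valid, now),
        "future": check_client_cert(future, now),
        "expired_not_after_year": certificate_validity(expired)[1].year,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it reports the expired skeleton as `expired` and the current one as `ok`; the only subtlety worth noting is the UTCTime two-digit year pivot, which is why a GeneralizedTime path is kept alongside it.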
-----Original Message-----
From: Alon Bar-Lev [mailto:[email protected]]
Sent: Tuesday, 07 October, 2008 16:56
To: Jason R. Coombs
Cc: Faidon Liambotis; [email protected]
Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)
Binaries are at [1].
It is not enough to test it on client, we need to verify that the
validation works correctly on both ends, as capi has different policy
for servers and clients.
Alon.
[1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-1.tar.bz2
On 10/7/08, Jason R. Coombs <[email protected]> wrote:
> Faidon,
>
> If you send me a binary build for Windows 32-bit, I'll test it against
> expired and revoked certs. I presume I don't need a server configured for
> this test; it should fail client side before attempting to connect?
>
>
> Jason
>
>
> -----Original Message-----
> From: Faidon Liambotis [mailto:[email protected]]
> Sent: Tuesday, 07 October, 2008 15:53
> To: Alon Bar-Lev
> Cc: Jason R. Coombs; [email protected]
> Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)
>
>
> Hi,
>
> Alon Bar-Lev wrote:
> > On 9/27/08, Alon Bar-Lev <[email protected]> wrote:
> >> I prefer to receive patches...
> >> Anyway, this is not exactly what I meant.
> >> Please review latest head.
> >> I did not test this, but it should be correct now as far as the
> >> changes are concerned.
> >> It may not work as the validation process was never tested.
> >
> > Any news?
> Thanks for reviving this. I built it and tried it and seems to work.
> I didn't test with revoked or expired certificates, however.
>
> As for warnings there's just a trivial one:
> cryptoapi.c:429: warning: passing arg 2 of `d2i_X509' from incompatible pointer type
>
> Regards,
> Faidon
>
> _______________________________________________
> Openvpn-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
