Alon, I've tested the client functionality and the basic functionality works great (not testing against expired or revoked certificates).
I then created a test for expired certs (incorrectly) by specifying an expired _client_ certificate. Curiously, OpenVPN did not complain about the expired client certificate, but rather proceeded to attempt a connection with it (which subsequently failed to establish TLS, I suspect because the server didn't have the corresponding public cert). So I think I may have discovered a limitation of the pre-existing cryptoapicert function.

So to recap:

- Cryptoapicert client mode: fails to verify expired cert.
- Cryptoapica client mode: works!
- Cryptoapica client mode expired/revoked cert: untested
- Cryptoapica server mode: untested

I'm in a conference this week, but will continue to test as time permits.

Jason

-----Original Message-----
From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
Sent: Tuesday, 07 October, 2008 16:56
To: Jason R. Coombs
Cc: Faidon Liambotis; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)

Binaries are at [1].
It is not enough to test it on client, we need to verify that the validation works correctly on both ends, as capi has different policy for servers and clients.

Alon.

[1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-1.tar.bz2

On 10/7/08, Jason R. Coombs <jar...@jaraco.com> wrote:
> Faidon,
>
> If you send me a binary build for Windows 32-bit, I'll test it against expired
> and revoked certs. I presume I don't need a server configured for this test;
> it should fail client side before attempting to connect?
>
> Jason
>
> -----Original Message-----
> From: Faidon Liambotis [mailto:parav...@debian.org]
> Sent: Tuesday, 07 October, 2008 15:53
> To: Alon Bar-Lev
> Cc: Jason R. Coombs; openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH
> v3] Use CryptoAPI CA store)
>
> Hi,
>
> Alon Bar-Lev wrote:
> > On 9/27/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> >> I prefer to receive patches...
> >> Anyway, this is not exactly what I meant.
> >> Please review latest head.
> >> I did not test this, but it should be correct now as far as the
> >> changes are concerned.
> >> It may not work as the validation process was never tested.
> >
> > Any news?
> Thanks for reviving this. I built it and tried it and it seems to work.
> I didn't test with revoked or expired certificates, however.
>
> As for warnings there's just a trivial one:
> cryptoapi.c:429: warning: passing arg 2 of `d2i_X509' from
> incompatible pointer type
>
> Regards,
> Faidon