Hello,

Alon Bar-Lev wrote:
Thank you for the patch. I am more in favor of adding OCSP support into OpenVPN. It should be very easy using OpenSSL trunk. Also available at [1]. So if you can help perfecting this patch it would be a step in the right direction.

[1] http://www.block64.net/
I think it is not as flexible as Mathieu's patch. For example, a certificate or a CA can provide its own "Authority Information Access" (via an X.509 extension) with the URL of a preferred OCSP server... Managing this kind of configuration inside OpenVPN is not easy.

The "--tls-export-cert" option (proposed by Mathieu) puts the complexity in a script, where you are only limited by your imagination: OCSP is an example, but you can also think about OCSP with fallback, SCVP, revocation with delta CRLs, checks against an NSS database, etc. Think about blacklists, too... We cannot integrate all these cases directly in OpenVPN. An external system (as for all other scripts in OpenVPN) provides a very efficient solution.

Just my 2 cents.

-- 
Thomas NOEL <thomas.n...@auf.org> http://www.auf.org/
Technical infrastructure coordinator
IT resources administration
Agence universitaire de la Francophonie (AUF)
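A sketch of the kind of external check Thomas describes, as an added example that is not part of this thread or of Mathieu's patch: a --tls-verify script that reads the certificate exported by --tls-export-cert, asks the OCSP responder named in the certificate's AIA extension, and falls back to a local CRL only when no trustworthy OCSP answer is obtained. It assumes OpenVPN passes depth and subject as $1/$2 and the exported certificate path in $peer_cert; CA_FILE and CRL_FILE are paths chosen for this example.

```shell
#!/bin/sh
# Added example (not from this thread): OpenVPN --tls-verify script doing an OCSP check
# on the peer certificate exported by --tls-export-cert, with CRL fallback when the
# responder cannot be reached. Fails closed on anything but a verified "good".
# Assumptions: $1 = depth, $2 = subject, $peer_cert = exported cert path (set by OpenVPN);
# CA_FILE holds the single CA that issued the leaf, CRL_FILE its CRL (example paths).
CA_FILE="${CA_FILE:-/etc/openvpn/ca.crt}"
CRL_FILE="${CRL_FILE:-/etc/openvpn/crl.pem}"

# Map `openssl ocsp` output (stdout and stderr) to one word: good | revoked | unknown | error.
# Exit status is 0 only for "good"; a response whose signature did not verify is never trusted.
ocsp_verdict() {
    case "$1" in
        *"Response verify OK"*) ;;                 # responder signature checked against CA_FILE
        *) echo error; return 1 ;;
    esac
    case "$1" in
        *": good"*)    echo good;    return 0 ;;
        *": revoked"*) echo revoked; return 1 ;;
        *": unknown"*) echo unknown; return 1 ;;
        *)             echo error;   return 1 ;;
    esac
}

# Constructed sample of responder output in the format openssl prints (for the self-test only).
SAMPLE_GOOD="Response verify OK
/tmp/openvpn/cert.pem: good
    This Update: Jan  1 00:00:00 2024 GMT"

check_peer() {
    depth="$1"; subject="$2"
    [ "$depth" -eq 0 ] || return 0                 # only the leaf certificate is checked here
    [ -r "${peer_cert:-}" ] || { echo "tls-verify: no exported cert for $subject" >&2; return 1; }
    uri=$(openssl x509 -in "$peer_cert" -noout -ocsp_uri)
    [ -n "$uri" ] || { echo "tls-verify: no OCSP URL in AIA of $subject" >&2; return 1; }
    out=$(openssl ocsp -issuer "$CA_FILE" -CAfile "$CA_FILE" -cert "$peer_cert" -url "$uri" 2>&1)
    verdict=$(ocsp_verdict "$out") && return 0
    echo "tls-verify: OCSP result '$verdict' for $subject" >&2
    # Fall back to the CRL only when no trustworthy answer was obtained; revoked/unknown stands.
    [ "$verdict" = error ] && [ -r "$CRL_FILE" ] || return 1
    openssl verify -CAfile "$CA_FILE" -CRLfile "$CRL_FILE" -crl_check "$peer_cert" >/dev/null 2>&1
}

# OpenVPN invokes the script with two arguments; with none, only the functions are defined.
if [ $# -ge 2 ]; then check_peer "$1" "$2"; exit $?; fi
```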