Alon Bar-Lev wrote:
I think all the above can be implemented as logic in an OCSP responder... OpenVPN needs a standard way to forward the certificate. Standard == OCSP
It's not easy to configure an OCSP responder with specific logic...
If a simple script-based OCSP is out there, then all you need is solved.
All I need is solved with Mathieu's patch: in the tls-verify script, I can check an OCSP responder; if it does not respond, try another; if none respond, check deltaCRL+CRL... I can even send a mail in case of a detected intrusion ;)

That's why I prefer a "general script for TLS verification" instead of just an OCSP verification. But in fact, both patches (OCSP-system and script-system) are complementary. CRL (current system) and OCSP can resolve a lot of situations, script-system can resolve all others... Such an extended verification system would be a nice feature of OpenVPN (I could say: another "killer feature"? ;) )

Cheers,

--
Thomas NOEL <thomas.n...@auf.org> http://www.auf.org/
Technical Infrastructure Coordinator
IT Resources Administration
Agence universitaire de la Francophonie (AUF)
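The verification chain Thomas describes (try each OCSP responder in turn, fall back to CRL plus delta CRL when none answers, alert on a revoked certificate) as an added example of an OpenVPN `--tls-verify` script. This is not Mathieu's patch nor any code from the thread; it assumes the script is invoked as `script <depth> <subject>`, that OpenVPN exports the peer certificate file path in the `peer_cert` environment variable (as `--tls-export-cert` does in later releases), and that the CA, CRL, responder URLs and mail address are placeholders to be replaced. An `unknown` OCSP answer is treated like no answer, so the next responder and then the CRL are consulted.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify script with OCSP responder failover,
# CRL (+ delta CRL) fallback and an alert on revocation. All paths, URLs and
# the mail address below are placeholders (assumptions, not from the thread).

CA_FILE="${CA_FILE:-/etc/openvpn/ca.crt}"
CRL_FILE="${CRL_FILE:-/etc/openvpn/crl.pem}"
DELTA_CRL_FILE="${DELTA_CRL_FILE:-/etc/openvpn/delta-crl.pem}"   # optional
OCSP_URLS="${OCSP_URLS:-http://ocsp1.example.invalid http://ocsp2.example.invalid}"
ALERT_MAIL="${ALERT_MAIL:-security@example.invalid}"

log() { echo "tls-verify: $*" >&2; }

# Alert path for a suspected intrusion: log, and mail if a mailer is present.
alert() {
    log "ALERT: $*"
    if command -v mail >/dev/null 2>&1; then
        echo "$*" | mail -s "openvpn tls-verify alert" "$ALERT_MAIL"
    fi
}

# ocsp_check CERT URL: prints good|revoked|unknown and returns 0 when the
# responder answered with a response that verifies against CA_FILE;
# returns 1 when it is unreachable or the response does not verify.
ocsp_check() {
    cert="$1"; url="$2"
    out=$(openssl ocsp -issuer "$CA_FILE" -CAfile "$CA_FILE" -cert "$cert" \
          -url "$url" -timeout 5 2>&1)
    case "$out" in
        *"Response verify OK"*) ;;          # signature and chain of the response checked
        *) return 1 ;;
    esac
    case "$out" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *)             echo unknown ;;
    esac
}

# crl_check CERT: returns 0 if CERT is not on the CRL (delta CRL merged in
# when present), non-zero if it is revoked or the CRL cannot be checked.
crl_check() {
    cert="$1"
    tmp=$(mktemp) || return 1
    cat "$CRL_FILE" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -r "$DELTA_CRL_FILE" ] && cat "$DELTA_CRL_FILE" >> "$tmp"
    openssl verify -crl_check -use_deltas -CAfile "$CA_FILE" -CRLfile "$tmp" \
        "$cert" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# verify_peer DEPTH SUBJECT: the decision logic. Only the leaf (depth 0) is
# checked for revocation; chain validity against --ca is OpenVPN's job.
verify_peer() {
    depth="$1"; subject="$2"
    [ "$depth" -eq 0 ] || return 0
    cert="${peer_cert:-}"
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        log "no peer certificate exported for $subject"
        return 1
    fi
    for url in $OCSP_URLS; do
        if status=$(ocsp_check "$cert" "$url"); then
            case "$status" in
                good)    return 0 ;;
                revoked) alert "revoked certificate presented: $subject (responder $url)"
                         return 1 ;;
                *)       log "responder $url does not know $subject, trying next" ;;
            esac
        else
            log "responder $url unreachable or response unverifiable"
        fi
    done
    # No responder gave a verdict: fall back to deltaCRL+CRL.
    if crl_check "$cert"; then
        return 0
    fi
    alert "certificate rejected by CRL check: $subject"
    return 1
}

# Entry point when OpenVPN runs us as "script <depth> <subject>".
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

Reject (non-zero exit) is the default whenever nothing positively vouches for the certificate, so a misconfigured responder list degrades to the CRL path rather than to an open door; the script is read-only apart from the alert mail.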