Victor Wagner wrote:
On 2009.11.11 at 09:40:59 +0100, David Sommerseth wrote:
On 10/11/09 17:16, Till Maas wrote:
I would like to get a notification in case a client certificate that is
about to expire soon is used for a connection to an OpenVPN server. Is
there currently a way to do this? I looked into the tls-verify hook, but
according to the documentation only the Subject line of a certificate
is available, not the validity. Is there maybe a way to log the
expiration dates?
I don't think this is possible without patching openvpn to put these
values into some environment variables for the --tls-verify hook. I've
done something similar with regard to the SHA1 fingerprint for my own
project (I have had an OpenVPN patch pending since RC7). But I'd be
willing to carry such a feature in my eurephia patch for OpenVPN, as
that sounds very useful.
Apache/mod_ssl does export the entire certificate in PEM format as an
environment variable. So maybe openvpn should do the same?
Now various people are patching openvpn to add some values:
you've added the SHA1 fingerprint, I've added the certificate extension
subjectAltName, et cetera, et cetera.
But if the entire certificate were available, it would be possible to
extract any information from it (or hash it with any algorithm) from the
script using the openssl command line utility or some binding of the
OpenSSL libraries to the chosen script language.
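The approach Victor describes, as an added example that is not part of this thread and not OpenVPN's own code: a --tls-verify script that, given the whole peer certificate, pulls out the expiry (Till's request), the SHA-1 fingerprint (David's patch) and subjectAltName (Victor's patch) with nothing but the openssl command line, and logs a warning when the certificate expires within a configurable window. The interface is assumed: the script expects the server to export the PEM certificate in an environment variable named peer_cert_pem, or a path to it in peer_cert. Later OpenVPN releases added a --tls-export-cert option that writes the peer certificate to a file and names it in a peer_cert variable; the script uses that name, but check the man page of the version you run rather than taking it from here. What is documented behaviour of the hook and not an assumption: OpenVPN calls the script once per certificate in the chain with the depth as the first argument (0 for the client's own certificate) and the X.509 subject as the second, and a non-zero exit status rejects the connection.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenVPN's own code.
# Assumed (hypothetical) interface: the peer certificate arrives as PEM text
# in $peer_cert_pem, or as a file path in $peer_cert. OpenVPN itself runs
# the script as:  <script> <depth> <x509 subject>

WARN_DAYS=${WARN_DAYS:-30}   # warn when the client cert expires within this many days

# Log via syslog when available, otherwise to stderr (keeps the script usable in tests).
log() {
    logger -t tls-verify "$*" 2>/dev/null || printf 'tls-verify: %s\n' "$*" >&2
}

# Exit status 0 if the certificate in file $1 expires within $2 days (or has
# already expired). openssl's -checkend returns 0 only while the certificate
# stays valid for the whole window, so the sense is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# notAfter of the certificate in file $1, in openssl's own date format.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Subject of the certificate in file $1 (format differs between openssl versions).
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Colon-separated SHA-1 fingerprint of the DER encoding of the certificate in file $1.
cert_sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*Fingerprint=//'
}

# subjectAltName entries of the certificate in file $1; empty when the extension is absent.
# Parsed from -text output rather than -ext so it also works with older openssl.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Entry point in the shape OpenVPN uses for --tls-verify.
tls_verify() {
    depth=$1
    subject=$2
    [ "$depth" -eq 0 ] || return 0      # only the client's own (leaf) certificate is of interest

    if [ -n "${peer_cert_pem:-}" ]; then
        certfile=$(mktemp) || return 1
        printf '%s\n' "$peer_cert_pem" > "$certfile"
        trap 'rm -f "$certfile"' EXIT
    elif [ -n "${peer_cert:-}" ]; then
        certfile=$peer_cert
    else
        log "no peer certificate exported for '$subject'"
        return 0                         # a logging feature should not block logins
    fi

    log "client '$subject' sha1=$(cert_sha1_fingerprint "$certfile") san='$(cert_san "$certfile")' notAfter='$(cert_not_after "$certfile")'"

    if cert_expires_within "$certfile" "$WARN_DAYS"; then
        log "WARNING: certificate of '$subject' expires within $WARN_DAYS days"
    fi
    return 0   # accept; the trust decision itself stays with --ca verification
}

# Run only when invoked by OpenVPN with its two arguments; sourcing the file
# for the helper functions alone does nothing.
if [ "$#" -ge 2 ]; then
    tls_verify "$@"
    exit $?
fi
```

Two practical points. The script exits 0 on every path except a failed mktemp, because a certificate that is merely close to expiry is still valid and the purpose here is notification, not enforcement; if you do want to refuse such clients, return 1 from the cert_expires_within branch. And the subject passed as $2 by OpenVPN is used only for logging: the fingerprint and expiry come from the certificate itself, so a renewed certificate with the same subject is told apart from the old one.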
OK, I try once again. Maybe the solution is here:
http://article.gmane.org/gmane.network.openvpn.devel/2492