On 11/11/09 12:06, Mathieu GIANNECCHINI wrote:
> Victor Wagner wrote:
>> On 2009.11.11 at 09:40:59 +0100, David Sommerseth wrote:
>>
>>> On 10/11/09 17:16, Till Maas wrote:
>>>> I would like to get a notification in case a client certificate is used
>>>> for a connection to an OpenVPN server, that is about to expire soon. Is
>>>> there currently a way to do this? I looked into the tls-verify hook, but
>>>> according to the documentation, only the Subject line of a certificate
>>>> is available and not the validity. Is there maybe a way to log the
>>>> expiration dates?
>>> I don't think this is possible without patching openvpn to put these
>>> values into some environment variables for the --tls-verify hook.  I've
>>> done something similar in regards to the SHA1 fingerprint for my own
>>> project (I have had an OpenVPN patch pending since RC7).  But I'd be
>>> willing to carry such a feature in my eurephia patch for OpenVPN, as
>>> that sounds very useful.
>>
>> Apache/mod_ssl does export the entire certificate in PEM format as an
>> environment variable. So maybe openvpn should do the same?
>>
>> Now various people are patching openvpn to add some values:
>> you've added the sha1 fingerprint, I've added the certificate extension
>> subjectAltName, et cetera, et cetera.
>>
>> But if the entire certificate were available, it would be possible to
>> extract any information from it (or hash it with any algorithm) from the
>> script using the openssl command line utility or some binding of the OpenSSL
>> libraries to the chosen script language.
> 
> Ok, I try once again. Maybe the solution is here:
> http://article.gmane.org/gmane.network.openvpn.devel/2492

Indeed!  And you're about to get my vote for this implementation ... but
I have two concerns.

1) The certificate is first dumped to a file.  Would it be possible to
pass it only via the environment table, to avoid the file stage?  The reason
for this is primarily security (not to write more to disk than what you
really need on disk), and secondarily SELinux: by avoiding writing data
to disk you are more sure that SELinux or other MACs will not interfere
and deny the write requests.  This is especially crucial if OpenVPN is
run as a contained user (which most daemons really do).

2) If an attacker sends a certificate chain with his certificate and 999 CA
certificates in it, what will happen?  What happens if the disk
goes full or the certificate cannot be written?


kind regards,

David Sommerseth
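Added example, not code from this thread or from OpenVPN itself: a --tls-verify style hook in the spirit of Victor's suggestion, which assumes the peer certificate arrives as PEM in an environment variable (hypothetical name PEER_CERT_PEM) and uses the openssl CLI to warn when it expires within WARN_DAYS. It inspects only the depth-0 certificate and refuses oversized input, which is one way to limit the damage from the long-chain case David raises.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): --tls-verify hook that reads the
# peer certificate as PEM from PEER_CERT_PEM (hypothetical variable name) and logs
# a warning when it expires within WARN_DAYS.  Requires the openssl CLI.

WARN_DAYS="${WARN_DAYS:-30}"
MAX_PEM_BYTES=16384   # one client certificate is 1-3 KB; refuse anything huge

# check_cert_expiry: reads one PEM certificate on stdin.
# Returns 0 = fine, 1 = expires within WARN_DAYS, 2 = unparseable or oversized,
# 3 = already expired.  Diagnostics go to stderr.
check_cert_expiry() {
    pem=$(cat)
    if [ "${#pem}" -gt "$MAX_PEM_BYTES" ]; then
        echo "refusing oversized certificate input (${#pem} bytes)" >&2
        return 2
    fi
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 2
    enddate=${enddate#notAfter=}
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate already expired (notAfter=$enddate)" >&2
        return 3
    fi
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "certificate expires within $WARN_DAYS days (notAfter=$enddate)" >&2
        return 1
    fi
    return 0
}

# tls_verify_hook DEPTH SUBJECT: OpenVPN runs --tls-verify once per certificate in
# the chain; depth 0 is the client's own certificate and the only one inspected,
# so a long CA chain does not multiply the work.  Status 0 accepts the connection.
tls_verify_hook() {
    depth=$1; subject=$2
    [ "$depth" = 0 ] || return 0
    printf '%s\n' "$PEER_CERT_PEM" | check_cert_expiry
    case $? in
        0) return 0 ;;
        1) echo "WARNING: $subject should be renewed soon" >&2; return 0 ;;  # accept, but notify
        *) echo "rejecting $subject" >&2; return 1 ;;
    esac
}

# When installed as --tls-verify, OpenVPN passes DEPTH and SUBJECT as arguments.
if [ $# -ge 2 ]; then tls_verify_hook "$@"; exit $?; fi
```

The sample run in the test below generates a throwaway self-signed certificate with openssl; in production the warning line would be routed to whatever alerting the server already uses.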
