On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote:

> 1) The certificate is first dumped to file.  Would it be possible to
> pass it only via environment table, to avoid the file stage?  The reason
> for this is primarily security (not to write more to disk than what you
> really need on disk), and secondarily - SELinux - avoiding writing data
> to disk you are more sure that SELinux or other MACs will not interfere
> and deny the write requests.  This is especially crucial if OpenVPN is
> run as a contained user (which most daemons really do).

As far as I understand the tls-verify option, the script will be run
once for every certificate in the chain. Therefore just passing the
cert to stdin of the script should be a feasible solution.

> 2) If an attacker sends a certificate with his certificate and 999 CA
> certificates in a chain, what will happen?  What happens if the disk
> goes full or the certificate cannot be written?

According to the manpage, the tls-verify script won't be executed,
because the attacker already needs to have passed all other verification
steps except the check against the CRL list.

Regards
Till
