On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote:

> 1) The certificate is first dumped to file. Would it be possible to
> pass it only via environment table, to avoid the file stage? The reason
> for this is primarily security (not to write more to disk than what you
> really need on disk), and secondarily - SELinux - avoiding writing data
> to disk you are more sure that SELinux or other MACs will not interfere
> and deny the write requests. This is especially crucial if OpenVPN is
> run as a contained user (which most daemons really do)
As far as I understand the tls-verify option, the script will be run once for every certificate in the chain. Therefore just passing the cert to stdin of the script should be a feasible solution.

> 2) If an attacker sends a certificate with his certificate and 999 CA
> certificates in a chain, what will happen? What happens if the disk
> goes full or the certificate cannot be written?

According to the manpage, the tls-verify script won't be executed, because the attacker already needs to have passed all other verification steps except the check against the CRL list.

Regards
Till
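As an added illustration of the stdin approach proposed above (this is not the patch under discussion and not OpenVPN's own code), the following tls-verify style hook takes the PEM certificate on stdin instead of from a temporary file, so nothing is written to disk, and fails closed on the edge cases raised in the thread: an empty or oversized certificate, an unexpectedly deep chain, and a leaf subject outside an allow list. OpenVPN's documented tls-verify interface passes the depth as the first argument and the X509 subject as the second; delivering the certificate on stdin is the assumption from this thread, and the policy values and the allowed CN list are constructed for the example.

```shell
#!/bin/sh
# Added example: a tls-verify hook that reads the certificate from stdin.
# Assumed interface: $1 = certificate depth, $2 = X509 subject string
# (OpenVPN's documented tls-verify arguments); the PEM on stdin is the
# delivery mechanism proposed in the thread, not a stock OpenVPN feature.

MAX_DEPTH=3             # constructed policy: refuse unusually long chains
MAX_CERT_CHARS=16384    # constructed policy: bound what we buffer in memory
ALLOWED_CNS="client1 client2"   # constructed allow list for depth-0 leaf certs

# verify_cert DEPTH SUBJECT  (certificate PEM on stdin)
# Returns 0 to accept the certificate, 1 to reject it. Never touches disk.
verify_cert() {
    depth=$1
    subject=$2

    # Depth must be a non-negative integer within policy.
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$depth" -le "$MAX_DEPTH" ] || return 1

    # Read at most MAX_CERT_CHARS+1 bytes so an oversized body is detected
    # without buffering an arbitrarily large input.
    cert=$(head -c $((MAX_CERT_CHARS + 1)))
    [ -n "$cert" ] || return 1
    [ "${#cert}" -le "$MAX_CERT_CHARS" ] || return 1

    # Require proper PEM framing; anything else is rejected outright.
    case "$cert" in
        "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
        *) return 1 ;;
    esac

    # Only the leaf (depth 0) is checked against the CN allow list;
    # intermediate and root certificates have already passed chain
    # validation before this hook runs.
    [ "$depth" -eq 0 ] || return 0

    # Accept both "/C=US/CN=name" and "C=US, CN=name" subject formats.
    cn=$(printf '%s' "$subject" | sed -n 's/.*CN=\([^,/]*\).*/\1/p')
    [ -n "$cn" ] || return 1
    for allowed in $ALLOWED_CNS; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

# When invoked directly by OpenVPN with the two documented arguments,
# run the check and use its result as the exit status.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

The function reads stdin exactly once and holds the certificate only in a shell variable, which is the property the thread is after: no temporary file to fill the disk, and nothing for a MAC policy to deny. The depth bound is a cheap defence-in-depth check on top of the chain validation OpenVPN performs before calling the hook.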