On 12/11/09 12:51, Till Maas wrote:
> On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote:
>
>> 1) The certificate is first dumped to file. Would it be possible to
>> pass it only via environment table, to avoid the file stage? The reason
>> for this is primarily security (not to write more to disk than what you
>> really need on disk), and secondarily - SELinux - avoiding writing data
>> to disk you are more sure that SELinux or other MACs will not interfere
>> and deny the write requests. This is especially crucial if OpenVPN is
>> run as a contained user (which most daemons really do)
>
> As far as I understand the tls-verify option, the script will be run
> once for every certificate in the chain. Therefore just passing the
> cert to stdin of the script should be a feasible solution.
But this will not work for --plugin. A plug-in written in C will not
have access to stdin/stdout for such exchanges. That's my concern.

>> 2) If an attacker sends a certificate with his certificate and 999 CA
>> certificates in a chain, what will happen? What happens if the disk
>> goes full or the certificate cannot be written?
>
> According to the manpage, the tls-verify script won't be executed,
> because the attacker already needs to have passed all other verification
> steps except the check against the CRL list.

True! I didn't think about that when I thought about this scenario, but
this really covers it.

kind regards,

David Sommerseth
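To make the stdin proposal concrete, here is an added example of a tls-verify hook that never touches the disk; it is not code from this thread or from OpenVPN. It assumes the certificate PEM arrives on stdin as Till suggests (OpenVPN's own interface at the time writes it to a file), keeps the real argument convention of depth and subject, and uses a constructed byte string in place of a real DER certificate. The size and depth bounds answer the "huge chain / full disk" worry directly: bad input is rejected before anything is stored.

```python
import base64
import hashlib
import re
import sys

# A single X.509 certificate in PEM form is a few KB; anything larger is
# treated as hostile input and refused without being parsed or stored.
MAX_PEM_BYTES = 16 * 1024
MAX_DEPTH = 1  # peer cert (0) plus one issuing CA; longer chains are refused

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: bytes) -> bytes:
    """Extract the first PEM certificate body from pem and decode it to DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate found on stdin")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def verify(pem: bytes, depth: int, allowed_peers: set) -> bool:
    """Accept or reject one certificate of the chain, in memory only.
    depth is the chain depth OpenVPN passes as the first script argument
    (0 = the peer's own certificate); allowed_peers is a set of hex
    SHA-256 fingerprints of peer certificates that may connect."""
    if depth > MAX_DEPTH or len(pem) > MAX_PEM_BYTES:
        return False
    try:
        der = pem_to_der(pem)
    except ValueError:
        return False
    if depth == 0:
        return fingerprint(der) in allowed_peers
    # CA certificates at depth > 0 already passed OpenVPN's --ca check, as the
    # thread notes; nothing extra is enforced on them here.
    return True

# Constructed stand-in: NOT a real DER certificate, only bytes to exercise the code.
SAMPLE_DER = b"constructed stand-in bytes, not a real DER certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def main() -> int:
    """Entry point when run by OpenVPN: argv[1] = depth, argv[2] = subject."""
    depth = int(sys.argv[1])
    pem = sys.stdin.buffer.read(MAX_PEM_BYTES + 1)  # bounded read, never to disk
    allowed = {fingerprint(SAMPLE_DER)}  # placeholder allowlist; load from config
    return 0 if verify(pem, depth, allowed) else 1

if __name__ == "__main__":
    sys.exit(main())
```

OpenVPN treats a non-zero exit status from the tls-verify command as a rejection, which is why main() maps the boolean onto 0 and 1.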