Hi Gert, Steffan and David! There is a sample HTTP (SSO) OpenVPN plugin with http-client.py and http-server.py scripts based on OpenVPN's RFC-5705 support.
OpenVPN plugin examples.
Daniel Kubec <n...@rtfm.cz>

Examples provided:

  sso.c -- HTTP (SSO) Example based on TLS Keying Material Exporters [RFC-5705]
           (openvpn/doc/keying-material-exporter.txt)

  Requires: OpenVPN RFC-5705 Support, OpenSSL >= 1.0.1

  Files:
    http-server.py  -- Example HTTP Server listen 0.0.0.0:8080
    http-client.py  -- Example HTTP Client connect 10.8.0.1:8080 [GET /$SESSIONID]
    server.ovpn     -- Example HTTP SSO VPN Server configuration
    client.ovpn     -- Example HTTP SSO VPN Client configuration
    sso.c, sso.so   -- Example OpenVPN Client and Server plugin

To build:

  ./build sso

To use in OpenVPN:

  Enter openvpn/sample/sample-plugins/sso directory

  $ openvpn --config ./server.ovpn
  $ openvpn --config ./client.ovpn
  $ ./http-server.py
  $ ./http-client.py

Test:

openvpn --config ./server.ovpn
##############################
PLUGIN SSO: app session created
PLUGIN_CALL: POST ./sso.so/PLUGIN_TLS_VERIFY status=0
PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd
PLUGIN SSO: app session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd
PLUGIN SSO: app session user: Test-Client

openvpn --config ./client.ovpn
##############################
PLUGIN SSO: app session created
PLUGIN_CALL: POST ./sso.so/PLUGIN_TLS_VERIFY status=0
PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd
PLUGIN SSO: app session file: /tmp/openvpn_sso_user
PLUGIN_CALL: POST ./sso.so/PLUGIN_TLS_FINAL status=0

HTTP_SERVER: http-server.py
################
http server started
session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd
10.8.0.1 - - [02/Apr/2015 15:03:33] "GET /a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP/1.1" 200 -
session user: Test-Client
session key: a5885abc84d361803f58ede1ef9c0adf99e720cd

HTTP_SERVER: http-client.py
<html><body><h1>Greetings Test-Client. You are authorized</h1></body></html>

On 10 March 2015 at 09:08, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Mon, Mar 09, 2015 at 08:46:10PM +0100, daniel kubec wrote:
>> It is nothing more than generating the same keying material for client and
>> server plugins (OPENVPN_PLUGIN_TLS_FINAL callback)
>> without the need of transferring that key through the (D)TLS channel and/or app
>> layer.
>
> Why is it so hard to describe a good use case along the lines of what
> I described here?
>
>> On 9 March 2015 at 20:02, Gert Doering <g...@greenie.muc.de> wrote:
> [..]
>> > No code needed. Just describe the parts that would be needed to make
>> > this work - like "on the server, you need a plugin that talks to
>> > foobar service to get a blinkenlight, on the client, you need a plugin
>> > that uses EKM to make the light blink, via..."
> [..]
>
> You have written a lot of crypto speak, and added a bit of handwaving why
> this is totally useful - but no specific example, how the bits and pieces
> have to be combined to make it work.
>
> Of course, single-sign-on would be extremely great - but I lack the crypto
> background (or the imagination) to see how this could be implemented using
> EKM - so, please explain it to us.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Attachment: openvpn-rfc5705-sample.patch
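The SSO flow the README above describes (both plugins export the same RFC 5705 keying material in the TLS_FINAL callback, the server records it under /tmp/openvpn_sso_<key>, and the client presents it as GET /$SESSIONID), as an added Python example that is not the attached sso.c, http-server.py or http-client.py. It assumes a TLS 1.2 handshake, a constructed exporter label, a constructed master secret and randoms standing in for the real session, and a temporary directory in place of /tmp; the exporter itself is implemented from RFC 5246/5705 rather than taken from OpenSSL.

```python
import hashlib
import hmac
import os
import re
import tempfile

LABEL = b"EXPORTER-OpenVPN-SSO-example"  # constructed exporter label, not the plugin's own


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) instantiated with P_SHA256."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def export_keying_material(master_secret, client_random, server_random, label, length):
    """RFC 5705 exporter without context: PRF(master_secret, label, client_random || server_random)."""
    return tls12_prf(master_secret, label, client_random + server_random, length)


def server_plugin_tls_final(session_dir, ekm, common_name):
    """Server-side TLS_FINAL: record which user owns this exported key (the README's /tmp/openvpn_sso_<key>)."""
    key = ekm.hex()
    with open(os.path.join(session_dir, f"openvpn_sso_{key}"), "w") as f:
        f.write(common_name)
    return key


def http_server_lookup(session_dir, session_key):
    """http-server.py side of GET /<session_key>: map the key back to a user, or None if unknown."""
    if not re.fullmatch(r"[0-9a-f]{40}", session_key):  # only a 20-byte hex key may name a file
        return None
    try:
        with open(os.path.join(session_dir, f"openvpn_sso_{session_key}")) as f:
            return f.read()
    except FileNotFoundError:
        return None


def run_sso_demo():
    """Simulated handshake: both ends share master secret and randoms, so both export the same key."""
    master_secret, c_rand, s_rand = b"\x11" * 48, b"\x22" * 32, b"\x33" * 32  # constructed values
    session_dir = tempfile.mkdtemp()
    server_ekm = export_keying_material(master_secret, c_rand, s_rand, LABEL, 20)
    client_ekm = export_keying_material(master_secret, c_rand, s_rand, LABEL, 20)
    key = server_plugin_tls_final(session_dir, server_ekm, "Test-Client")
    user = http_server_lookup(session_dir, client_ekm.hex())  # what http-client.py's GET yields
    forged = http_server_lookup(session_dir, "0" * 40)        # a key no handshake produced
    return key == client_ekm.hex(), user, forged
```

Nothing secret crosses the HTTP hop: the key is only ever derived on each end from the TLS master secret, so a client that never completed the VPN handshake cannot produce a session file name that the server will find.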