On 24/08/15 18:54, Boris Lytochkin wrote:
> Hi.
> 
> Author: Boris Lytochkin <lytbo...@yandex-team.ru>
> Sponsored-by: Yandex LLC
> 
> Log serial number of revoked certificate
> 
> In most situations the admin of an OpenVPN server needs to know which
> particular certificate is used by a client.
> When the certificate is OK, an environment variable can be used for
> that, but once it is revoked no user scripts are invoked, so there is no
> way to get the serial number: only the subject is printed in the logs.
> The attached patch addresses this issue by logging the serial number
> directly on the line with the certificate subject.
> 
> Tested with OpenSSL but PolarSSL should be good too.
> 
> Signed-off-by: Boris Lytochkin <lytbo...@yandex-team.ru>

Feature-wise, this makes a lot of sense.  And as Gert has said, the
serial numbers are unique to the CA being used, which fits OpenVPN use
cases well.  The vast majority of OpenVPN installations with PKI use an
internal CA which the admins have full control over.

I have only done a code review and a quick compile with 'make check'.
From that perspective, I can give it an ACK on the code side.  It looks
correct as far as I can understand.  It would be good if Steffan could
give especially the PolarSSL side an extra check, but even that looks
good to me.

I have *not* tested this against a CRL file yet.  I hope I don't jinx it
when I say I think the behaviour in that case will be very predictable.


-- 
kind regards,

David Sommerseth

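The commit message above argues that the serial number, not just the subject, is what an admin needs in the log once a certificate has been revoked. As an added illustration for this thread (not part of the patch and not OpenVPN code), the following Python script pulls the serial number out of a DER-encoded certificate and formats a log line carrying both subject and serial, so that a revoked certificate can still be identified without any user script running. The certificate bytes are constructed inline by a toy DER encoder so the script runs offline; the subject is a bare string standing in for a full X.501 Name, and the "VERIFY ..." wording of the log line is made up for the example rather than copied from OpenVPN.

```python
"""Extract the serial from a DER certificate and log subject plus serial.

Added example for the openvpn-devel thread; not OpenVPN's code.
Assumptions: the subject is a PrintableString stand-in for an X.501 Name,
and only the leading TBSCertificate fields (optional [0] version, serial,
subject stand-in) are encoded.  Log wording is constructed for the example.
"""


def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value):
    # DER INTEGER is two's complement: a positive serial whose top bit is
    # set needs a leading 0x00 so it is not read back as negative.
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def parse_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def make_cert(serial, subject, explicit_version=True):
    """Build a constructed toy certificate: SEQUENCE { SEQUENCE { ... } }."""
    tbs = b""
    if explicit_version:
        tbs += der_tlv(0xA0, der_integer(2))      # [0] EXPLICIT version v3
    tbs += der_integer(serial)                    # serialNumber
    tbs += der_tlv(0x13, subject.encode("ascii"))  # subject stand-in
    return der_tlv(0x30, der_tlv(0x30, tbs))


def cert_fields(cert):
    """Return (serial, subject) from the toy certificate bytes."""
    _, tbs_start, _ = parse_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = parse_tlv(cert, tbs_start)          # tbsCertificate SEQUENCE
    tag, bstart, bend = parse_tlv(cert, pos)
    if tag == 0xA0:                                 # version is OPTIONAL (v1
        tag, bstart, bend = parse_tlv(cert, bend)   # certs omit it), skip it
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02X" % tag)
    # signed=True mirrors DER semantics; a negative serial is a CA bug but
    # still shows up in the wild and should be logged rather than crash.
    serial = int.from_bytes(cert[bstart:bend], "big", signed=True)
    _, sstart, send = parse_tlv(cert, bend)
    return serial, cert[sstart:send].decode("ascii")


def serial_hex(serial):
    """Uppercase hex padded to whole bytes, the usual OpenSSL display form."""
    h = format(abs(serial), "X")
    if len(h) % 2:
        h = "0" + h
    return ("-" if serial < 0 else "") + h


def verify_log(cert, revoked_serials):
    """Produce the log line the patch asks for: subject AND serial, both
    for the OK case and for the revoked case (where no script would run)."""
    serial, subject = cert_fields(cert)
    ident = "subject=%s, serial=%s" % (subject, serial_hex(serial))
    if serial in revoked_serials:
        return "VERIFY ERROR: certificate revoked, " + ident
    return "VERIFY OK: " + ident


if __name__ == "__main__":
    crl_serials = {0x8F12}                       # constructed CRL contents
    for c in (make_cert(0x8F12, "CN=alice"),
              make_cert(7, "CN=bob", explicit_version=False)):
        print(verify_log(c, crl_serials))
```

The two constructed certificates exercise the details that trip up a hand-rolled extractor: the first has a serial with the high bit set (DER inserts a leading zero byte that must not end up in the printed value), the second is a v1-style certificate without the explicit version tag, so the serial is the first element of the TBS sequence.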