Hi David,

On 03-11-16 22:03, David Sommerseth wrote:
> During the review of the CRL improvement patch, I briefly mentioned
> that clients do not disconnect gracefully if the TLS layer does not
> accept the client certificate (like when it is on a CRL).
>
> I have spent some time looking through the code to see what is needed.
> And what is a fairly simple thing seems to get fairly complicated.
> So I'm just starting this discussion to see if we can find some good
> approaches.
>
> The main challenge is that we should use the send_auth_failed()
> function, which takes a struct context object as well as a reason.
>
> [..snip..]
>
> The question is ... does anyone else see a different or better
> approach? Thoughts, comments?
Well, you can't send AUTH_FAILED over the control channel, because there is no control channel, because one of the certs was revoked and the TLS handshake failed.

You do have a valid point that it would be nice to handle revocations more gracefully though. TLS sends a "certificate_revoked" alert if this is the case (see https://tools.ietf.org/html/rfc5246#page-31). It might however be that we close the connection before the TLS lib can send this alert. I'd need to investigate that.

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
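The reply above points at the TLS-level signal that a client would have to look at when no OpenVPN control channel exists: the alert record the server sends when it rejects the client certificate. The following is an added example, not code from this thread or from OpenVPN, that decodes a plaintext TLS alert record as laid out in RFC 5246 (record header of content type, version and length, followed by a two-byte alert body) and classifies the certificate-related alert descriptions. The sample records, the function names and the `classify_alert_record` helper are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS record-layer ContentType for alerts (RFC 5246, section 6.2.1). */
#define TLS_CT_ALERT 21

/* Alert levels (RFC 5246, section 7.2). */
#define TLS_ALERT_WARNING 1
#define TLS_ALERT_FATAL   2

/* Alert descriptions relevant to certificate checks (RFC 5246, section 7.2). */
enum {
    TLS_AD_CLOSE_NOTIFY        = 0,
    TLS_AD_HANDSHAKE_FAILURE   = 40,
    TLS_AD_BAD_CERTIFICATE     = 42,
    TLS_AD_CERTIFICATE_REVOKED = 44,
    TLS_AD_CERTIFICATE_EXPIRED = 45,
    TLS_AD_CERTIFICATE_UNKNOWN = 46,
    TLS_AD_UNKNOWN_CA          = 48
};

struct tls_alert {
    uint8_t level;
    uint8_t description;
};

/* Parse one plaintext TLS alert record. Returns 1 and fills *out on success,
 * 0 if the buffer is not a complete, well-formed alert record. */
int tls_parse_alert(const uint8_t *buf, size_t len, struct tls_alert *out)
{
    if (len < 7)                 return 0;   /* 5-byte header + 2-byte body */
    if (buf[0] != TLS_CT_ALERT)  return 0;   /* not an alert record */
    if (buf[1] != 3)             return 0;   /* major version 3 = SSL3/TLS1.x */
    uint16_t rec_len = (uint16_t)((buf[3] << 8) | buf[4]);
    if (rec_len != 2)            return 0;   /* plaintext alert is exactly 2 bytes */
    out->level = buf[5];
    out->description = buf[6];
    return 1;
}

/* Human-readable name for the alert descriptions handled here. */
const char *tls_alert_name(uint8_t description)
{
    switch (description) {
    case TLS_AD_CLOSE_NOTIFY:        return "close_notify";
    case TLS_AD_HANDSHAKE_FAILURE:   return "handshake_failure";
    case TLS_AD_BAD_CERTIFICATE:     return "bad_certificate";
    case TLS_AD_CERTIFICATE_REVOKED: return "certificate_revoked";
    case TLS_AD_CERTIFICATE_EXPIRED: return "certificate_expired";
    case TLS_AD_CERTIFICATE_UNKNOWN: return "certificate_unknown";
    case TLS_AD_UNKNOWN_CA:          return "unknown_ca";
    default:                         return "other";
    }
}

/* 1 if the alert means the peer rejected the certificate we presented. */
int tls_alert_is_cert_rejection(uint8_t description)
{
    return description == TLS_AD_BAD_CERTIFICATE
        || description == TLS_AD_CERTIFICATE_REVOKED
        || description == TLS_AD_CERTIFICATE_EXPIRED
        || description == TLS_AD_CERTIFICATE_UNKNOWN
        || description == TLS_AD_UNKNOWN_CA;
}

/* Convenience wrapper: the alert description, or -1 if not a parseable alert. */
int classify_alert_record(const uint8_t *buf, size_t len)
{
    struct tls_alert a;
    if (!tls_parse_alert(buf, len, &a))
        return -1;
    return a.description;
}

/* Constructed sample records (not captured traffic). */
const uint8_t SAMPLE_REVOKED[7]   = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x2c}; /* fatal, 44 */
const uint8_t SAMPLE_TRUNCATED[6] = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02};       /* body cut short */
const uint8_t SAMPLE_HANDSHAKE[7] = {0x16, 0x03, 0x03, 0x00, 0x02, 0x02, 0x2c}; /* ContentType 22, not an alert */

int main(void)
{
    struct tls_alert a;
    if (tls_parse_alert(SAMPLE_REVOKED, sizeof SAMPLE_REVOKED, &a)) {
        printf("alert level=%u description=%u (%s), cert rejection=%d\n",
               a.level, a.description, tls_alert_name(a.description),
               tls_alert_is_cert_rejection(a.description));
    }
    printf("truncated record parses: %d\n",
           classify_alert_record(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The parser only covers the plaintext case, which is where a TLS 1.2 server's rejection of a client certificate lands: the server verifies the client's Certificate message before any ChangeCipherSpec, so the alert goes out unencrypted. In TLS 1.3 the client certificate and the server's alert are both sent under handshake encryption, so the same classification has to be done on the decrypted alert handed back by the TLS library rather than on raw record bytes.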