On 06/10/17 08:58, Илья Шипицин wrote:
> Hello,
>
> I used to run openvpn in login/password mode for years.
> Now I'm getting a working certificate setup.
>
>
> What I found strange about revoked certificates ... from the client's point of
> view it looks like any other "tls key negotiation timeout".
>
> Is there a way to signal the user "hey, your key is revoked"?
Nope, not in the current implementation and design. To be able to signal that, you need to have an established connection. And that cannot be done unless the client provides a valid certificate. If the certificate is invalid (issued by the wrong CA, expired, revoked), the server just drops the ball.

Perhaps we could look into adding a new OPCODE which could signal connection errors. But that needs to be very carefully implemented so we don't open up for various DoS attacks or more effective brute-force attacks. Such a message would also need to be verifiable, otherwise it would be too easy for a filtering firewall or gateway to just respond with such a rejection message instead of passing the packet further, effectively shutting down clients based on wrong presumptions. Plus it needs to be implemented in the OpenVPN 3 Core library as well (which OpenVPN Connect clients use). So this isn't even a quick fix.

But I would also be very cautious about providing reasons back to clients. For all these various invalid certificate scenarios we definitely should not give too fine-grained an explanation. IMO, only an "Invalid certificate" message should be considered.

--
kind regards,

David Sommerseth
OpenVPN, Inc
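The two properties David asks of a hypothetical rejection message (it must be verifiable by the client, and it must not say more than "Invalid certificate") can be sketched in a few lines. The following is an added illustration, not OpenVPN code and not a proposed wire format: the opcode value, the 8-byte session id field, the packet layout and the use of a pre-shared HMAC key (in the spirit of tls-auth/tls-crypt keys, but not their actual format) are all assumptions made here for the example. A middlebox without the key cannot forge a rejection, a rejection captured for one client is ignored by another, and "revoked", "expired" and "wrong CA" all produce byte-identical packets.

```python
"""Sketch of an authenticated, coarse-grained 'Invalid certificate' rejection.

Added example, not OpenVPN code. Wire layout (assumed, for illustration only):
  opcode (1 byte) | client session id (8 bytes) | reason (1 byte) | HMAC-SHA256 tag (32 bytes)
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

OPCODE_REJECT = 0x0A                    # hypothetical opcode, not an OpenVPN value
REASON_INVALID_CERT = 0x01              # the single reason code a client ever sees
BODY_FMT = "!B8sB"
BODY_LEN = struct.calcsize(BODY_FMT)    # 10
TAG_LEN = hashlib.sha256().digest_size  # 32

# Reasons the server knows internally. All of them collapse to the same wire
# code, so a client learns "invalid certificate" and nothing finer.
INTERNAL_REASONS = {"wrong_ca", "expired", "revoked"}


def build_reject(key: bytes, session_id: bytes, internal_reason: str) -> bytes:
    """Server side: build a rejection the client can verify with the shared key."""
    if internal_reason not in INTERNAL_REASONS:
        raise ValueError(f"unknown internal reason: {internal_reason}")
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    body = struct.pack(BODY_FMT, OPCODE_REJECT, session_id, REASON_INVALID_CERT)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def parse_reject(key: bytes, my_session_id: bytes, packet: bytes) -> Optional[str]:
    """Client side: return the user-facing message only if the packet is genuine
    and addressed to this session; otherwise None (treat it as noise)."""
    if len(packet) != BODY_LEN + TAG_LEN:
        return None
    body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
    # Constant-time tag check: a filtering gateway without the key cannot pass this.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    opcode, session_id, reason = struct.unpack(BODY_FMT, body)
    # Binding the tag to the session id stops a captured rejection from being
    # replayed against a different client.
    if opcode != OPCODE_REJECT or session_id != my_session_id:
        return None
    if reason != REASON_INVALID_CERT:
        return None
    return "Invalid certificate"


def demo() -> dict:
    """Constructed scenario: one shared key, two clients, one forging middlebox."""
    key = os.urandom(32)                 # stands in for a pre-shared tls-auth style key
    alice, bob = os.urandom(8), os.urandom(8)
    genuine = build_reject(key, alice, "revoked")
    # A middlebox that does not hold the key tries to fake a rejection for Alice.
    forged = struct.pack(BODY_FMT, OPCODE_REJECT, alice, REASON_INVALID_CERT) + os.urandom(TAG_LEN)
    return {
        "alice_accepts_genuine": parse_reject(key, alice, genuine),
        "alice_rejects_forged": parse_reject(key, alice, forged),
        "bob_ignores_replay": parse_reject(key, bob, genuine),
        "reasons_indistinguishable": build_reject(key, alice, "revoked")
                                     == build_reject(key, alice, "expired"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

What the sketch does not solve is the DoS angle David raises: the server still computes and sends a response to every bogus handshake instead of silently dropping it, which is exactly the amplification and brute-force feedback a real design would have to rate-limit or avoid.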
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel