On 04/17/2018 06:50 PM, Jason A. Donenfeld wrote:
> * Allow specifying 'none' to the --ca parameter, to specify that
>   certificates should not be checked against a CA. Note that 'none'
>   is already used in other similar options as a special placeholder.
>
> * When '--ca none' is in use, --verify-hash checks all depths instead
>   of just level 1.
>
> With these very simple changes, fingerprint authentication is easily achieved
> via the --tls-verify script on the server and via --verify-hash on the client.
This is a great idea! I already played around with it, and it works as advertised :)

I recently thought about how to integrate this properly. The thing that is still missing is using fingerprints as CNs. The --status command and the management interface (--management) use CNs to identify clients when certificates are used. This would then also need to be modified to use 'fingerprints' as identifiers, so you would see the fingerprints when you use --status and can use fingerprints when you do "kill" through the management interface.

An option similar to --username-as-common-name, e.g. --fingerprint-as-common-name, could be introduced to accomplish this in an easy way, although it is a bit "hacky".

Cheers,
François

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
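The server half of the setup the patch describes (fingerprint authentication via a --tls-verify script) looks roughly like the script below. This is an added example, not code from the thread or from OpenVPN itself. It relies on OpenVPN's documented --tls-verify contract (the hook is run once per certificate depth with the depth as $1 and the subject as $2, and the peer certificate's SHA-256 fingerprint is exported as the tls_digest_sha256_<depth> environment variable); the allow-list path /etc/openvpn/client-fingerprints and the file format (one fingerprint per line, '#' comments) are assumptions made for the example. The leaf certificate at depth 0 must match a pinned fingerprint; other depths are accepted because with '--ca none' only the leaf identifies the client.

```shell
#!/bin/sh
# Added example (not from the thread): --tls-verify hook for OpenVPN
# fingerprint authentication on the server. Reads the SHA-256 fingerprint
# OpenVPN exports for the depth being verified and accepts the leaf only
# if it is pinned in the allow-list.

# Assumed location of the pinned client fingerprints (one per line).
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/client-fingerprints}"

# normalize_fp: upper-case hex with colons and whitespace removed, so
# "ab:cd" and "ABCD" compare equal regardless of how they were written.
normalize_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# fingerprint_allowed DIGEST FILE -> 0 if DIGEST is listed in FILE.
# Blank lines and anything after '#' are ignored.
fingerprint_allowed() {
    want=$(normalize_fp "$1")
    [ -n "$want" ] || return 1          # empty digest never matches
    [ -r "$2" ] || return 1             # missing list fails closed
    while IFS= read -r line || [ -n "$line" ]; do
        have=$(normalize_fp "${line%%#*}")
        [ -n "$have" ] || continue
        [ "$have" = "$want" ] && return 0
    done < "$2"
    return 1
}

# check_depth DEPTH DIGEST FILE -> 0 to accept this verification step.
# Depth 0 is the client's own certificate and must be pinned; deeper
# certificates carry no trust here, so the leaf alone decides.
check_depth() {
    case "$1" in
        0) fingerprint_allowed "$2" "$3" ;;
        *) return 0 ;;
    esac
}

# Entry point used when OpenVPN invokes the script: $1 is the depth.
tls_verify_main() {
    depth=$1
    # depth was validated as numeric below, so the eval only builds a
    # variable name such as tls_digest_sha256_0.
    eval "digest=\${tls_digest_sha256_${depth}:-}"
    if check_depth "$depth" "$digest" "$ALLOWLIST"; then
        exit 0
    fi
    echo "tls-verify: rejecting depth $depth, fingerprint '$digest' is not pinned" >&2
    exit 1
}

# Act as the hook only when called with a numeric depth; otherwise the
# functions above can be sourced or tested without side effects.
case "${1:-}" in
    ''|*[!0-9]*) ;;
    *) tls_verify_main "$@" ;;
esac
```

Install it with `tls-verify /path/to/this-script` (plus `script-security 2`) on a server configured with the patched `--ca none`; the allow-list is the only trust anchor, so it deserves the same file permissions as a CA key.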