Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 18 May 2021 13:21, Arne Schwabe <a...@rfc2549.org> wrote:

> Am 17.05.21 um 19:16 schrieb tincantech:
>
> > Hi,
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > This is meant to give new users a quickstart for a useable OpenVPN
> > > setup. Our own documentation is lacking in this regard and many
> > > tutorials that can be found online are often questionable in some
> > > aspects.
> >
> > I believe Openvpn in standard mode (Full PKI) would reject an expired
> > client certificate.
> > Note: There is absolutely nothing in the manual to confirm this !
> > https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> > On that page there are eight uses of the word 'expire' and they all
> > relate to an expired auth-token, this could also probably be improved.
> > However, Openvpn in peer-fingerprint mode allows an expired client
> > certificate to connect.
> > The client log does have a 'WARNING: Your certificate has expired!'
> > The server log has nothing about an expired client certificate.
> > And, as we all know, who reads their log files anyway ?
> > The issue here is that the server allows an expired client certificate
> > to connect and there is no mention of this change in behaviour.
>
> Yes. We just trust the fingerprint of the certificate. The behaviour to
> ignore expiry is a side effect of that. It is kinda designed to be this way.
>
> Arne

The change itself is ok, I just thought it worth mentioning in this guide.

Thanks
R


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
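
Because the server in peer-fingerprint mode accepts an expired client certificate, as discussed in the thread above, expiry has to be checked out of band. The audit script below is an added example, not part of the original thread or of OpenVPN. It assumes the `openssl` CLI is installed and that the pinned certificates are kept as PEM `*.crt` files in one directory; the function names and that layout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit fingerprint-pinned certificates
# for expiry, since peer-fingerprint mode does not enforce it on the server.

# Constructed sample input: self-signed cert $1/$2.crt valid for $3 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Print "<status> <sha256 fingerprint> <file>" for one PEM certificate.
# status is EXPIRED, EXPIRING (within $2 seconds, default 30 days) or OK.
audit_cert() {
    cert=$1
    window=${2:-2592000}
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 2
    fp=${fp#*=}   # drop the "sha256 Fingerprint=" label, keep AA:BB:...
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        status=EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        status=EXPIRING
    else
        status=OK
    fi
    printf '%s %s %s\n' "$status" "$fp" "$cert"
}

# Audit every *.crt in directory $1. Returns 0 if all are OK, 1 if any is
# expired or expiring, 2 if a file could not be parsed.
audit_dir() {
    rc=0
    for c in "$1"/*.crt; do
        [ -e "$c" ] || continue
        if line=$(audit_cert "$c" "${2:-2592000}"); then
            printf '%s\n' "$line"
            case $line in OK\ *) ;; *) [ "$rc" -ne 0 ] || rc=1 ;; esac
        else
            rc=2
        fi
    done
    return "$rc"
}

# Usage: sh audit.sh /path/to/pinned-certs [window-seconds]
if [ "$#" -gt 0 ]; then
    audit_dir "$@"
fi
```

The fingerprint column is in the colon-separated SHA256 form that `openssl x509 -fingerprint -sha256` prints, so each line can be matched against the entries pinned in the server configuration.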
