[Openvpn-devel] a replacement for --tls-remote and verify-cn
Hi,

I ran into problems in using --tls-verify to verify the remote host with --chroot enabled. --tls-verify runs the verify script with the system() command, so it assumes that /bin/sh is available. Usually, in a chroot environment, that's not true.

I implemented a new config option: --tls-remote x509name

With --tls-remote the remote host is verified by looking at the X509 name. If the remote X509 name doesn't match the given x509name, the remote host is rejected.

With --tls-remote, it's possible to verify the remote host even with a completely empty chroot directory. --tls-remote also removes the need for an external --tls-verify script in most cases.

Config example:

    tls-remote /O=exampleorg/CN=name

I have tested the patch with a TLS tunnel on Debian Woody.

A patch against OpenVPN 1.5 beta12 is available at:
http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Feel free to use it. :)

Teemu
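The --tls-remote check described in the post above, as an added example (it is not Teemu's patch or OpenVPN's own code): the "/O=.../CN=..." name format comes from the post's config example, while the parsing and the exact-match policy are assumptions made here to show why a loose comparison would be a weaker check.

```python
# Added example, not OpenVPN code: models the --tls-remote check, i.e. accept
# the peer only if its X509 subject matches the configured x509name.
# Assumptions: the "/attr=value/attr=value" format from the post's example,
# values never contain '/', and an exact match is required.
from typing import Dict


def parse_x509_name(name: str) -> Dict[str, str]:
    """Parse an OpenVPN-style X509 name such as "/O=exampleorg/CN=name"
    into an attribute -> value dict. Raises ValueError on malformed input."""
    if not name.startswith("/"):
        raise ValueError("X509 name must start with '/'")
    attrs: Dict[str, str] = {}
    for part in name[1:].split("/"):
        if "=" not in part:
            raise ValueError(f"malformed component: {part!r}")
        key, _, value = part.partition("=")
        if not key or key in attrs:
            raise ValueError(f"empty or duplicate attribute: {key!r}")
        attrs[key] = value
    return attrs


def tls_remote_accepts(configured: str, peer_subject: str) -> bool:
    """Return True only if the peer's subject carries exactly the attributes
    and values of the configured x509name (assumed exact-match policy), so
    that /O=exampleorg/CN=name2 cannot pass as CN=name. Any name that fails
    to parse is rejected rather than treated as a match."""
    try:
        want = parse_x509_name(configured)
        got = parse_x509_name(peer_subject)
    except ValueError:
        return False
    return want == got


def naive_prefix_accepts(configured: str, peer_subject: str) -> bool:
    """The comparison to avoid: a plain string-prefix test lets any subject
    that merely begins with the configured name through."""
    return peer_subject.startswith(configured)
```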
[Openvpn-devel] Splitting functionality of VPN daemons
Hello,

Today there are lots of VPN implementations, each having their strengths and weaknesses. In particular, OpenVPN has focussed on creating tunnels using standards such as SSL/TLS and ESP and provides better security than many other VPN implementations. Tinc on the other hand is probably the only VPN daemon that handles multiple tunnels on one tun/tap device, using built-in routing.

In order to allow both projects (and maybe others) to combine their efforts in a manageable way, there should be a standardised API, so that code can be reused without having to change it. You can find a concept here:
http://sliepen.eu.org/~guus/vpnsplit.html

This is by no means finished, your input is greatly appreciated.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen
Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn
Teemu Kiviniemi said:

> Hi,
>
> I ran into problems in using --tls-verify to verify the remote host with
> --chroot enabled. --tls-verify runs the verify script with system()
> command, so it assumes that /bin/sh is available. Usually, in a chroot
> environment, that's not true.
>
> I implemented a new config option: --tls-remote x509name
>
> With --tls-remote the remote host is verified by looking at the X509
> name. If the remote X509 name doesn't match the given x509name, the
> remote host is rejected.
>
> With --tls-remote, it's possible to verify remote host even with a
> completely empty chroot directory. --tls-remote also removes the need
> for an external --tls-verify script in most cases.
>
> Config example:
> tls-remote /O=exampleorg/CN=name
>
> I have tested the patch with a TLS tunnel on Debian Woody.
>
> A patch against OpenVPN 1.5 beta12 is available at:
> http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Thanks, that looks like a useful patch.

One thing that would help me to merge it more easily is if you could recode against the current CVS, which has advanced since beta12 and includes the --crl-verify patch which touches the same parts of ssl.c as your patch. The 1.5 beta series exists in the CVS under branch "EXP15".

James
Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn
Mon, 27-10-2003 at 22:49, James Yonan wrote:

> One thing that would help me to merge it more easily, is if you could recode
> against the current CVS which has advanced since beta12 and includes the

Hi,

I rewrote the patch against the EXP15 branch in CVS. I tested it briefly and it worked just fine.

The patch is available at:
http://iki.fi/teemuki/openvpn/cvs-tlsremote.diff

Teemu