Hello,
Below you will find a patch that creates a new configuration option
--cryptoapicastore (the naming sucks, I know...) which enables certificate
verification using Windows Certificate Stores (CA and ROOT).
It can be used in addition to --cafile and --capath or standalone.
I have compile and b
Ok, here's another try, even though I didn't get any comments on the
first one :-)
This is a totally different approach; the previous one was flawed in at
least two aspects:
- A certificate signed by a CA stored in the "Intermediate CA store"
but not trusted would be considered acceptable by Open
Hi,
Thank you for your comments.
Alon Bar-Lev wrote:
> On 1/3/07, Faidon Liambotis wrote:
>> Ok, here's another try, even though I didn't get any comments on the
>> first one :-)
>>
>> This is a totally different approach; the previous one was flawed in
Alon Bar-Lev wrote:
> If you integrate into Microsoft trust providers, you should also
> support CTL and such. So that the Domain/Computer policy will be
> applied to OpenVPN.
After a bit of googling, I can now *guess* what you mean.
I'm no Microsoft expert or developer -and I don't want to be, to
Hello again,
While fiddling with the OpenVPN code for the patch -look at my other
mail- I noticed the following:
When a server specifies client-cert-not-required and the client passes a
certificate, the server does not check this certificate for validity,
i.e. no trust verification (signed by the C
Hello,
Below you will find a revised version of a patch that I sent almost 9
months before.
It allows OpenVPN to verify certificates against the Windows Certificate Store.
Changed since v2:
* Replace the global variable by a TLS options variable
* Added relevant man page entry
* Minor bugfixes
Alon Bar-Lev wrote:
> Why not use SSL_CTX_add_client_CA and add all CAPI root store into
> OpenSSL context?
My initial approach (v1) was that (albeit not with
SSL_CTX_add_client_CA but with X509_STORE_add_cert).
This was flawed, for the reasons I mentioned in v2 changelog (which btw,
you have seen
Alon Bar-Lev wrote:
> So you need to use CertVerifyCertificateChainPolicy() with
> CERT_CHAIN_POLICY_SSL
I'm no Microsoft developer (and I don't want to be to be honest) but if
I understand it right, it's better to call CertGetCertificateChain() as
I am doing.
MSDN for CertVerifyCertificateChainP
Alon Bar-Lev wrote:
> On 9/22/07, Faidon Liambotis wrote:
>> Alon Bar-Lev wrote:
>>> So you need to use CertVerifyCertificateChainPolicy() with
>>> CERT_CHAIN_POLICY_SSL
>> I'm no Microsoft developer (and I don't want to be to be honest) but if
>
Faidon Liambotis wrote:
> Alon Bar-Lev wrote:
>> You need to use both, one to create the chain and the other to verify
>> that it meets with system CTL for SSL.
> Seems that you are right. Below you will find -v4 of the patch that does
> that.
>
> Also, my previous ve
ADIUS authentication that are more
featureful. Haven't evaluated them though, the above works pretty well
for me.
Regards,
Faidon
#!/usr/bin/perl
# OpenVPN auth-user-pass-verify script for RADIUS Authentication
#
# Copyright (c) 2005 Greek Research and Technology Network S.A.
#
# Author: Faidon
Hi,
In light of the Debian OpenSSL vulnerability, I was looking for a way to
efficiently check for revoked certificates.
Updating CRLs is one way but it's not exactly efficient.
I've found that someone has actually implemented OCSP for OpenVPN[1].
Is there any specific reason that this hasn't b
Hi,
Alon Bar-Lev wrote:
> On 9/27/08, Alon Bar-Lev wrote:
>> I prefer to receive patches...
>> Anyway, this is not exactly what I meant.
>> Please review latest head.
>> I did not test this, but it should be correct now as far as the
>> changes are concerned.
>> It may not work as the valid