Is there any way to get the whole X509 certificate in the tls-verify step? There was once a patch for it (option tls-export-cert), but it seems it did not make it into OpenVPN. Does some other solution exist?
Our usecase: we allow certificates signed from different CAs to login. The verify-cn part can be done easily based on the DN of the certificate. The problem is, they include the CRL and / or OCSP information embedded. We would like to dynamically check the revocation status. The capath option seems of no use, because not all of the auth certifcates include the same CRL (segmented CRLs). There is no one-to-one mapping between CA and CRL.
Thanks for any responses!
getting x509 cert in tls-verify (tls-export-cert)
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
-
beat weisskopf
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 16, 2015 12:35 pm
-
Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: getting x509 cert in tls-verify (tls-export-cert)
beat weisskopf wrote:Is there any way to get the whole X509 certificate in the tls-verify step? There was once a patch for it (option tls-export-cert), but it seems it did not make it into OpenVPN.
The Manual wrote:--tls-verify cmd--tls-export-cert directory
- Run command cmd to verify the X509 name of a pending TLS connection
- Store the certificates the clients uses upon connection to this directory
See TLS Mode Options in The Manual v23x-
beat weisskopf
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 16, 2015 12:35 pm
Re: getting x509 cert in tls-verify (tls-export-cert)
Uh, did no find this via google - should have scanned the man page better.
Thanks a lot,
beat
Thanks a lot,
beat