How to verify serial number of certificate?

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

thanhtung
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 20, 2012 11:46 am

How to verify serial number of certificate?

Post by thanhtung » Fri Apr 20, 2012 12:15 pm

I use the 'tls-verify' command to allow only a particular set of certificate CN's:
tls-verify /etc/openvpn/verify-cn
It's ok, but I think it would be nice if we could verify the serial number of a client certificate, to be more sure that it's the correct certificate. It could be exposed in an environment variable, perhaps? (tls_serial_{n}). I need an example of this.
Please help me. Thanks.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to verify serial number of certificate?

Post by janjust » Fri Apr 20, 2012 1:41 pm

How would you want to check the serial number?
If the certificate is accepted by OpenVPN then it was signed by a CA cert that OpenVPN trusts - that should be enough.
If you want to match against a list of allowed serial numbers then make a list of serial numbers and match ${tls_serial_{n}} against it.

thanhtung
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 20, 2012 11:46 am

Re: How to verify serial number of certificate?

Post by thanhtung » Sat Apr 21, 2012 9:41 am

Thanks for the quick reply :D
But I need an example of this. As you said, I can use ${tls_serial_{n}}, but should I put it into the server config file or into the tls-verify script? Please give me an example?

thanhtung
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 20, 2012 11:46 am

Re: How to verify serial number of certificate?

Post by thanhtung » Thu Apr 26, 2012 11:04 am

janjust wrote: How would you want to check the serial number?
If the certificate is accepted by OpenVPN then it was signed by a CA cert that OpenVPN trusts - that should be enough.
If you want to match against a list of allowed serial numbers then make a list of serial numbers and match ${tls_serial_{n}} against it.
I got the environment variable tls_serial_{0} by typing "echo %tls_serial_{0}%" in the Windows cmd, and the result is the serial number of the client's certificate.
I wrote a tls-verify program in C and put it into the server config: tls-verify "'C:\\OpenVPNSerialCheck.exe' 123123123", where 123123123 is the serial number of the client's certificate, and it failed. When I look at server.log, the failure message is "[ERROR]: Could not find environment variable tls_serial_{0}!"
Please help me; it's best if you can give me an example of it. Thanks.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to verify serial number of certificate?

Post by janjust » Thu Apr 26, 2012 10:20 pm

I don't have an example for Windows; the env var you're searching for, however, is

tls_serial_0
tls_serial_1
tls_serial_2
etc. Modify your code to look for that variable. Also, run a batch/cmd file that dumps the environment as a dummy 'tls-verify' script - you should see the names of the env vars pretty easily.
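The two replies above describe the whole mechanism: OpenVPN runs the `tls-verify` script once per certificate in the chain, passing the depth and the X.509 subject as the two positional arguments, and exports the serial of the certificate at each depth as `tls_serial_<depth>` (not `tls_serial_{0}`), which the script can match against a list of allowed serials. The POSIX shell script below is an added example of such a script for a Linux/Unix server; it is not code from the thread or from the OpenVPN project. The allow-list path `/etc/openvpn/allowed-serials.txt` and the sample serials are assumptions. Only the leaf certificate (depth 0) is checked against the list, because the chain has already been validated against the trusted CA by the time `tls-verify` runs.

```shell
#!/bin/sh
# Added example tls-verify script (not from the thread or from OpenVPN).
# OpenVPN invokes it as:  script <depth> <x509 subject>
# and exports tls_serial_<depth> for the certificate at that depth.
# The allow-list path is an assumption; one serial per line, '#' comments allowed.
ALLOWED_SERIALS="${ALLOWED_SERIALS:-/etc/openvpn/allowed-serials.txt}"

# serial_allowed SERIAL FILE
# Returns 0 when SERIAL appears as a complete line of FILE, 1 otherwise.
# An empty serial or an unreadable list is a failure, never an implicit allow.
serial_allowed() {
    serial="$1"
    listfile="$2"
    [ -n "$serial" ] || return 1
    [ -r "$listfile" ] || return 1
    grep -v '^[[:space:]]*#' "$listfile" | grep -qx -- "$serial"
}

# verify_depth DEPTH SERIAL FILE
# Depth 0 is the client (leaf) certificate and must be on the list.
# Depth >= 1 are the issuing CA certificates; OpenVPN has already checked
# that they chain to the configured trusted CA, so they pass through here.
verify_depth() {
    depth="$1"
    serial="$2"
    listfile="$3"
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;   # depth must be a non-negative integer
    esac
    if [ "$depth" -eq 0 ]; then
        serial_allowed "$serial" "$listfile"
    else
        return 0
    fi
}

# Entry point when invoked by OpenVPN (exactly two positional arguments).
if [ "$#" -eq 2 ]; then
    depth="$1"
    subject="$2"
    case "$depth" in
        ''|*[!0-9]*) echo "tls-verify: bad depth '$depth'" >&2; exit 1 ;;
    esac
    # Read the variable named tls_serial_<depth> exported by OpenVPN.
    eval "serial=\${tls_serial_$depth}"
    if verify_depth "$depth" "$serial" "$ALLOWED_SERIALS"; then
        exit 0
    fi
    echo "tls-verify: rejecting depth $depth subject '$subject' serial '$serial'" >&2
    exit 1
fi
```

Reference it from the server config as `tls-verify /etc/openvpn/verify-serial.sh` (with `script-security 2`, which OpenVPN requires before it will run external scripts), and keep the list in the same textual format OpenVPN exports in `tls_serial_<depth>`; that differs from the colon-separated hex that `openssl x509 -serial` prints, so copy the value from a dumped environment rather than from the certificate file. A rejected connection shows up in the server log as the `tls-verify` script failing, so the `echo` to stderr is what you will grep for when a client is turned away.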

thanhtung
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 20, 2012 11:46 am

Re: How to verify serial number of certificate?

Post by thanhtung » Wed May 02, 2012 1:48 am

janjust wrote: I don't have an example for Windows; the env var you're searching for, however, is

tls_serial_0
tls_serial_1
tls_serial_2
etc. Modify your code to look for that variable. Also, run a batch/cmd file that dumps the environment as a dummy 'tls-verify' script - you should see the names of the env vars pretty easily.
Thank you very much, the env var must be tls_serial_0 as you said; this problem is resolved.
