OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

getting x509 cert in tls-verify (tls-export-cert)

https://forums.openvpn.net/viewtopic.php?t=18428

Page 1 of 1

getting x509 cert in tls-verify (tls-export-cert)

Posted: Mon Mar 16, 2015 12:48 pm
by beat weisskopf
Is there any way to get the whole X509 certificate in the tls-verify step? There was once a patch for it (option tls-export-cert), but it seems it did not make it into OpenVPN. Does some other solution exist?

Our usecase: we allow certificates signed from different CAs to login. The verify-cn part can be done easily based on the DN of the certificate. The problem is, they include the CRL and / or OCSP information embedded. We would like to dynamically check the revocation status. The capath option seems of no use, because not all of the auth certifcates include the same CRL (segmented CRLs). There is no one-to-one mapping between CA and CRL.

Thanks for any responses!

Re: getting x509 cert in tls-verify (tls-export-cert)

Posted: Mon Mar 16, 2015 3:22 pm
by Traffic
beat weisskopf wrote:Is there any way to get the whole X509 certificate in the tls-verify step? There was once a patch for it (option tls-export-cert), but it seems it did not make it into OpenVPN.
:?
The Manual wrote:--tls-verify cmd
  • Run command cmd to verify the X509 name of a pending TLS connection
--tls-export-cert directory
  • Store the certificates the clients uses upon connection to this directory
:arrow: See TLS Mode Options in The Manual v23x

Re: getting x509 cert in tls-verify (tls-export-cert)

Posted: Tue Mar 17, 2015 8:16 am
by beat weisskopf
Uh, did no find this via google - should have scanned the man page better.

Thanks a lot,

beat
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/