How to allow (some) expired client certificates?
Moderators: TinCanTech
- OpenVpn Newbie (tschoening)
How to allow (some) expired client certificates?
I would like to prepare for the case that client certificates get expired and wondered if there's any option/hook one can use to tell OpenVPN to accept client certificates even if they have been expired?
Looking at the reference manual, I only found things which could be checked alternatively or additionally and then mostly after OpenVPN itself validated certificates already. But I can't find anything to tell that OpenVPN should do its normal certificate validation but only in case a certificate has been expired simply still allow it or optionally ask me by using some script.
"--tls-verify cmd" runs only after all other tests have passed already, but in case of an expired certificate things fail. The same seems to be the case for "--management-client-auth". Something like "--verify-client-cert none|optional|require" sounds promising, but there simply doesn't seem to be the case I need. Using username+password wouldn't help my use case, because that would involve reconfiguring lots of clients, in which case I could simply change certificates as well. I need something which relies on certificates but gives me some additional influence.
So is that possible at all currently? From what I've read it sounds like the answer is no. Thanks!
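The timing point made above (a --tls-verify script is only reached once OpenVPN's own chain, signature and validity-period checks have passed) shown concretely, as an added example that is not code from this thread or from the OpenVPN project: a POSIX shell --tls-verify hook that accepts a leaf certificate only when its CN is listed in an allowlist file. The allowlist path and the CN values are assumptions; an expired client certificate is rejected by OpenVPN before this hook ever runs, which is exactly the limitation the post describes.

```shell
#!/bin/sh
# Added example of an OpenVPN --tls-verify hook (not code from the thread or the
# OpenVPN project). OpenVPN runs it as:  script <depth> <x509-subject>
# and also exports the subject fields as X509_<depth>_<field>, e.g. X509_0_CN.
# Exit 0 accepts the certificate at this depth, non-zero rejects the connection.
# It is only reached after OpenVPN's own chain, signature and validity-period
# checks succeeded, so an expired client certificate never gets this far.

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cns.txt}"   # assumed path, one CN per line

# Pull the CN out of a subject in either "C=DE, O=Example, CN=laptop-01" or
# "/C=DE/O=Example/CN=laptop-01" form (CNs containing ',' or '/' are not handled).
cn_from_subject() {
    printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# cn_allowed <depth> <cn> <allowlist-file>: 0 if the leaf (depth 0) CN is listed.
# CA/intermediate certificates (depth > 0) pass here because OpenVPN already
# verified that they chain to the configured --ca; a missing list fails closed.
cn_allowed() {
    [ "$1" -ne 0 ] && return 0
    [ -n "$2" ] || return 1
    grep -Fxq -- "$2" "$3"
}

main() {
    depth=$1
    subject=$2
    case $depth in *[!0-9]*|'') echo "tls-verify: bad depth '$depth'" >&2; exit 1;; esac
    # Prefer the CN OpenVPN exports in the environment; fall back to parsing the subject.
    eval "cn=\${X509_${depth}_CN:-}"
    [ -n "$cn" ] || cn=$(cn_from_subject "$subject")
    if cn_allowed "$depth" "$cn" "$ALLOWLIST"; then
        exit 0
    fi
    echo "tls-verify: rejecting depth=$depth CN='$cn' (not in $ALLOWLIST)" >&2
    exit 1
}

# Only run when invoked by OpenVPN with its two arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```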
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
See --verify-client-cert in the man.
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
As can be read in my text, I did and it doesn't seem to provide what I'm looking for. How exactly does this option accept an expired certificate?
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
I have never tried it myself, no need to. However, if it does not work that way then so be it.
Did you try issuing a new certificate to the client?
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
No, but I know that this is possible and am thinking of ways to avoid that for various reasons.
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
I think you will find you are out of luck, unless you want to take a shot at changing the source code.
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
I suspected the same. But have a look at the following error message:
[...]ovpn-server[24352]: Options error: --verify-client-cert none|optional must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin
Where does that "or plugin" belong to in your opinion? To me it reads like it's an additional 3rd option independent of all the others. But the only mention of "plugin" I found was in combination with "--auth-user-pass", like in the following docs:
https://openvpn.net/community-resources ... n-methods/
So it seems that without certificates, everything else is always bound to at least username+password? Do you know where I can find docs about what exactly is possible with plugins when? Things like API-docs etc.?
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
The point you are missing is that, if you don't verify the client cert then openvpn expects you to verify by username/password. It's a minimum level of security and the manual makes it absolutely clear that your security is down to your user/pass verification.
I suggest you start with the Howto.
https://community.openvpn.net/openvpn/wiki/HOWTO
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
You should be more careful about what you tell people they didn't understand properly. :-/ Let's have a look at the docs:
none : a client certificate is not required. the client need to authenticate using username/password only.
optional : a client may present a certificate but it is not required to do so. When using this directive, you should also use a --auth-user-pass-verify script to ensure that clients are authenticated using a certificate, a username and password, or possibly even both.
"need" vs. "should", that's why I tested that specific setup and wondered what exactly the printed error message means.
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
tschoening wrote: ↑Wed Jan 29, 2020 6:48 pm
You should be more careful about what you tell people they didn't understand properly
tschoening wrote: ↑Wed Jan 29, 2020 5:53 pm
Options error: --verify-client-cert none|optional must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin
tschoening wrote: ↑Wed Jan 29, 2020 6:48 pm
"need" vs. "should", that's why I tested that specific setup and wondered what exactly the printed error message means.
TinCanTech wrote: ↑Wed Jan 29, 2020 6:06 pm
The point you are missing is that, if you don't verify the client cert then openvpn expects you to verify by username/password. It's a minimum level of security and the manual makes it absolutely clear that your security is down to your user/pass verification.
I suggest you start with the Howto.
https://community.openvpn.net/openvpn/wiki/HOWTO
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
Why do you think I was asking for how exactly "or plugin" is meant, where it belongs to in the sentence and where I can find docs for that? Your bold "must" in combination with "or plugin" in theory could perfectly well mean that no combination of username+password is necessary IF one uses a plugin INSTEAD. The error message I quoted is simply NOT clear regarding that point and the docs I quoted are NOT clear regarding that point as well.
It would be of much more help if you would have been able to provide the docs I was requesting and unable to find myself instead of guessing what I might have understood or not.
- OpenVPN Protagonist (TinCanTech)
Re: How to allow (some) expired client certificates?
tschoening wrote: ↑Wed Jan 29, 2020 7:52 pm
Why do you think I was asking for how exactly "or plugin" is meant
One or the other ..
tschoening wrote: ↑Wed Jan 29, 2020 7:52 pm
where it belongs to in the sentence and where I can find docs for that?
TinCanTech wrote: ↑Wed Jan 29, 2020 6:06 pm
I suggest you start with the Howto.
https://community.openvpn.net/openvpn/wiki/HOWTO
tschoening wrote: ↑Wed Jan 29, 2020 7:52 pm
Your bold "must" in combination with "or plugin" in theory could perfectly well mean that no combination of username+password is necessary IF one uses a plugin INSTEAD. The error message I quoted is simply NOT clear regarding that point and the docs I quoted are NOT clear regarding that point as well.
It would be of much more help if you would have been able to provide the docs I was requesting and unable to find myself instead of guessing what I might have understood or not.
Improvements to the documentation are always welcome.
- OpenVpn Newbie (tschoening)
Re: How to allow (some) expired client certificates?
TinCanTech wrote: ↑Wed Jan 29, 2020 9:24 pm
tschoening wrote: ↑Wed Jan 29, 2020 7:52 pm
where it belongs to in the sentence and where I can find docs for that?
TinCanTech wrote: ↑Wed Jan 29, 2020 6:06 pm
I suggest you start with the Howto.
https://community.openvpn.net/openvpn/wiki/HOWTO
Did you actually look at that HowTo? It contains the following sentence:
If you would like more information on developing your own plugins for use with OpenVPN, see the README files in the plugin subdirectory of the OpenVPN source distribution.
The only plugin-related subdirectory I was able to find is "plugins" instead of "plugin" and that doesn't seem to contain any generic README explaining plugins in general, but only the specific ones already available:
https://github.com/OpenVPN/openvpn/tree ... rc/plugins
And that's why I asked for additional details, as it's obvious that the existing username+password-plugin is not of much help answering my questions. I need to influence certificate validation itself, if at all.
So, do you know about general docs about plugins, available interfaces/hooks etc. to them or not?