Mathieu GIANNECCHINI | 12 Jan 2009 18:14

[patch] enhance tls-verify possibility

Hello,

It would be nice to enhance the tls-verify check possibilities against the peer
cert during a pending TLS connection, like:
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...

This patch adds a new "tls-export-cert" option which allows getting the peer
certificate in PEM format and storing it in an OpenVPN temporary file.
The peer certificate is stored before tls-script execution and deleted after.
The name of the related temporary file is available to the tls-verify
script through an environment variable "peer_cert".

The patch was made from the OpenVPN svn Beta21 branch.

Here is a very simple example of a tls-verify script which provides OCSP
support to OpenVPN (with the tls-export-cert option) without any OpenVPN
"core" modification:

#!/bin/sh

X509=$2

# Perform OCSP check on peer certificate
openssl ocsp \
      -issuer /etc/openvpn/ssl.crt/RootCA.pem \
      -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
      -cert $peer_cert \

Alon Bar-Lev | 12 Jan 2009 18:58

Re: [patch] enhance tls-verify possibility

Hello,

Thank you for the patch.
I am more in favor of adding OCSP support into OpenVPN.
It should be very easy using OpenSSL trunk.

Also available at [1].

So if you can help perfecting this patch it would be a step in the
right direction.

[1] http://www.block64.net/

On 1/12/09, Mathieu GIANNECCHINI <mat.giann <at> free.fr> wrote:
> Hello,
>
>  It would be nice to enhance the tls-verify check possibilities against the peer
>  cert during a pending TLS connection, like:
>  - OCSP verification
>  - check any X509 extensions of the peer certificate
>  - delta CRL verification
>  - ...
>
>  This patch adds a new "tls-export-cert" option which allows getting the peer
>  certificate in PEM format and storing it in an OpenVPN temporary file.
>  The peer certificate is stored before tls-script execution and deleted after.
>  The name of the related temporary file is available to the tls-verify
>  script through an environment variable "peer_cert".
>
>  The patch was made from the OpenVPN svn Beta21 branch.

Thomas NOEL | 12 Jan 2009 20:20

Re: [patch] enhance tls-verify possibility

Hello,

Alon Bar-Lev wrote:
> Thank you for the patch.
> I am more in favor of adding OCSP support into OpenVPN.
> It should be very easy using OpenSSL trunk.
> Also available at [1].
> So if you can help perfecting this patch it would be a step in the
> right direction.
> [1] http://www.block64.net/

I think it is not as flexible as Mathieu's patch.

For example, a certificate or a CA can provide its own "Authority
Information Access" (via an X509 extension) with the URL of a preferred
OCSP server... Managing this kind of configuration inside OpenVPN is not
easy.

The "--tls-export-cert" option (proposed by Mathieu) puts the complexity
in a script, where you are only limited by your imagination: OCSP is an
example, but you can also think about OCSP with fallback, SCVP,
revocation with delta CRLs, checks against an NSS database, etc. Think
about blacklists, too...

We can not integrate all these cases directly in OpenVPN. An external
system (as for all other scripts in OpenVPN) provides a very efficient
solution.

Just my 2 cents.

-- 

Alon Bar-Lev | 13 Jan 2009 08:13

Re: [patch] enhance tls-verify possibility

On 1/12/09, Thomas NOEL <thomas.noel <at> auf.org> wrote:
> Hello,
>
>  Alon Bar-Lev wrote:
>
> > Thank you for the patch.
>  > I am more in favor of adding OCSP support into OpenVPN.
>  > It should be very easy using OpenSSL trunk.
>  > Also available at [1].
>  > So if you can help perfecting this patch it would be a step in the
>  > right direction.
>  > [1] http://www.block64.net/
>
>
> I think it is not as flexible as Mathieu's patch.
>
>  For example, a certificate or a CA can provide its own "Authority
>  Information Access" (via an X509 extension) with the URL of a preferred
>  OCSP server... Managing this kind of configuration inside OpenVPN is not
>  easy.

This is why I wrote "perfecting this patch" :)

>  The "--tls-export-cert" option (proposed by Mathieu) puts the complexity
>  in a script, where you are only limited by your imagination: OCSP is an
>  example, but you can also think about OCSP with fallback, SCVP,
>  revocation with delta CRLs, checks against an NSS database, etc. Think
>  about blacklists, too...
>
>  We can not integrate all these cases directly in OpenVPN. An external

Thomas NOEL | 13 Jan 2009 09:36

Re: [patch] enhance tls-verify possibility

Alon Bar-Lev wrote:
> I think all the above can be implemented as logic into OCSP responder...
> OpenVPN needs a standard way to forward the certificate.
> Standard == OCSP

It's not easy to configure an OCSP responder with a specific logic...

> If a simple script based OCSP is out there, then all you need is solved.

All I need is solved with Mathieu's patch: in the tls-verify
script, I can check an OCSP responder, if it does not respond try
another, if none respond check deltaCRL+CRL... I can even send a mail in
case of a detected intrusion ;)

That's why I prefer a "general script for tls verification" instead of
just an OCSP verification.

But in fact, both patches (OCSP-system and script-system) are
complementary. CRL (current system) and OCSP can resolve a lot of
situations, script-system can resolve all others... Such an
extended verification system would be a nice feature of openvpn
(I could say: another "killer-feature"? ;) )

Cheers,
-- 
Thomas NOEL <thomas.noel <at> auf.org> http://www.auf.org/
Technical Infrastructure Coordinator
IT Resources Administration
Agence universitaire de la Francophonie (AUF)

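
The tls-verify script sketched in Mathieu's first message and the responder fallback Thomas describes above, as one added example (not the patch author's script nor OpenVPN's own code). It assumes the patch exports the peer certificate to the file named in $peer_cert; the certificate paths and responder URLs are placeholders, and the CRL fallback uses the -CRLfile option of a current OpenSSL.

```sh
#!/bin/sh
# Added example (not the patch author's script): a --tls-verify script built on the
# proposed --tls-export-cert option, which exports the peer certificate to a temporary
# PEM file named in $peer_cert. OpenVPN passes depth as $1 and subject as $2.
ISSUER=${ISSUER:-/etc/openvpn/ssl.crt/RootCA.pem}          # placeholder paths
CAFILE=${CAFILE:-/etc/openvpn/ssl.capath/cafile.pem}
CRL=${CRL:-/etc/openvpn/crl.pem}
OCSP_URLS=${OCSP_URLS:-"http://ocsp1.example.invalid/ http://ocsp2.example.invalid/"}

# classify_ocsp: map `openssl ocsp` output to good|revoked|unknown|error.
# A status line is only trusted when the response signature verified: openssl
# still prints "<cert>: good" after "Response Verify Failure", so test that first.
classify_ocsp() {
    case $1 in
        *"Response verify OK"*) ;;
        *) echo error; return ;;
    esac
    case $1 in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *)             echo unknown ;;
    esac
}

# check_ocsp: ask one responder about the exported peer certificate.
check_ocsp() {
    out=$(openssl ocsp -issuer "$ISSUER" -CAfile "$CAFILE" \
                       -cert "$peer_cert" -url "$1" -nonce 2>&1)
    classify_ocsp "$out"
}

# check_crl: fallback when no responder answered (-CRLfile needs OpenSSL >= 1.0.0).
check_crl() {
    openssl verify -crl_check -CAfile "$CAFILE" -CRLfile "$CRL" "$peer_cert" >/dev/null 2>&1
}

# verify_peer: first definitive OCSP answer wins; unknown or unreachable responders
# are skipped; the CRL decides if none answered. Exit 0 accepts, 1 rejects.
verify_peer() {
    for url in $OCSP_URLS; do
        case $(check_ocsp "$url") in
            good)    return 0 ;;
            revoked) return 1 ;;
        esac
    done
    check_crl
}

# Only run when invoked by OpenVPN (the patch sets $peer_cert).
[ -z "${peer_cert:-}" ] || verify_peer
```

Point --tls-verify at this file and OpenVPN's exit-status convention does the rest: a non-zero exit rejects the pending connection.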

