On Fri, Jan 14, 2005 at 10:35:47PM -0600, Charles Duffy wrote:
> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> > > I'd use a tls-verify script to blacklist clients which have valid
> > > certificates but which aren't presently supposed to be able to connect.
> >
> > How about adding the vendor's cert to the revocation list, then removing
> > it when they call in to request access?
>
> In theory, if not practice, certificate revocation lists are
> append-only. "Removing it" is not a supported operation.

I admit that I haven't worked with CRLs before, but isn't the CRL in the
same format, say, as a root cert file for a web server, containing multiple
certificates and optional comments between them? Why couldn't you edit
that? Will the X.509 police bust your door down or something?

Since he's only making this change at the server, can't he just add the
"--crl-verify FILE" option and remove it when needed, or replace FILE with
a different file and restart openvpn? That seems easier to me than writing
a special-purpose script.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
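For reference, here is what the tls-verify script discussed in this thread looks like in practice. It is an added example and not code posted by anyone on the list. OpenVPN invokes a --tls-verify hook with two arguments, the certificate depth and the X509 subject as a one-line string, and treats a non-zero exit as a verification failure; everything else here (the blocklist path, the sample CNs, the helper names) is assumed for illustration.

```sh
#!/bin/sh
# Added example, not from the openvpn-users thread: an OpenVPN --tls-verify
# hook that rejects clients whose certificate is valid but whose CN is listed
# in a blocklist file. Removing the CN from the file lets the client back in,
# which is the "temporary block" the thread is after without touching a CRL.
#
# OpenVPN runs the hook as:  script <depth> <X509 subject one-line>
# and a non-zero exit status fails the TLS handshake for that peer.
# Assumed: the blocklist path below and every sample subject are constructed.

BLOCKLIST="${BLOCKLIST:-/etc/openvpn/blocked-cns}"

# Pull the CN out of either subject style OpenVPN may hand us:
#   "/C=US/O=Example/CN=vendor-support"  or  "C=US, O=Example, CN=vendor-support"
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p'
}

# verify_client <depth> <subject>: exit 0 to allow, 1 to reject.
verify_client() {
    depth="$1"
    subject="$2"
    # Only the leaf certificate (depth 0) identifies the client; let the
    # CA chain through, OpenVPN still validates signatures itself.
    [ "$depth" != "0" ] && return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1           # a client cert with no CN is rejected
    [ -r "$BLOCKLIST" ] || return 0    # no blocklist file means nobody is blocked
    # Exact, whole-line match; '#' comment lines in the blocklist are ignored.
    if grep -v '^[[:space:]]*#' "$BLOCKLIST" | grep -Fxq -- "$cn"; then
        return 1
    fi
    return 0
}

# Constructed sample blocklist for offline use; not a real deployment file.
make_sample_blocklist() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# one CN per line; delete a line to let that client connect again
vendor-support
contractor-02
EOF
    printf '%s\n' "$f"
}

# Invoked by OpenVPN: act on the real arguments.
if [ "$#" -eq 2 ]; then
    verify_client "$1" "$2"
    exit $?
fi

# Run by hand with no arguments: demonstrate against the constructed list.
if [ "$#" -eq 0 ]; then
    BLOCKLIST=$(make_sample_blocklist)
    for subj in "/C=US/O=Example/CN=vendor-support" "/C=US/O=Example/CN=staff-01"; do
        if verify_client 0 "$subj"; then echo "allow  $subj"; else echo "reject $subj"; fi
    done
    rm -f "$BLOCKLIST"
fi
```

Wire it in with `tls-verify /etc/openvpn/verify-client.sh` in the server config (on OpenVPN 2.1 and later `script-security 2` is also needed before external scripts run). Because the hook runs on every handshake and reads the blocklist each time, editing the file takes effect on the client's next connection with no server restart, which is the operational difference from swapping the `--crl-verify` file.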