On Fri, 14 Jan 2005, Charles Duffy wrote:

> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> > > I'd use a tls-verify script to blacklist clients which have valid
> > > certificates but which aren't presently supposed to be able to connect.
> >
> > How about adding the vendor's cert to the revocation list, then removing
> > it when they call in to request access?
>
> In theory, if not practice, certificate revocation lists are
> append-only. "Removing it" is not a supported operation.

Another possible way to do this:

Use --client-config-dir and --ccd-exclusive on the server. Now the server
will only accept connections if the common name of the connection matches
a (possibly empty) file in the --client-config-dir directory. So you can
turn access on or off by simply creating and deleting this common name file.

The one caveat here is that once you use --ccd-exclusive, it applies to all
clients which will be connecting. If you only want to turn on/off access to
a single common name but allow all others, I think a --tls-verify script is
the way to go.

James

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
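The two mechanisms discussed in this thread, a --tls-verify deny-list script for blocking individual common names and the --client-config-dir / --ccd-exclusive file toggle for allow-listing, as one added example. This is not code from the thread or from the OpenVPN project; it assumes OpenVPN invokes the --tls-verify script with two arguments (certificate depth, with 0 being the client's own certificate, and the X509 subject string) and treats exit status 0 as "allow". The deny-list path, the OPENVPN_DENYLIST variable and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not OpenVPN's own code).
# Assumes OpenVPN runs this file as:  <script> <depth> <x509-subject>
# and accepts the handshake when the script exits 0, refuses it otherwise.

# Extract the CN from a subject string. Handles both the slash form
# "/C=US/O=Acme/CN=vendor1" and the comma form "C=US, O=Acme, CN=vendor1".
# A leading "/" is prepended so a bare "CN=..." subject also matches.
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's/.*[/, ]CN=\([^/,]*\).*/\1/p'
}

# Deny-list check for --tls-verify.
#   $1 = certificate depth, $2 = X509 subject, $3 = deny-list file (one CN per line)
# Returns 0 (allow) unless the leaf certificate's CN is listed; a leaf
# certificate without any CN is refused so a malformed subject cannot slip by.
tls_verify_denylist() {
    depth=$1; subject=$2; denylist=$3
    # Only depth 0 carries the client's own CN; CA certificates pass through.
    [ "$depth" -ne 0 ] && return 0
    cn=$(extract_cn "$subject")
    [ -n "$cn" ] || return 1
    # -F: fixed string, -x: whole line, so "vendor1" does not match "vendor10".
    if [ -f "$denylist" ] && grep -Fxq -- "$cn" "$denylist"; then
        return 1
    fi
    return 0
}

# --client-config-dir / --ccd-exclusive side, as described in the thread:
# the server only admits a client whose CN matches a file in the ccd directory,
# so access is toggled by creating or deleting that (possibly empty) file.
#   $1 = common name, $2 = ccd directory
ccd_enable()  { mkdir -p "$2" && : > "$2/$1"; }
ccd_disable() { rm -f "$2/$1"; }
ccd_allowed() { [ -f "$2/$1" ]; }

# Entry point when OpenVPN calls this file with its two arguments; when the
# file is sourced (e.g. for testing) nothing below runs.
if [ "$#" -eq 2 ]; then
    tls_verify_denylist "$1" "$2" "${OPENVPN_DENYLIST:-/etc/openvpn/denied-cns}"
    exit $?
fi
```

To wire the deny-list half in, point the server's --tls-verify at this file and append or delete a CN line in the deny-list file to block or re-admit one client while leaving everyone else untouched; the ccd functions cover the opposite policy, where --ccd-exclusive is on and only CNs with a file present may connect.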