[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Re: Temporarily disabling client certificates


  • Subject: Re: [Openvpn-users] Re: Temporarily disabling client certificates
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sat, 15 Jan 2005 15:28:08 -0700 (MST)

On Sat, 15 Jan 2005, Mathias Sundman wrote:

> On Sat, 15 Jan 2005, James Yonan wrote:
> 
> > On Fri, 14 Jan 2005, Charles Duffy wrote:
> >
> >> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> >>>> I'd use a tls-verify script to blacklist clients which have valid
> >>>> certificates but which aren't presently supposed to be able to connect.
> >>>
> >>> How about adding the vendor's cert to the revocation list, then removing
> >>> it when they call in to request access?
> >>
> >> In theory, if not practice, certificate revocation lists are
> >> append-only. "Removing it" is not a supported operation.
> >
> > Another possible way to do this:
> >
> > Use --client-config-dir and --ccd-exclusive on the server.  Now the server
> > will only accept connections if the common name of the connection matches
> > a (possibly empty) file in the --client-config-dir directory.  So you can
> > turn access on or off by simply creating and deleting this common name
> > file.  The one caveat here is that once you use --ccd-exclusive, it
> > applies to all clients which will be connecting.  If you only want to turn
> > on/off access to a single common name but allow all others, I think a
> > --tls-verify script is the way to go.
> 
> A pretty simple new feature that would solve this quite nicely would be if 
> there was a directive one could put in a CCD file that would deny that 
> user access.
> 
> That way you could have a normal setup running, and when you temporarly 
> want to block a user, you just create ccd file and add this directive for 
> that user.

That's a good idea, and it's quite trivial to code.

James


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users