On Sat, 15 Jan 2005, Mathias Sundman wrote:

> On Sat, 15 Jan 2005, James Yonan wrote:
>
> > On Fri, 14 Jan 2005, Charles Duffy wrote:
> >
> >> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> >>>> I'd use a tls-verify script to blacklist clients which have valid
> >>>> certificates but which aren't presently supposed to be able to connect.
> >>>
> >>> How about adding the vendor's cert to the revocation list, then removing
> >>> it when they call in to request access?
> >>
> >> In theory, if not practice, certificate revocation lists are
> >> append-only. "Removing it" is not a supported operation.
> >
> > Another possible way to do this:
> >
> > Use --client-config-dir and --ccd-exclusive on the server. Now the server
> > will only accept connections if the common name of the connection matches
> > a (possibly empty) file in the --client-config-dir directory. So you can
> > turn access on or off by simply creating and deleting this common name
> > file. The one caveat here is that once you use --ccd-exclusive, it
> > applies to all clients which will be connecting. If you only want to turn
> > on/off access to a single common name but allow all others, I think a
> > --tls-verify script is the way to go.
>
> A pretty simple new feature that would solve this quite nicely would be if
> there was a directive one could put in a CCD file that would deny that
> user access.
>
> That way you could have a normal setup running, and when you temporarily
> want to block a user, you just create a ccd file and add this directive for
> that user.

That's a good idea, and it's quite trivial to code.

James
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
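The --tls-verify route that Ed and James mention (block one common name while every other valid certificate keeps working) looks roughly like the script below. This is an added illustration, not code from the thread or from the OpenVPN project. OpenVPN runs a --tls-verify script with two arguments, the certificate depth and the X.509 subject string, and treats exit status 0 as accept and anything else as reject; the blocklist file path, the BLOCKLIST environment override and the one-CN-per-line file format are assumptions made for this example. Subject strings have appeared in both the legacy "/C=SE/CN=alice" form and the "C=SE, CN=alice" form, so the CN extraction accepts either.

```shell
#!/bin/sh
# Example OpenVPN --tls-verify script (added illustration, not the project's own code).
# Invoked by OpenVPN as:   script <depth> <x509_subject>
# Exit 0 to accept the certificate at this depth, non-zero to reject the handshake.
#
# Assumption: a plain-text blocklist, one common name per line.
# The default path is hypothetical; override it with the BLOCKLIST environment variable.
BLOCKLIST="${BLOCKLIST:-/etc/openvpn/blocked-cns.txt}"

# extract_cn SUBJECT
# Prints the CN component of a subject string. A leading "/" is prepended so that
# a CN at the very start of the string is still preceded by a delimiter; the greedy
# match then picks out the CN whether components are separated by "/" or ", ".
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's/.*[/,] *CN=\([^/,]*\).*/\1/p'
}

# check_client DEPTH SUBJECT
# Depth 0 is the client's own certificate; CA certificates higher in the chain
# (depth >= 1) are accepted here unchanged so the chain can still be validated.
# Returns 0 to accept, 1 to reject.
check_client() {
    depth="$1"
    subject="$2"

    if [ "$depth" != "0" ]; then
        return 0
    fi

    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject', rejecting" >&2
        return 1
    fi

    # -F: literal match, -x: whole line, -q: quiet; "--" guards CNs starting with "-".
    if [ -r "$BLOCKLIST" ] && grep -Fxq -- "$cn" "$BLOCKLIST"; then
        echo "tls-verify: common name '$cn' is currently blocked" >&2
        return 1
    fi

    return 0
}

# OpenVPN always supplies two arguments. With none, the functions above are merely
# defined, which makes the file safe to source for testing.
if [ "$#" -ge 2 ]; then
    check_client "$1" "$2"
    exit $?
fi
```

Point the server at it with `tls-verify /path/to/this-script.sh` and add or remove a line in the blocklist to toggle a single vendor's access; unlike --ccd-exclusive, no other client's configuration changes. Keep the blocklist root-owned and world-unwritable, since anyone who can edit it controls who the server accepts.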