Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: Jon Bendtsen <jon.bendtsen@xxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 13:37:06 +0100

On 3 Dec 2004, at 13:23, Jean-Pierre Schwickerath wrote:

> Storing a passphrase in a file, especially for roadwarriors is
> tantamount to writing it on a sticky note. It defeats the whole point
> of their being a knowledge aspect to the authentication. Locking a
> door with two keys instead of one isn't much use if both keys are on
> the same ring.
>
> Every decent program storing certificates should allow the user to
> decrypt his/her certificate with the password supplied by the CA and
> then reencrypt it with a passphrase chosen by the user.

And openssl does this. However, due to a bug, which I tried to report,
this might result in a 0-byte file. The problem is that if a user does
not type the same password twice, the file is destroyed, probably because
once you type in the old password, and it matches, then openssl deletes
the content of the file, and only writes it again if it matches.
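The re-encryption step above, with the failure mode Jon describes designed out: this is an added example, not code from the thread or from the OpenVPN or OpenSSL projects. It assumes a PEM-encoded private key (the key that belongs to the certificate) and the `openssl pkey` subcommand of OpenSSL 1.1 or later. The new file is written beside the original, checked for being non-empty and decryptable with the new passphrase, and only then moved into place, so a mistyped passphrase can never leave a 0-byte key behind. Passphrases are taken as function arguments purely for demonstration.

```shell
#!/bin/sh
# rekey_pem KEYFILE OLD_PASSPHRASE NEW_PASSPHRASE
# Re-encrypts a PEM private key under a new passphrase. The original file is
# never opened for writing: output goes to a sibling temporary file that is
# verified before it replaces the original, so a failed run leaves the old
# key intact instead of truncating it.
rekey_pem() {
    in="$1"; oldpw="$2"; newpw="$3"
    tmp="$in.new.$$"

    # Decrypt with the old passphrase and re-encrypt with the new one (AES-256)
    # into the temporary file. A wrong old passphrase fails here.
    if ! openssl pkey -in "$in" -passin "pass:$oldpw" \
            -aes256 -passout "pass:$newpw" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Refuse to replace the original with an empty or unparsable result.
    if [ ! -s "$tmp" ] || ! key_unlocks_with "$tmp" "$newpw"; then
        rm -f "$tmp"
        return 1
    fi

    # rename(2) is atomic on the same filesystem: the key file is either the
    # old encrypted key or the new one, never a half-written file.
    mv -f "$tmp" "$in"
}

# key_unlocks_with KEYFILE PASSPHRASE
# Returns 0 if the passphrase decrypts the key, 1 otherwise. Used both as the
# post-write check above and as a way to confirm a rotation worked.
key_unlocks_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Stand-alone use: rekey_pem.sh client.key 'ca-supplied-pass' 'your-own-pass'
if [ $# -eq 3 ]; then
    rekey_pem "$@"
fi
```

The `pass:` form is convenient for a demonstration but exposes the passphrase in process listings; for interactive use, leave out `-passin`/`-passout` so `openssl pkey` prompts, or feed the passphrases through `-passin stdin` or a file descriptor. The verification step is the important part: it is what turns "the file is destroyed" into "the command reports failure and nothing changes".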
