Re: [Openvpn-users] 2.0 Feature Freeze Discussion

  • Subject: Re: [Openvpn-users] 2.0 Feature Freeze Discussion
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Fri, 3 Dec 2004 08:32:18 -0500

On Fri, 3 Dec 2004 14:08:44 +0100, Jean-Pierre Schwickerath
<lists@xxxxxxxxxxxx> wrote:
> >
> > Maybe I didn't word that clearly enough, but last I tried it, which
> > was a version or two back now, one server instance would support one
> > at a time of: TLS, or username/pass, or TLS+username/pass.  It
> > wouldn't do combinations of TLS and username/pass as alternatives.
> Oh, I understand...
> Indeed, you're right. There is no way to make openvpn fall back on
> username/password if the authentication with the client certificate
> fails.

Ouch.  So if the certificate fails then the user can just use an
easily obtained ID and password combination?  Security controls should
be in serial not parallel.  In parallel the weakest link allows the
other secure links to be bypassed.  I would argue against this as it
breaks security best practices.

*Not* what I want with a VPN solution.

Leonard Isham, CISSP
Ostendo non ostento
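An added illustration, not part of this thread or of OpenVPN's own documentation: an OpenVPN 2.0 server configuration that chains the two controls in serial, so a client must hold a certificate signed by the server's CA and also pass the username/password check, with a failure of either one rejecting the connection. File names and the verification script are assumptions.

```conf
# Added example (hypothetical paths): two authentication controls in serial.
port 1194
proto udp
dev tun

# Control 1: the client must present a certificate signed by ca.crt.
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem

# Extra HMAC on the control channel; handshake packets without a valid
# signature are dropped before any certificate or password is examined.
tls-auth ta.key 0

# Control 2: after the TLS handshake succeeds, the username and password
# sent by the client are passed to this script; a non-zero exit status
# rejects the session even though the certificate was valid.
auth-user-pass-verify /etc/openvpn/check-user.sh via-env

# Do NOT add the option below: it disables the certificate check, which
# leaves the password script as the only control instead of one of two.
# client-cert-not-required
```

With this layout there is no fallback path: a failed certificate check ends the handshake, and the password check is only ever reached by clients that already passed it.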

