Re: [Openvpn-users] auth-user-pass-verify security problem?

  • Subject: Re: [Openvpn-users] auth-user-pass-verify security problem?
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Mon, 13 Dec 2004 15:34:39 -0700 (MST)

On Mon, 13 Dec 2004, Didier Conchaudron wrote:

> Hi all,
> I was wondering why the directive auth-user-pass-verify is executed when 
> the peer connection is still untrusted? (like it's written in the man page)

That's not completely true.  The auth-user-pass-verify script is only
executed on the username/password of an untrusted peer if you are not
using certificate verification as well, i.e. if you have the
--client-cert-not-required flag set.

If you are using double authentication, i.e. certificates AND 
--auth-user-pass-verify, then the certificate verification and optional 
--tls-verify script will be run before the --auth-user-pass-verify script.

So when using certificates, you can be assured that the certificate
verification has succeeded before the --auth-user-pass-verify script
and/or plugin is run.
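
The two server setups contrasted in the reply above, as an added example that is not part of the original message or of the OpenVPN documentation. File names and script paths are hypothetical placeholders; the directives are the ones named in the thread plus the usual `ca`/`cert`/`key`/`dh` server options.

```conf
# ---------------------------------------------------------------
# Variant A (hypothetical file: server-password-only.conf)
# No client certificate is required, so the first thing the server
# learns about the peer is the username/password it sends. The
# verify script therefore runs on input from an untrusted peer and
# must treat both fields as hostile data.
# ---------------------------------------------------------------
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check-login.sh via-file

# ---------------------------------------------------------------
# Variant B (hypothetical file: server-double-auth.conf)
# Client certificates are required (no client-cert-not-required).
# Order of checks for each connecting client:
#   1. certificate verification against the CA in "ca"
#   2. the optional tls-verify script
#   3. the auth-user-pass-verify script
# The login script is only reached by peers that already hold a
# certificate signed by this CA.
# ---------------------------------------------------------------
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
tls-verify /etc/openvpn/check-cert.sh
auth-user-pass-verify /etc/openvpn/check-login.sh via-file
```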

