[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] auth-user-pass-verify security problem?

  • Subject: Re: [Openvpn-users] auth-user-pass-verify security problem?
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Tue, 14 Dec 2004 10:00:51 +0100

James Yonan wrote:
On Mon, 13 Dec 2004, Didier Conchaudron wrote:

Hi all,

I was wondering why the directive auth-user-pass-verify is executed when the peer connection is still untrusted? (like it's written in the man page)

That's not completely true. The auth-user-pass-verify script is only executed on the username/password of an untrusted peer if you are not using certificate verification as well, i.e. if you have the --client-cert-not-required flag set.

If you are using double authentication, i.e. certificates AND --auth-user-pass-verify, then the certificate verification and optional --tls-verify script will be run before the --auth-user-pass-verify script.

So when using certificates, you can be assured that the certificate
verification has succeeded before the --auth-user-pass-verify script
and/or plugin is run.


mmm, that's completely clear now, thanks James.


Openvpn-users mailing list