
Re: [Openvpn-users] Disable time-checking of certificates


  • Subject: Re: [Openvpn-users] Disable time-checking of certificates
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 14:01:23 +1300

Mathias Sundman wrote:

> However, I ran into problems because the hardware clock in one of the machines was malfunctioning, so the time was reset each time the machine was rebooted.
>
> This caused the openvpn connection to fail because the issued certificates were not yet valid.


Just configure NTP and be done with it. Make sure that NTP starts before OpenVPN and you'll be set.


[I'm assuming these are Unix boxes. If they were Windows, you'd have even more reason to have clocks in sync - Kerberos in Active Directory is *extremely* unhappy with out-of-whack clocks...]

If you can't do this for some reason - don't use certs. Part of the extra security associated with certificates is the extra formality of constraints they work under - trying to disable those constraints (like checking times) is reducing the security of certificates in an unsupported manner - you might even end up with something less secure than you thought (e.g. it might open OpenVPN up to replay attacks).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
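
An added example, not part of the original message and not OpenVPN code: a pre-start check that keeps certificate time validation on and instead waits until the system clock falls inside the certificate's validity window (for instance after NTP has stepped it) before OpenVPN is launched. It assumes the `openssl` CLI is on the PATH; the function names, timeout values and the certificate path argument are hypothetical.

```python
#!/usr/bin/env python3
"""Pre-start check: is the system clock inside the certificate's validity window?"""
import ssl
import subprocess
import sys
import time


def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509` into epoch seconds."""
    fields = dict(line.split("=", 1) for line in openssl_output.splitlines() if "=" in line)
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def cert_window(cert_path):
    """Read (not_before, not_after) from a PEM certificate via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-startdate", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True).stdout
    return parse_dates(out)


def clock_state(not_before, not_after, now):
    """Classify the local clock against the certificate validity window."""
    if now < not_before:
        return "clock-behind"            # "certificate not yet valid": typical of a reset RTC
    if now > not_after:
        return "expired-or-clock-ahead"  # waiting will not help; renew cert or fix the clock
    return "ok"


def wait_for_sane_clock(window, timeout=120, interval=5, clock=time.time, sleep=time.sleep):
    """Poll until the clock is no longer behind the window, or give up after `timeout` seconds."""
    polls = timeout // interval
    for attempt in range(polls + 1):
        state = clock_state(window[0], window[1], clock())
        if state != "clock-behind" or attempt == polls:
            return state
        sleep(interval)


if __name__ == "__main__":
    # Usage (hypothetical path): check_clock.py /etc/openvpn/client.crt && start OpenVPN
    result = wait_for_sane_clock(cert_window(sys.argv[1]))
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

A non-zero exit means OpenVPN should not be started yet: the clock is still wrong or the certificate has genuinely expired.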


