Re: [Openvpn-users] Re: Temporarily disabling client certificates

  • Subject: Re: [Openvpn-users] Re: Temporarily disabling client certificates
  • From: Ed Ravin <eravin@xxxxxxxxx>
  • Date: Fri, 14 Jan 2005 23:54:51 -0500

On Fri, Jan 14, 2005 at 10:35:47PM -0600, Charles Duffy wrote:
> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> > > I'd use a tls-verify script to blacklist clients which have valid
> > > certificates but which aren't presently supposed to be able to connect.
> > 
> > How about adding the vendor's cert to the revocation list, then removing
> > it when they call in to request access?
> In theory, if not practice, certificate revocation lists are
> append-only. "Removing it" is not a supported operation.

I admit that I haven't worked with CRLs before, but isn't the CRL
in the same format, say, as a root cert file for a web server,
containing multiple certificates and optional comments between them?
Why couldn't you edit that?  Will the X.509 police bust your door
down or something?

Since he's only making this change at the server, can't he just
add the "--crl-verify FILE" option and remove it when needed, or
replace FILE with a different file and restart openvpn?  That seems
easier to me than writing a special-purpose script.
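For comparison with the CRL approach, here is the other option mentioned in the thread, a tls-verify script that refuses clients whose certificate is still valid but whose Common Name has been put on a local deny list. This is an added example, not code from anyone on the list: OpenVPN's documented convention of calling the script with two arguments (certificate depth, X.509 subject) and treating exit status 0 as "accept" is real, while the deny-list file path `/etc/openvpn/denied-cns` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --tls-verify script that rejects
# clients whose CN is listed in a local deny-list file. OpenVPN invokes the
# script as "script DEPTH SUBJECT" and accepts the certificate only when the
# script exits 0. The deny-list path below is an assumed location.

DENYLIST="${DENYLIST:-/etc/openvpn/denied-cns}"   # assumed: one CN per line, '#' comments allowed

# Extract the CN from a subject such as "/C=US/O=Example/CN=vendor1" or
# "C=US, O=Example, CN=vendor1" (both OpenVPN subject formats are handled).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p'
}

# Decide one verification callback: return 0 to accept, 1 to reject.
#   $1 = certificate depth, $2 = X.509 subject, $3 = deny-list file
check_subject() {
    depth=$1; subject=$2; list=$3
    # Only the leaf certificate (depth 0) names the client; CA certificates
    # higher up the chain are not subject to the deny list.
    [ "$depth" -eq 0 ] || return 0
    cn=$(subject_cn "$subject")
    [ -n "$cn" ] || return 1           # no CN at all: refuse rather than guess
    [ -r "$list" ] || return 0         # no deny list present: nothing is blocked
    # Exact whole-line match; comment lines and blank lines never match.
    if grep -v '^[[:space:]]*#' "$list" | grep -Fxq -- "$cn"; then
        return 1
    fi
    return 0
}

# When OpenVPN runs this script it passes exactly two arguments; running the
# file with no arguments (for instance to source the functions) does nothing.
if [ $# -eq 2 ]; then
    if check_subject "$1" "$2" "$DENYLIST"; then
        exit 0
    else
        echo "tls-verify: refusing client CN=$(subject_cn "$2") (on deny list)" >&2
        exit 1
    fi
fi
```

Installed with `tls-verify /etc/openvpn/deny-cn.sh` in the server config (current OpenVPN releases also need `script-security 2` to run external scripts), a vendor is cut off by adding one line to the deny-list file and readmitted by deleting it, with no edit to the CRL and no restart of the daemon. Since the script only ever returns accept or reject, the logging line on stderr is the place to watch for repeated refusals of a blocked CN.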
