
Re: [Openvpn-users] Re: Temporarily disabling client certificates

  • Subject: Re: [Openvpn-users] Re: Temporarily disabling client certificates
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sat, 15 Jan 2005 00:39:47 -0700 (MST)

On Fri, 14 Jan 2005, Charles Duffy wrote:

> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> > > I'd use a tls-verify script to blacklist clients which have valid
> > > certificates but which aren't presently supposed to be able to connect.
> > 
> > How about adding the vendor's cert to the revocation list, then removing
> > it when they call in to request access?
> In theory, if not practice, certificate revocation lists are
> append-only. "Removing it" is not a supported operation.

Another possible way to do this:

Use --client-config-dir and --ccd-exclusive on the server.  Now the server
will only accept connections if the common name of the connection matches
a (possibly empty) file in the --client-config-dir directory.  So you can
turn access on or off by simply creating and deleting this common name
file.  The one caveat here is that once you use --ccd-exclusive, it
applies to all clients which will be connecting.  If you only want to turn
on/off access to a single common name but allow all others, I think a
--tls-verify script is the way to go.
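As an added example (not part of this thread and not OpenVPN project code), here is the kind of --tls-verify script James points to for the single-common-name case: it refuses a handshake when the client certificate's CN appears in a deny-list file and accepts every other holder of a valid certificate, so a vendor's access is toggled by editing one line instead of touching the CRL. The deny-list path and its environment override are assumptions.

```shell
#!/bin/sh
# Added example: an OpenVPN --tls-verify hook that rejects clients whose common
# name is listed in a deny-list file, while all other valid certificates pass.
# OpenVPN runs the hook once per certificate in the chain as:
#     script <depth> <x509_subject>
# Exit status 0 lets the handshake continue; anything else aborts it.
# Server side:  tls-verify /etc/openvpn/deny-cn.sh        (path assumed)
# Deny list: one common name per line, '#' lines are comments (path assumed).
DENYLIST="${TLS_VERIFY_DENYLIST:-/etc/openvpn/denied-cns}"

# Extract the CN from a subject in either the "/C=US/O=Example/CN=vendor1" or
# the "C=US, O=Example, CN=vendor1" layout. Prints nothing if there is no CN.
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's#.*[/, ]CN=\([^/,]*\).*#\1#p'
}

# Exact whole-line match against the deny list, ignoring comment lines.
is_denied() {
    [ -r "$DENYLIST" ] || return 1
    grep -v '^#' -- "$DENYLIST" | grep -qxF -- "$1"
}

# verify <depth> <subject>: returns 0 to accept, 1 to reject.
verify() {
    depth="$1"
    subject="$2"
    # Only depth 0 is the client's own certificate; CA certificates pass through.
    [ "$depth" -eq 0 ] || return 0
    cn=$(extract_cn "$subject")
    # A client certificate without a CN cannot be matched, so refuse it.
    [ -n "$cn" ] || return 1
    if is_denied "$cn"; then
        return 1
    fi
    return 0
}

# Called by OpenVPN with exactly two arguments.
if [ "$#" -eq 2 ]; then
    verify "$1" "$2"
    exit $?
fi

# Run with no arguments: demonstrate against a constructed deny list.
if [ "$#" -eq 0 ]; then
    DENYLIST=$(mktemp); printf 'vendor1\n' > "$DENYLIST"
    for s in '/C=US/O=Example/CN=vendor1' '/C=US/O=Example/CN=alice'; do
        if verify 0 "$s"; then echo "accept $s"; else echo "reject $s"; fi
    done
    rm -f "$DENYLIST"
fi
```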
