Re: [Openvpn-users] Disable time-checking of certificates


  • Subject: Re: [Openvpn-users] Disable time-checking of certificates
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 08:15:28 +0100 (CET)

On Sat, 15 Jan 2005, Jason Haar wrote:

> Mathias Sundman wrote:
>
>> However, I ran into problems because the hardware clock in one of the machines was malfunctioning, so the time was reset each time the machine was rebooted.
>>
>> This caused the OpenVPN connection to fail because the issued certificates were not yet valid.
>
> Just configure NTP and be done with it. Make sure that NTP starts before OpenVPN and you'll be set.

It might have been a way to go; however, one of the boxes was supposed to be installed behind a customer's firewall, where I couldn't be sure services like NTP would be available.

> [I'm assuming these are Unix boxes. If they were Windows, you'd have even more reason to have clocks in sync - Kerberos in Active Directory is *extremely* unhappy with out-of-whack clocks...]

Linux only.

> If you can't do this for some reason - don't use certs. Part of the extra security associated with certificates is the extra formality of constraints they work under - trying to disable those constraints (like checking times) is reducing the security of certificates in an unsupported manner - you might even end up with something less secure than you thought (e.g. it might open OpenVPN up to replay attacks)

Do you really mean that static keys would be more secure, without PFS, than TLS without checking the start and expiry dates on the certificate?

As it was a pure point-to-point link, I have no huge number of certs issued that I can lose control over, such that they need to expire. If the box is compromised, the cert is revoked. I'd probably even set up a whole new CA if that were to happen.

I don't know about opening up OpenVPN to replay attacks. I doubt it will be a result of not time-checking the certificate, but it might result from the non-synced clocks in the first place, so maybe this is the reason why I have to use machines with working clocks, or NTP.

Can someone confirm that non-synced clocks will give this kind of problem? Once the machine is booted up, the system clock works fine, so time will not drift more than normal once the tunnel is established. The time is just very unsynced.

/Mathias


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users