On Sat, 15 Jan 2005, James Yonan wrote:
> On Fri, 14 Jan 2005, Charles Duffy wrote:
> > On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
> > > I'd use a tls-verify script to blacklist clients which have valid
> > > certificates but which aren't presently supposed to be able to connect.
> > How about adding the vendor's cert to the revocation list, then removing
> > it when they call in to request access?
> In theory, if not practice, certificate revocation lists are
> append-only. "Removing it" is not a supported operation.
> Another possible way to do this:
> Use --client-config-dir and --ccd-exclusive on the server. Now the server
> will only accept connections if the common name of the connection matches
> a (possibly empty) file in the --client-config-dir directory. So you can
> turn access on or off by simply creating and deleting this common name
> file. The one caveat here is that once you use --ccd-exclusive, it
> applies to all clients which will be connecting. If you only want to turn
> on/off access to a single common name but allow all others, I think a
> --tls-verify script is the way to go.
A pretty simple new feature that would solve this quite nicely would be if
there was a directive one could put in a CCD file that would deny that
That way you could have a normal setup running, and when you temporarily
want to block a user, you just create ccd file and add this directive for
Mathias Sundman
OpenVPN GUI for Windows
http://www.nilings.se/openvpn

(^) ASCII Ribbon Campaign
 X  NO HTML/RTF in e-mail
/ \ NO Word docs in e-mail
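The --tls-verify approach Ed and James describe, worked out for the single-client case Mathias wants (block one common name, leave everyone else alone): this is an added example, not a script from the thread or from OpenVPN itself, and the /etc/openvpn/blocked directory and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --tls-verify hook that blocks
# individual clients by common name while letting everyone else connect.
# Assumed layout: the server config has "tls-verify /etc/openvpn/tls-verify.sh"
# and an administrator blocks a client by creating /etc/openvpn/blocked/<CN>
# (an empty file is enough); deleting the file re-enables the client.
# OpenVPN invokes the script as: script <cert depth> <X.509 subject>

BLOCKDIR="${BLOCKDIR:-/etc/openvpn/blocked}"

# Extract the CN from a subject in either "/C=../CN=name/..." (OpenVPN 2.0)
# or "C=.., CN=name, ..." form; prints nothing when no CN is present.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p'
}

# tls_verify_check <depth> <subject> <blockdir>: returns 0 to accept the
# certificate, 1 to reject it.  Only the leaf certificate (depth 0) is
# checked against the block directory; CA certificates in the chain pass.
tls_verify_check() {
    depth="$1"; subject="$2"; blockdir="$3"
    [ "$depth" -eq 0 ] || return 0
    cn=$(extract_cn "$subject")
    # Fail closed on an empty CN and refuse names that would escape blockdir
    # (sed above already stops at '/', so a CN cannot contain a path separator).
    case "$cn" in
        ''|.|..) return 1 ;;
    esac
    if [ -e "$blockdir/$cn" ]; then
        echo "tls-verify: common name '$cn' is blocked" >&2
        return 1
    fi
    return 0
}

# When OpenVPN calls the script with its two arguments, run the check and
# pass the verdict back as the exit status (non-zero drops the connection).
if [ "$#" -eq 2 ]; then
    tls_verify_check "$1" "$2" "$BLOCKDIR"
    exit $?
fi
```

Because the decision is made per common name at TLS handshake time, a client whose block file appears while it is already connected stays up until its next renegotiation or reconnect; the server log line printed on rejection is what to alert on.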