
Re: [Openvpn-users] Re: Temporarily disabling client certificates

  • Subject: Re: [Openvpn-users] Re: Temporarily disabling client certificates
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 09:33:53 +0100 (CET)

On Sat, 15 Jan 2005, James Yonan wrote:

On Fri, 14 Jan 2005, Charles Duffy wrote:

On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
I'd use a tls-verify script to blacklist clients which have valid
certificates but which aren't presently supposed to be able to connect.

How about adding the vendor's cert to the revocation list, then removing it when they call in to request access?

In theory, if not practice, certificate revocation lists are append-only. "Removing it" is not a supported operation.

Another possible way to do this:

Use --client-config-dir and --ccd-exclusive on the server.  Now the server
will only accept connections if the common name of the connection matches
a (possibly empty) file in the --client-config-dir directory.  So you can
turn access on or off by simply creating and deleting this common name
file.  The one caveat here is that once you use --ccd-exclusive, it
applies to all clients which will be connecting.  If you only want to turn
on/off access to a single common name but allow all others, I think a
--tls-verify script is the way to go.

A pretty simple new feature that would solve this quite nicely would be if there was a directive one could put in a CCD file that would deny that user access.

That way you could have a normal setup running, and when you temporarily want to block a user, you just create a ccd file and add this directive for that user.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
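The --tls-verify approach mentioned in the thread, written out as an added example (not code from the list or from the OpenVPN project): a script that rejects a client whose certificate is still valid but whose common name appears in a deny-list file, so access is switched off and on by editing that file rather than the CRL. The deny-list path /etc/openvpn/denied-cns is an assumption; OpenVPN's tls-verify interface (depth and subject as the two trailing arguments, non-zero exit to reject) is real.

```sh
#!/bin/sh
# tls-verify hook: reject clients whose certificate is valid but whose common
# name (CN) is listed in a deny-list file, so access can be switched off and
# on again by editing that file instead of touching the CRL.
# OpenVPN runs the script once per certificate in the chain with:
#   $1 = depth (0 = the client certificate itself, 1+ = issuing CAs)
#   $2 = X.509 subject of that certificate
# Exit status 0 accepts, non-zero aborts the TLS handshake.

# Assumed location of the deny list: one CN per line, '#' starts a comment.
DENY_LIST="${DENY_LIST:-/etc/openvpn/denied-cns}"

# Print the CN from a subject string. Both subject formats OpenVPN has used
# are handled: "C=SE, O=Example, CN=vendor1" and "/C=SE/O=Example/CN=vendor1".
cn_from_subject() {
    printf ',%s\n' "$1" | sed -n 's/.*[,/ ]CN=\([^,/]*\).*/\1/p'
}

# Succeed (status 0) if the CN appears in the deny list, fail otherwise.
cn_is_denied() {
    cn="$1"; list="$2"
    [ -r "$list" ] || return 1   # no list present: nobody is denied
    # Drop comments and surrounding whitespace, then require an exact match.
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' "$list" \
        | grep -Fxq -- "$cn"
}

# Decide one tls-verify invocation: depth, subject, optional deny-list path.
# Only the client certificate (depth 0) is checked; CAs pass through.
verify() {
    depth="$1"; subject="$2"; list="${3:-$DENY_LIST}"
    [ "$depth" -eq 0 ] || return 0
    cn=$(cn_from_subject "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject', rejecting" >&2
        return 1
    fi
    if cn_is_denied "$cn" "$list"; then
        echo "tls-verify: CN '$cn' is on the deny list, rejecting" >&2
        return 1
    fi
    return 0
}

# When OpenVPN invokes the script (exactly two arguments), run the check.
if [ "$#" -eq 2 ]; then
    verify "$1" "$2"
    exit $?
fi
```

Hook it in with `tls-verify /path/to/this-script.sh` in the server config (plus `script-security 2` on OpenVPN 2.1 or later); unlike --ccd-exclusive this only affects the names in the file, and every other valid certificate keeps connecting as before.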