
Re: [Openvpn-users] Disable time-checking of certificates


  • Subject: Re: [Openvpn-users] Disable time-checking of certificates
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 23:32:29 +1300

Mathias Sundman wrote:

>> Just configure NTP and be done with it. Make sure that NTP starts before OpenVPN and you'll be set.
>
> It might have been a way to go, however, one of the boxes was supposed to be installed behind a customer's firewall, where I couldn't be sure services like NTP would be available.

...but you can be sure OpenVPN ports are open??? If they have opened up OpenVPN, then they can open up NTP.

I don't want to sound preachy - but you have a heinously "trivial" problem (as in: wanting a clock to be correct within 24 hours!?!?), a famously standard answer (NTP), and can't get it to happen.

> Do you really mean that static keys would be more secure, without PFS, than TLS without checking the start and expire date on the certificate?


No - I mean you are wanting to BREAK a PKI feature in order to get around local circumstances. As such, I don't know if the security model of PKI can be said to hold any more. There is obviously an assumption in certificate key exchanges that involves timestamps. Disabling that may have serious repercussions (I don't know, I'm just saying "may").

It seems to me you are bending over too far backwards to try to fix this problem. I don't think that is the "problem" to fix :-)

What about getting a nearby machine to run NTP, and get this broken machine to point at that? We don't allow NTP access from our entire LAN to the Internet - just a few hosts. But all the rest of the LAN points at those few local hosts...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
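The split Jason describes at the end of his message (a few hosts allowed out to Internet NTP, everything else on the LAN syncing to those), written out as ntpd configuration. This is an added example, not anything posted in the thread or shipped with OpenVPN or ntpd; the upstream server names, the 192.0.2.0/24 network and the relay addresses are placeholders.

```conf
# --- /etc/ntp.conf on one of the few LAN hosts allowed out to Internet NTP ---
# Upstream servers (placeholders: substitute whatever your firewall policy permits).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

# Default policy for everyone else: answer time requests only.
# nomodify/notrap: no runtime reconfiguration or trap service,
# nopeer: do not accept unsolicited symmetric peers, noquery: no ntpq/ntpdc
# status queries, kod: send kiss-of-death packets to abusive clients.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# The LAN (placeholder 192.0.2.0/24) may also run ntpq against this relay,
# which is handy when debugging a client that will not sync.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap

# --- /etc/ntp.conf on every other LAN host, including the OpenVPN box ---
# Placeholder relay addresses; two of them so one outage does not stall sync.
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
```

Only the relay hosts need UDP/123 opened outbound on the firewall; the OpenVPN box never talks to the Internet for time at all, which is the situation Mathias was worried about.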

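Jason's "make sure that NTP starts before OpenVPN" can be taken one step further: do not start OpenVPN until ntpd actually reports that it has selected a peer, so the TLS handshake never sees a clock that makes a certificate look expired or not yet valid. The following POSIX sh gate is an added example, not code from the thread or from the OpenVPN or ntpd projects. It assumes the reference ntpd and its `ntpq` tool; the OpenVPN config path, the script name and the addresses in the sample output are placeholders, and the two `SAMPLE_*` strings are constructed `ntpq -pn` output for exercising the parser without a running daemon.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's or ntpd's own code):
# a start-up gate that only launches OpenVPN once ntpd reports that it has
# selected a system peer. Assumes the reference ntpd with its ntpq tool.
# The OpenVPN config path and the IP addresses below are placeholders.

# ntpq -pn prints two header lines and then one line per configured peer.
# Column 1 is a "tally code": '*' marks the peer the daemon is actually
# synchronised to, '+' a usable candidate, ' ' a peer it has rejected or not
# yet reached. ntp_synced reads that output on stdin and returns 0 (true)
# only if some peer carries the '*' tally.
ntp_synced() {
    awk 'NR > 2 && substr($0, 1, 1) == "*" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# wait_for_ntp polls ntpq up to $1 times, sleeping $2 seconds between tries.
wait_for_ntp() {
    tries=$1
    delay=$2
    while [ "$tries" -gt 0 ]; do
        if ntpq -pn 2>/dev/null | ntp_synced; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 1
}

# Constructed ntpq -pn output, for exercising ntp_synced without a daemon.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   12   64  377    0.412   -0.031   0.008
+192.0.2.11      192.0.2.10       2 u   20   64  377    0.533    0.112   0.021'

# Same layout a few seconds after boot: reach is 0, nothing selected yet.
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

main() {
    # Up to a minute (30 tries x 2 s) for the clock to be trusted; if ntpd
    # never converges, refuse to start rather than let the TLS handshake fail
    # on a certificate that looks not-yet-valid or expired.
    if wait_for_ntp 30 2; then
        exec openvpn --config /etc/openvpn/client.conf   # placeholder path
    fi
    echo "ntpd has not synchronised; not starting OpenVPN" >&2
    exit 1
}

# Run the gate only when invoked as a script under this name; when sourced
# (for example to test ntp_synced against the samples) do nothing.
case "${0##*/}" in
    ntp-gate.sh) main ;;
esac
```

Install it as `ntp-gate.sh` and call it from whatever starts OpenVPN at boot; the 30 x 2 s budget is generous because `iburst` normally gets ntpd to a selected peer within a few seconds of the network coming up, and a box that still has no peer after a minute has a real problem worth failing loudly on.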

