Re: [Openvpn-users] Disable time-checking of certificates


  • Subject: Re: [Openvpn-users] Disable time-checking of certificates
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 14:14:25 +0100 (CET)

On Sat, 15 Jan 2005, Jason Haar wrote:

Mathias Sundman wrote:


Just configure NTP and be done with it. Make sure that NTP starts before OpenVPN and you'll be set.


It might have been a way to go, however, one of the boxes was supposed to be installed behind a customer's firewall, where I couldn't be sure services like NTP would be available.


...but you can be sure OpenVPN ports are open??? If they have opened up OpenVPN, then they can open up NTP.


I don't want to sound preachy - but you have a heinously "trivial" problem (as in: wanting a clock to be correct within 24 hours!?!?), a famously standard answer (NTP), and can't get it to happen.

You are right, it's a trivial problem, and this time I solved it trivially by replacing the machine :-)


In this case their firewall only allowed a few given ports for outgoing traffic and they were not able to change the ruleset, so I'm running OpenVPN over TCP/443. I also currently don't have any NTP client in my firewalls, but I could of course add one if I find this to be the solution. I just don't like the idea of having to trust having an NTP server available just to be able to start the VPN.

Do you really mean that static keys would be more secure, without PFS, than TLS without checking the start and expire date on the certificate?

No - I mean you are wanting to BREAK a PKI feature in order to get around local circumstances. As such, I don't know if the security model of PKI can be said to hold any more. There is obviously an assumption in certificate key exchanges that involves timestamps. Disabling that may have serious repercussions (I don't know, I'm just saying "may").

It seems to me you are bending over too far backwards to try to fix this problem. I don't think that is the "problem" to fix :-)

Let's look at it from the other side. What I wanted was a simple point-to-point link that should be up ALWAYS. Pre-shared keys are perfect for this as OpenVPN is dumb enough to just send the packets without concerning itself about what time it is!


But, then I wanted to take advantage of the re-keying and PFS features of TLS, but I still wanted it to be nearly as dumb as with pre-shared keys.

I can't see why removing the validity time check would have any other security impact than that the certificate is valid forever, which is just what I want (in this particular case).

I'm not interested in a full blown PKI in this case. Look at it like I want to increase the security of a shared key setup instead.


What about getting a nearby machine to run NTP, and get this broken machine to point at that? We don't allow NTP access from our entire LAN to the Internet - just a few hosts. But all the rest of the LAN points at those few local hosts...

Exactly my point. Many sites don't allow NTP access through the internet. The boxes I make (for this usage) should be seen as dumb routers, so I just don't want them to depend on any other services on the network.


/Mathias
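To make concrete what the thread is arguing about, here is an added example (not OpenVPN's or OpenSSL's code, and not posted by either participant) of the certificate validity-window check a TLS library performs during the handshake, and what it means to switch it off. It assumes a peer certificate represented as a dict with `notBefore`/`notAfter` strings in the format that Python's `ssl.SSLSocket.getpeercert()` and `openssl x509 -dates` produce; `SAMPLE_CERT` and the clock values in `__main__` are constructed, not taken from any real deployment.

```python
"""Certificate validity-window check of the kind a TLS library performs
during the OpenVPN handshake, with the "time check disabled" variant
beside it.

Added example, not OpenVPN's or OpenSSL's code. Certificates are dicts
with 'notBefore'/'notAfter' strings in the format produced by
ssl.SSLSocket.getpeercert() and 'openssl x509 -dates'. SAMPLE_CERT is a
constructed value, not a real certificate.
"""
import ssl

# Constructed sample peer certificate: valid for two years from Jan 2005.
SAMPLE_CERT = {
    "subject": ((("commonName", "site-b.example"),),),
    "notBefore": "Jan 15 00:00:00 2005 GMT",
    "notAfter": "Jan 15 00:00:00 2007 GMT",
}


def validity_window(cert):
    """Return (not_before, not_after) as UTC epoch seconds."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def validity_status(cert, now):
    """Classify the certificate at epoch time `now` as
    'not_yet_valid', 'valid' or 'expired'."""
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def clock_margin(cert, now):
    """How far (seconds) the local clock may run slow or fast before the
    time check fails, given that it currently reads `now`. A negative
    value means the check already fails in that direction."""
    not_before, not_after = validity_window(cert)
    return {"may_run_slow": now - not_before, "may_run_fast": not_after - now}


def accept_peer_cert(cert, now, enforce_validity_period=True):
    """Handshake decision for the peer certificate. With
    enforce_validity_period=False (the option debated in the thread) the
    certificate is accepted whatever its dates say, so expiry no longer
    bounds how long a leaked key stays usable. Signature and chain checks
    are assumed to have passed already."""
    status = validity_status(cert, now)
    if not enforce_validity_period:
        return True, status
    return status == "valid", status


if __name__ == "__main__":
    # Constructed scenarios: a router whose clock reset to the epoch on
    # boot, a correctly set clock in March 2005, and a clock in 2008.
    scenarios = [("clock reset to 1970", 0),
                 ("correct clock, Mar 2005", 1_110_000_000),
                 ("clock in 2008", 1_200_000_000)]
    for label, now in scenarios:
        strict_ok, status = accept_peer_cert(SAMPLE_CERT, now)
        lax_ok, _ = accept_peer_cert(SAMPLE_CERT, now, enforce_validity_period=False)
        print(f"{label:26s} status={status:14s} "
              f"strict={strict_ok} time-check-disabled={lax_ok}")
    print("margin with correct clock:", clock_margin(SAMPLE_CERT, 1_110_000_000))
```

`clock_margin` is the number worth knowing for a box with no NTP: with a multi-year certificate the clock may drift a long way and the handshake still succeeds, so the failure mode in the thread is a clock that resets to a nonsense date on boot rather than ordinary drift.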

