On Sat, 15 Jan 2005, Jason Haar wrote:
Mathias Sundman wrote:
You are right, it's a trivial problem, and this time I solved trivially by replacing the machine :-)
In this case their firewall only allowed a few given ports for outgoing traffic and they were not able to change the ruleset, so I'm running OpenVPN over TCP/443. I also currently don't have any NTP client in my firewalls, but I could of course add one if I find this to be the solution. I just don't like the idea of having to trust having an NTP server available just to be able to start the VPN.
Do you really mean that static keys would be more secure, without PFS, than TLS without checking the start and expire date on the certificate?
No - I mean you are wanting to BREAK a PKI feature in order to get around local circumstances. As such, I don't know if the security model of PKI can be said to hold any more. There is obviously an assumption in certificate key exchanges that involves timestamps. Disabling that may have serious repercussions (I don't know, I'm just saying "may").
Let's look at it from the other side. What I wanted was a simple point-to-point link that should be up ALWAYS. Pre-shared keys are perfect for this as OpenVPN is dumb enough to just send the packets without concerning itself about what time it is!
But, then I wanted to take advantage of the re-keying and PFS features of TLS, but I still wanted it to be nearly as dumb as with pre-shared keys.
I can't see why removing the validity time check would have any other security impact than that the certificate is valid forever, which is just what I want (in this particular case).
I'm not interested in a full blown PKI in this case. Look at it like I want to increase the security of a shared key setup instead.
What about getting a nearby machine to run NTP, and get this broken machine to point at that? We don't allow NTP access from our entire LAN to the Internet - just a few hosts. But all the rest of the LAN points at those few local hosts...
Exactly my point. Many sites don't allow NTP access through the internet. The boxes I make (for this usage) should be seen as dumb routers, so I just don't want them to depend on any other services on the network.
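The check the thread is arguing about is the certificate's notBefore/notAfter window, which a peer evaluates against its own clock. The following is an added example, not code from the thread or from OpenVPN: it generates a throwaway self-signed certificate (constructed test data, subject "vpn-peer-test") and then runs the validation with the clock deliberately set to different values via `openssl verify -attime`, which reproduces what a box with no NTP and a wrong clock experiences at TLS handshake time. Paths, the 30-day lifetime and the clock offsets are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or OpenVPN itself): show what
# the certificate validity-window check does, using openssl(1).
# A throwaway self-signed certificate is generated as constructed test data, then
# verified with the clock forced to several values via `openssl verify -attime`.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# make_cert DAYS: self-signed cert for CN=vpn-peer-test, valid from now for DAYS days.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj "/CN=vpn-peer-test" -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1
}

# cert_dates: print the notBefore/notAfter pair embedded in the certificate.
cert_dates() {
  openssl x509 -noout -dates -in "$CERT"
}

# verify_at EPOCH: return 0 if the certificate validates with the verifier's clock
# set to EPOCH (seconds since 1970), non-zero otherwise. The cert is its own
# trust anchor here, so the only thing that can fail is the validity window.
verify_at() {
  openssl verify -attime "$1" -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# describe EPOCH: print a one-line verdict for EPOCH without tripping set -e.
describe() {
  if verify_at "$1"; then
    echo "$1: accepted"
  else
    echo "$1: rejected (outside validity window)"
  fi
}

make_cert 30
cert_dates
NOW=$(date +%s)
describe "$NOW"                   # correct clock: accepted
describe $((NOW - 2 * 86400))     # clock two days slow: rejected, cert "not yet valid"
describe $((NOW + 60 * 86400))    # clock far ahead, or the cert has expired: rejected
```

The two rejected cases are exactly the failure the thread describes: a peer whose clock is wrong at boot cannot complete the handshake, even though the key material and the signature are fine. The check is evaluated on every TLS negotiation, so with OpenVPN's periodic re-keying a clock that drifts out of the window later in the session matters as well, not only at startup.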