Re: [Openvpn-users] Disable time-checking of certificates


  • Subject: Re: [Openvpn-users] Disable time-checking of certificates
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sat, 15 Jan 2005 12:47:39 -0700 (MST)


On Sat, 15 Jan 2005, Mathias Sundman wrote:

> On Sat, 15 Jan 2005, Jason Haar wrote:
> 
> > Mathias Sundman wrote:
> >
> >>> 
> >>> Just configure NTP and be done with it. Make sure that NTP starts 
> >>> before OpenVPN and you'll be set.
> >> 
> >> 
> >> It might have been a way to go, however, one of the boxes was supposed 
> >> to be installed behind a customers firewall, where I couldn't be sure 
> >> services like NTP would be available.
> >> 
> >
> > ...but you can be sure OpenVPN ports are open??? If they have opened up 
> > OpenVPN, then they can open up NTP.
> >
> > I don't want to sound preachy - but you have a heinously "trivial" problem 
> > (as in: wanting a clock to be correct within 24 hours!?!?), a famously 
> > standard answer (NTP), and can't get it to happen.
> 
> You are right, it's a trivial problem, and this time I solved trivially by 
> replacing the machine :-)
> 
> In this case their firewall only allowed a few given ports for outgoing 
> traffic and they were not able to change the ruleset, so I'm running 
> OpenVPN over TCP/443. I also currently don't have any NTP client in my 
> firewalls, but I could of course add one if I find this to be the 
> solution. I just don't like the idea of having to trust having an NTP 
> server available just to be able to start the VPN.

If the machine has web access, here's a simple script I sometimes use to 
generate a date command to set the clock:

#!/usr/bin/perl
use strict;
use warnings;

# Output a 'date' command to set the current time (GMT)
# using www.time.gov as a time source.
#
# Requires: curl

my $url = "http://www.time.gov/timezone.cgi?UTC/s/0";

# Read the page through curl; open() returns the child pid, or undef on failure
open(my $fh, "curl --silent $url |") or die "fork failed: $!\n";

my $time;
while (<$fh>) {
    # Pick up the HH:MM:SS value that the page shows between two tags
    if (/>(\d\d:\d\d:\d\d)</) {
        $time = $1;
    }
}
close($fh);

# The fetched time is UTC, so tell date to interpret it as such (-u)
if ($time) {
    print "date -u --set=$time\n";
}
###########

> >> Do you really mean that static keys would be more secure, without PFS, than 
> >> TLS without checking the start and expire date on the certificate?
> >> 
> > No - I mean you are wanting to BREAK a PKI feature in order to get around 
> > local circumstances. As such, I don't know if the security model of PKI can 
> > be said to hold any more. There is obviously an assumption in certificate key 
> > exchanges that involves timestamps. Disabling that may have serious 
> > repercussions (I don't know, I'm just saying "may").
> >
> > It seems to me you are bending over too far backwards to try to fix this 
> > problem. I don't think that is the "problem" to fix :-)
> 
> Let's look at it from the other side. What I wanted was a simple 
> point-to-point link that should be up ALWAYS. Pre-shared keys are perfect 
> for this as OpenVPN is dumb enough to just send the packets without 
> concerning about what time it is!

Even static keying uses replay protection which depends on the time.

You will trigger the replay filter if you restart OpenVPN twice, and if on 
the second restart, the system time is earlier than it was on the first 
restart.

Another possibility: set the clock manually, use a script to save the 
current time on system shutdown, and reset the system time from the saved 
value on startup.  This approach will obviously lose some time when the 
system is rebooted, but it's good enough for OpenVPN.
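The two points above (the replay filter trips when the clock goes backwards between restarts, and the save-on-shutdown/restore-on-boot workaround) can be put together in one small script. This is an added example, not James's code; it assumes GNU date (for "date -s @EPOCH"), an init system that can call one function at shutdown and the other at boot before OpenVPN, and a state-file path that is a made-up default.

```sh
#!/bin/sh
# Added example (not from the original post): persist the clock across reboots
# so OpenVPN never starts with a clock that runs earlier than at its last run.
# Assumes GNU date and an init script that calls save_clock at shutdown and
# restore_clock at boot. The state-file path below is an assumption.
CLOCK_FILE="${CLOCK_FILE:-/var/lib/openvpn/last-clock}"

# choose_clock SAVED NOW: print the epoch the system clock should be set to.
# Moving the clock backwards is what trips OpenVPN's replay filter, so the
# result is never earlier than the saved value; a missing or malformed saved
# value leaves the current clock alone.
choose_clock() {
    saved="$1"
    now="$2"
    case "$saved" in
        ''|*[!0-9]*) printf '%s\n' "$now"; return 0 ;;
    esac
    if [ "$now" -lt "$saved" ]; then
        printf '%s\n' "$saved"
    else
        printf '%s\n' "$now"
    fi
}

# save_clock FILE: record the current epoch seconds (call at shutdown).
save_clock() {
    file="$1"
    now=$(date +%s)
    mkdir -p "$(dirname "$file")"
    printf '%s\n' "$now" > "$file"
    printf '%s\n' "$now"
}

# restore_clock FILE: print the epoch the clock should have at boot. The saved
# value is only a lower bound; the time spent powered off is lost, which the
# post says is good enough for OpenVPN.
restore_clock() {
    file="$1"
    saved=""
    if [ -r "$file" ]; then
        saved=$(cat "$file")
    fi
    choose_clock "$saved" "$(date +%s)"
}

# apply_clock EPOCH: actually set the clock (needs root and GNU date).
apply_clock() {
    date -s "@$1" > /dev/null
}

# Usage from an init script (uncomment the action you need):
#   save_clock "$CLOCK_FILE"                        # at shutdown
#   apply_clock "$(restore_clock "$CLOCK_FILE")"    # at boot, before openvpn
```

Because restore_clock only ever moves the clock forward, a box whose RTC comes up reset to an earlier date after a power cut still starts OpenVPN with a time no earlier than its previous run, which is the case the replay filter would otherwise reject.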

James



_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users