Vladimir Ilic <vladojko@xxxxxxxxx> said:
>
> >
> > Now change "--tls-verify false" to "--tls-verify true" and both sides
> > authenticate.
> >
> > James
> >
> >
> Thanks James,
>
> It works now, I made a stupid mistake: in my script I did echo 0 instead of
> exit 0 - I thought I had to send 0 to the standard output, and in fact the exit
> code of the script has to be 0 :)
>
> But now I found some other problem. I created certificates for a few machines,
> and I am using the tls-verify option to check if the CN inside the certificate is ok.
> In the script I am checking the value of the $tls_id_0 environment variable. If
> clients are allowed to authenticate, it works fine. From the moment when the first
> non-authorized client tries to connect, the value of $tls_id_0 does not change
> any more - for each subsequent proper client my authentication script gets the same
> value for $tls_id_0 that the non-authorized client had, and the result is that no
> more clients can establish the connection. After I allow the non-authorized client
> to connect, from that moment $tls_id_0 starts getting correct values each time
> the authentication script is invoked.
>
>
> Also, I noticed that for each connection, tls-verify script is invoked 2
> times. Is that normal?
Yes, the tls-verify script is called once for each certificate depth level in
the certificate chain.
See the man page, or better yet look at the verify_callback function in ssl.c.
In that function, that certificate depth level will be denoted by
ctx->error_depth.
> Once the disabled client is again allowed to connect,
> and I connect with some other client, in the first execution of the tls-verify
> script $tls_id_0 is set to the old bad value, and because that disabled client
> is now allowed to connect, the tls-verify script returns 0. In the second
> execution, $tls_id_0 gets the correct value from the client which is currently
> connecting.
> Looks like a bug? Just to mention that all this is happening without
> restarting the server, and that I am using the beta 9 version. I will compile beta
> 10 and give it a try as well.
I don't think it's a bug. I think that you're not correctly understanding the
way that the tls-verify script gets called multiple times, once for each
certificate depth level. I will grant you, though, even though the man page
mentions the certificate_depth parameter, it is not documented to the degree
that it probably should be.
Basically what you want to do in your tls-verify script is parse out the first
parameter (certificate_depth) which will be a positive integer which we will
call n.
Now you can access tls_id_{n} or tls_serial_{n}, because those values will
have been set before the tls-verify script is called.
On the other hand, if n == 1 and you try to access tls_serial_0, you may be
accessing stale data, left over from the last restart!
James
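Below is an added example (not code from either poster) of a tls-verify script written the way James describes: it takes the certificate_depth from the first argument and only reads the tls_id_<depth> variable that OpenVPN set for this particular invocation, so a stale tls_id_0 from an earlier rejected client is never consulted when the script is being called for depth 1. It also signals the decision through the exit code rather than by printing 0, which was the first mistake in the thread. The allowlist of subject names is a constructed sample, and the leaf-only policy (depth 0 must be allowlisted, higher depths are accepted) is an assumption about what a deployment would want.

```shell
#!/bin/sh
# Added example tls-verify hook, not from the original thread.
# OpenVPN invokes it once per certificate depth with two arguments:
#   $1 = certificate_depth (0 = the peer's own certificate, higher = issuing CAs)
#   $2 = X.509 subject name of the certificate at that depth
# Only tls_id_$1 / tls_serial_$1 are guaranteed fresh on this call; other
# depths may still hold values from a previous connection attempt.
# The verdict is the exit status: 0 accepts, anything else rejects
# (printing "0" to stdout does nothing).

# Constructed allowlist of acceptable leaf subject DNs, one per line (assumption).
ALLOWED_IDS='/C=US/O=Example/CN=client1
/C=US/O=Example/CN=client2'

# check_peer DEPTH: returns 0 if the certificate at DEPTH is acceptable, 1 otherwise.
# The subject is read from the environment variable tls_id_<DEPTH>, which
# OpenVPN sets before invoking the script.
check_peer() {
    depth=$1
    # Indirect expansion of tls_id_<depth> in plain POSIX sh.
    eval "id=\${tls_id_${depth}:-}"
    [ -n "$id" ] || return 1            # variable unset for this depth: refuse

    case "$depth" in
        0)  # Leaf certificate: the exact subject must appear in the allowlist.
            printf '%s\n' "$ALLOWED_IDS" | grep -qxF -- "$id"
            ;;
        *)  # CA depths: OpenVPN has already validated the chain; accept.
            return 0
            ;;
    esac
}

# When invoked by OpenVPN (two positional arguments), act as the real hook.
if [ "$#" -eq 2 ]; then
    check_peer "$1"
    exit $?
fi
```

Install it with `tls-verify /path/to/this-script.sh` in the server config and keep it executable; because the leaf check ignores every variable except tls_id_0 when depth is 0, and ignores tls_id_0 entirely when depth is 1, the "stuck" value Vladimir saw cannot influence the decision for the next client.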
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users