On Thu, 2 Sep 2004, Mathias Sundman wrote:

> On Wed, 25 Aug 2004, hallian hallian wrote:
>
> > I have seen the popup windows for "connect" and "disconnect."
> >
> > But when I revoke a certificate for a user on the server, the server log
> > displays "user cert has been revoked" but how can we display a similar
> > message as "Please contact your Administrator" on the OPENVPN GUI? I
> > have noticed it keeps going and trying in an infinite loop. Are we
> > supposed to see an unsuccessful pop window? Just wondering a road warrior
> > could be staring at the screen for some time...... without seeing any
> > error messages.
>
> I took a closer look at this. And it's just like you say. The OpenVPN
> server logs that the certificate is revoked, but the client doesn't seem to
> be notified of this. At least nothing is logged about this.
>
> James, would it be possible for the server to notify the client that the
> certificate has been revoked, so a log message can be printed on the
> client?

Right now, OpenVPN doesn't have any authentication-failed handshake. When one side of the connection is unable to authenticate the other side, it resets its state, essentially dropping the TLS handshake.

This behavior ensures security, as there is no failure handshake for an attacker to exploit. The downside, of course, is that there is no positive indication of authentication failure from the server which is rejecting the certificate to the client which presented it -- only a repeating loop of authentication attempts which never succeed.

The best solution would be if there was a way for side A (client) of the connection to determine that side B (server) has reset its state due to the authentication failure of A without requiring any specific message from B to A.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
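One way a client-side wrapper could infer the silent reset described in this thread, shown as an added example that is not part of the original messages or of OpenVPN: it separates handshakes that failed after the peer answered from attempts that got no reply at all. The log message wording is an assumption based on OpenVPN 2.x client logs, the function names are hypothetical, and a "peer-reset" streak indicates a rejected handshake in general, not revocation specifically.

```python
import re

# Message fragments as they appear in OpenVPN 2.x client logs (assumption:
# wording can differ between versions, adjust the patterns to your build).
PEER_REPLIED = re.compile(r"TLS: Initial packet from")
HANDSHAKE_FAILED = re.compile(r"TLS Error: TLS handshake failed")
CONNECTED = re.compile(r"Initialization Sequence Completed")


def classify_attempts(lines):
    """Return one label per failed handshake: 'peer-reset' or 'no-reply'."""
    labels, peer_replied = [], False
    for line in lines:
        if PEER_REPLIED.search(line):
            peer_replied = True
        elif CONNECTED.search(line):
            labels.clear()          # a success ends any failure streak
            peer_replied = False
        elif HANDSHAKE_FAILED.search(line):
            labels.append("peer-reset" if peer_replied else "no-reply")
            peer_replied = False
    return labels


def likely_rejected(lines, threshold=3):
    """True when the last `threshold` attempts all reached the peer and failed."""
    tail = classify_attempts(lines)[-threshold:]
    return len(tail) == threshold and all(label == "peer-reset" for label in tail)


# Constructed sample log (hypothetical address, not taken from the thread).
ATTEMPT = [
    "UDPv4 link remote: 192.0.2.10:1194",
    "TLS: Initial packet from 192.0.2.10:1194, sid=00000000 00000000",
    "TLS Error: TLS key negotiation failed to occur within 60 seconds",
    "TLS Error: TLS handshake failed",
    "SIGUSR1[soft,tls-error] received, process restarting",
]
REVOKED_LOOP = ATTEMPT * 3
SERVER_DOWN = [line for line in REVOKED_LOOP if "Initial packet" not in line]

if __name__ == "__main__":
    for name, log in (("revoked loop", REVOKED_LOOP), ("server down", SERVER_DOWN)):
        verdict = "contact your administrator" if likely_rejected(log) else "keep retrying"
        print(f"{name}: {verdict}")
```

A GUI could call `likely_rejected` on the tail of the client log after each restart and show the "contact your administrator" popup once it returns true.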