OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

remote-cert-tls + verify-x509-name #12

Closed jwsi closed 4 years ago

jwsi commented 7 years ago

Hey there,

Upon inspection, the remote-cert-tls directive has no effect in configurations. You can use remote-cert-tls server or remote-cert-tls client without any effects being observed so no checks seem to be taking place. remote-cert-ku and remote-cert-eku seem to be working well along with ns-cert-type (which is now deprecated).

Furthermore, verify-x509-name doesn't even seem to be recognised as an option.

James

mattock commented 7 years ago

I'm not very familiar with OpenVPN 3, but I know it only implements a subset of the configuration options that are available in OpenVPN 2. Some options like remote-cert-tls might be compatibility shims to allow loading a wider range of OpenVPN configuration files. That said, I'm purely guessing here.

dsommers commented 7 years ago

That is correct, @mattock. There are some options which have not been implemented in OpenVPN 3. We want to reduce this feature gap for those options which it makes sense to let live further (we have a lot of obscure options which we might not need any more). Both --remote-cert-tls and --verify-x509-name are really strong candidates for getting a port.

dsommers commented 6 years ago

Just following up on this one. I've checked that --remote-cert-tls is supported in the current master branch. See openvpn/ssl/kuparse.hpp:68 for details.

jwsi commented 6 years ago

@dsommers now that the --remote-cert-tls directive is ported do you know if there are any plans to include --verify-x509-name too?

dsommers commented 6 years ago

Yes, --verify-x509-name is on our todo list. I don't have an ETA, but I will most likely look into it in the not too far future.

AnthonyWharton commented 4 years ago

Spotted some commits (7bd55e0a7b56ba443f55b6760ee341aa22e7ed0b) that add this functionality, thanks a lot!

Will give it a test in due course, however I thought I'd just leave a friendly bump about this issue in case it is closeable!

dsommers commented 4 years ago

That's correct! I've been testing this in openvpn3-linux, with good success so far. It got a peer-review during our OpenVPN Hackathon last week, just forgot to update this ticket.

The complete list of commits required is:

7bd55e0a - mbedtls: Add support for --verify-x509-name
ae6bf893 - mbedtls: Add unit tests for x509_get_subject() and x509_get_common_name()
fc060bd3 - mbedtls: Move x509_get_subject() and x509_get_common_name() to an independent file
7900c71f - mbedtls: Add missing include file in x509cert.hpp
61ba6e9c - openssl: Add unit tests for OpenSSLPKI::x509get*() functions
5f881fe7 - openssl: Move generic X.509 cert extraction code to a separate file
58398692 - openssl: Add --verify-x509-name support
71a14a35 - verify-x509-name: Implement base class for processing this option
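To make concrete what the two directives in this thread check, here is an added illustration (not code from openvpn3 or any of the commits above) that models --remote-cert-tls and --verify-x509-name over a constructed stand-in for the peer certificate's fields. The accepted keyUsage set and the subject/name/name-prefix matching modes follow the OpenVPN 2.x manual's description and are assumptions here; the PeerCert type and its sample values are constructed for the example.

```python
"""Model of the two peer-certificate checks discussed in this thread."""
from dataclasses import dataclass, field

# keyUsage bit names as OpenSSL prints them; the accepted set models the
# OpenVPN 2.x default behind --remote-cert-tls (assumption, see lead-in).
ACCEPTED_KU = {"digitalSignature", "keyAgreement", "keyEncipherment"}
# extendedKeyUsage the peer must carry for each --remote-cert-tls role.
ROLE_EKU = {
    "server": "TLS Web Server Authentication",
    "client": "TLS Web Client Authentication",
}
MODES = ("subject", "name", "name-prefix")

@dataclass
class PeerCert:
    """Constructed stand-in for fields read out of the peer's X.509 cert."""
    subject: str                      # e.g. "C=KG, ST=NA, L=Bishkek, CN=Server-1"
    key_usage: set = field(default_factory=set)
    ext_key_usage: set = field(default_factory=set)

    def common_name(self):
        """Return the CN component of the subject, or None if absent."""
        for rdn in self.subject.split(", "):
            key, _, value = rdn.partition("=")
            if key == "CN":
                return value
        return None

def remote_cert_tls(cert, role):
    """--remote-cert-tls server|client: the peer's cert must carry the
    matching extendedKeyUsage and at least one accepted keyUsage bit."""
    if role not in ROLE_EKU:
        raise ValueError("role must be 'server' or 'client'")
    return (ROLE_EKU[role] in cert.ext_key_usage
            and bool(cert.key_usage & ACCEPTED_KU))

def verify_x509_name(cert, expected, mode="subject"):
    """--verify-x509-name <name> [subject|name|name-prefix]."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "subject":                 # whole subject DN, exact match
        return cert.subject == expected
    cn = cert.common_name()
    if cn is None:                        # no CN at all: nothing can match
        return False
    return cn == expected if mode == "name" else cn.startswith(expected)

def accept_peer(cert, role, expected, mode="subject"):
    """Both directives must pass: a cert issued by the same CA but lacking
    the role's EKU, or carrying a different name, is rejected."""
    return remote_cert_tls(cert, role) and verify_x509_name(cert, expected, mode)
```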