Opened 14 years ago
Closed 14 years ago
#44 closed Feature Wish (fixed)
More Flexible TLS Verification for plugins
Reported by: | derek.ditch | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | beta 2.3 |
Component: | plug-ins / plug-in API | Version: | OpenVPN 2.1.0 / 2.1.1 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Plugins that implement the OPENVPN_PLUGIN_TLS_VERIFY plugin type should be able to access the full X.509 certificate. This could be in addition to the currently provided environment variables. I would like to write/modify a plugin that can verify an X.509 certificate against an LDAP server. The problem is that I must meet the US Federal Government requirements of matching the Common Access Card certificates against the "NT Principal Name" attribute, which is under the extension "Subject Alternative Name". Naturally, I could hack this into the OpenVPN source, but this environment variable wouldn't be useful to anyone outside the US Government. By providing plugin developers the full certificate, they may implement domain-specific requirements as needed.
Without this ability, I cannot use OpenVPN for my network.
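The check requested above, sketched as an added example that is not part of the ticket or of OpenVPN's code: pulling the "NT Principal Name" (the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3) out of a Subject Alternative Name extension. It assumes the plugin has already obtained the DER-encoded extension value from the certificate (that step depends on the TLS library and is not shown); `der_next`, `san_get_upn` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN, displayed as "NT Principal Name"), DER body */
static const unsigned char UPN_OID[] = {0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03};
/* Constructed sample SAN value: rfc822Name "jd@example.org" + UPN "1234567890@mil" */
static const unsigned char SAMPLE_SAN[] = "\x30\x30\x81\x0e" "jd@example.org"
    "\xa0\x1e\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03\xa0\x10\x0c\x0e" "1234567890@mil";

/* Read one definite-length TLV at *p without reading past end; advance *p on success. */
static int der_next(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, const unsigned char **val, size_t *len) {
    const unsigned char *q = *p;
    if (end - q < 2 || (q[0] & 0x1f) == 0x1f) return -1;   /* no multi-byte tags */
    *tag = q[0]; size_t n = q[1]; q += 2;
    if (n & 0x80) {                          /* long form: accept 1 or 2 length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return -1;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* Hypothetical helper: copy the first UPN in a DER subjectAltName value; 0 on success. */
int san_get_upn(const unsigned char *san, size_t san_len, char *out, size_t out_sz) {
    const unsigned char *p = san, *end = san + san_len, *v, *q, *e;
    unsigned char tag; size_t len;
    if (der_next(&p, end, &tag, &v, &len) || tag != 0x30 || p != end) return -1;
    for (p = v, end = v + len; p < end; ) {      /* SEQUENCE OF GeneralName */
        if (der_next(&p, end, &tag, &v, &len)) return -1;
        if (tag != 0xa0) continue;               /* only [0] otherName can hold a UPN */
        q = v; e = v + len;
        if (der_next(&q, e, &tag, &v, &len)) return -1;
        if (tag != 0x06 || len != sizeof UPN_OID || memcmp(v, UPN_OID, len)) continue;
        if (der_next(&q, e, &tag, &v, &len) || tag != 0xa0) return -1;  /* [0] EXPLICIT */
        q = v; e = v + len;
        if (der_next(&q, e, &tag, &v, &len) || tag != 0x0c) return -1;  /* UTF8String */
        if (len == 0 || len >= out_sz || memchr(v, 0, len)) return -1;  /* embedded NUL */
        memcpy(out, v, len); out[len] = '\0';
        return 0;
    }
    return -1;
}

int main(void) {
    char upn[64];
    if (san_get_upn(SAMPLE_SAN, sizeof SAMPLE_SAN - 1, upn, sizeof upn) == 0) puts(upn);
    return 0;
}
```

A verification plugin would compare the returned string against the directory entry and reject the certificate on any parse failure, including a UPN that contains an embedded NUL byte.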
Change History (1)
comment:1 Changed 14 years ago by
Milestone: | → beta 2.3 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
A brand new plug-in API has been added to solve this issue. It is available for testing via the 'allmerged' branch or the development snapshots.
This new API gives access to the complete X509 certificate in the OPENVPN_PLUGIN_TLS_VERIFY stage.
The relevant git commits are: