Opened 14 years ago
Closed 13 years ago
#44 closed Feature Wish (fixed)
More Flexible TLS Verification for plugins
| Reported by: | derek.ditch | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | beta 2.3 |
| Component: | plug-ins / plug-in API | Version: | OpenVPN 2.1.0 / 2.1.1 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Plugins that implement OPENVPN_PLUGIN_TLS_VERIFY plugin type should be able to access the full X.509 certificate. This could be in addition to the currently provided environment variables. I would like to write/modify a plugin that can verify an X.509 certificate against an LDAP server. The problem is that I must meet the US Federal Government requirements of matching the Common Access Card certificates against the "NT Principal Name" attribute, which is under extension "Subject Alternative Name". Naturally, I could hack this into the OpenVPN source, but this environment variable wouldn't be useful to anyone outside the US Government. By providing plugin developers the full certificate, they may implement domain specific requirements as needed.
Without this ability, I cannot use OpenVPN for my network.
Change History (1)
comment:1 Changed 13 years ago by
| Milestone: | → beta 2.3 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
A brand new plug-in API has been added to solve this issue. It is available for testing via the 'allmerged' branch or the development snapshots.
This new API gives access to the complete X509 certificate in the OPENVPN_PLUGIN_TLS_VERIFY stage.
The relevant git commits are:
commit 2db5a0ac3e053857d97e468de53e70a605f54561 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Fri Dec 10 01:16:09 2010 +0100 Extend the v3 plug-in API to send over X509 certificates The certificates sent to the plug-in API will only happen during the OPENVPN_PLUGIN_TLS_VERIFY phase and will contain a pointer to the OpenSSL X509 certificate data. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>commit 0a55fcef98e38c213e8629b3baa3730ee1182005 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Fri Dec 10 01:20:43 2010 +0100 Added a simple plug-in demonstrating the v3 plug-in API. To build the plug-in, do ./build log_v3 in the plugin/examples directory. This plug-in can be tested by running an OpenVPN server like this: # ./openvpn --plugin plugin/examples/log_v3.so --dev tun \ --server 192.168.240.0 255.255.255.0 --ca sample-keys/ca.crt \ --cert sample-keys/server.crt --key sample-keys/server.key \ --dh sample-keys/dh1024.pem The client can be started like this: # ./openvpn --client --remote localhost --ca sample-keys/ca.crt \ --cert sample-keys/client.crt --key sample-keys/client.key \ --dev tun --nobind --auth-user-pass This plug-in will only log arguments and environment variables it receives during all the different plug-in phases OpenVPN currently supports. It will also parse the X509 certificate information given during the TLS_VERIFY phase. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>