Opened 14 years ago

Closed 14 years ago

#44 closed Feature Wish (fixed)

More Flexible TLS Verification for plugins

Reported by: derek.ditch
Owned by:
Priority: major
Milestone: beta 2.3
Component: plug-ins / plug-in API
Version: OpenVPN 2.1.0 / 2.1.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Plugins that implement the OPENVPN_PLUGIN_TLS_VERIFY plugin type should be able to access the full X.509 certificate. This could be in addition to the currently provided environment variables. I would like to write/modify a plugin that can verify an X.509 certificate against an LDAP server. The problem is that I must meet the US Federal Government requirements of matching the Common Access Card certificates against the "NT Principal Name" attribute, which is under extension "Subject Alternative Name". Naturally, I could hack this into the OpenVPN source, but this environment variable wouldn't be useful to anyone outside the US Government. By providing plugin developers the full certificate, they may implement domain-specific requirements as needed.

Without this ability, I cannot use OpenVPN for my network.

Change History (1)

comment:1 Changed 14 years ago by David Sommerseth

Milestone: beta 2.3
Resolution: fixed
Status: new → closed

A brand new plug-in API has been added to solve this issue. It is available for testing via the 'allmerged' branch or the development snapshots.

This new API gives access to the complete X509 certificate in the OPENVPN_PLUGIN_TLS_VERIFY stage.

The relevant git commits are:

commit 2db5a0ac3e053857d97e468de53e70a605f54561
Author: David Sommerseth <dazo@users.sourceforge.net>
Date:   Fri Dec 10 01:16:09 2010 +0100

    Extend the v3 plug-in API to send over X509 certificates
    
    The certificates sent to the plug-in API will only happen during the
    OPENVPN_PLUGIN_TLS_VERIFY phase and will contain a pointer to the OpenSSL
    X509 certificate data.
    
    Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
    Acked-by: James Yonan <james@openvpn.net>

commit 0a55fcef98e38c213e8629b3baa3730ee1182005
Author: David Sommerseth <dazo@users.sourceforge.net>
Date:   Fri Dec 10 01:20:43 2010 +0100

    Added a simple plug-in demonstrating the v3 plug-in API.
    
    To build the plug-in, do ./build log_v3 in the plugin/examples directory.
    
    This plug-in can be tested by running an OpenVPN server like this:
    
     # ./openvpn --plugin plugin/examples/log_v3.so --dev tun \
                 --server 192.168.240.0 255.255.255.0 --ca sample-keys/ca.crt \
                 --cert sample-keys/server.crt --key sample-keys/server.key \
                 --dh sample-keys/dh1024.pem
    
    The client can be started like this:
    
     # ./openvpn --client --remote localhost --ca sample-keys/ca.crt \
                 --cert sample-keys/client.crt --key sample-keys/client.key \
                 --dev tun --nobind --auth-user-pass
    
    This plug-in will only log arguments and environment variables it receives
    during all the different plug-in phases OpenVPN currently supports.  It will
    also parse the X509 certificate information given during the TLS_VERIFY phase.
    
    Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
    Acked-by: James Yonan <james@openvpn.net>
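
The "NT Principal Name" the ticket asks for is carried in the Subject Alternative Name as an otherName with OID 1.3.6.1.4.1.311.20.2.3. The block below is an added example, not code from OpenVPN or from this ticket: it walks the DER bytes of a SubjectAltName extension value directly so it builds without any library (a plug-in holding the OpenSSL X509 pointer would normally let OpenSSL decode the extension). The names `san_get_upn` and `der_tlv` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Content octets of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN, "NT Principal Name"). */
static const unsigned char UPN_OID[] = {0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03};

/* Constructed sample: SubjectAltName holding an rfc822Name and a UPN otherName. */
static const unsigned char SAMPLE_SAN[] =
    "\x30\x33" "\x81\x0E" "a@example.test"
    "\xA0\x21\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x03"
    "\xA0\x13\x0C\x11" "jdoe@example.test";

/* Read one tag/length header at *p; on success *p points at the value.
   Returns 0 on truncation, indefinite length, or a length wider than 2 bytes. */
static int der_tlv(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len) {
    const unsigned char *q = *p;
    if (end - q < 2) return 0;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                      /* long form: next k bytes hold the length */
        size_t k = n & 0x7F;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return 0;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0; /* value must fit in the buffer */
    *p = q; *len = n;
    return 1;
}

/* Returns 1 and copies the UPN into out, 0 if the SAN has none, -1 if the input is
   malformed, the value is not a UTF8String, or it cannot be stored safely. */
int san_get_upn(const unsigned char *der, size_t derlen, char *out, size_t outlen) {
    const unsigned char *p = der, *end = der + derlen, *q, *qe;
    unsigned char tag; size_t len;
    if (!der_tlv(&p, end, &tag, &len) || tag != 0x30) return -1;  /* GeneralNames */
    for (end = p + len; p < end; p = qe) {
        if (!der_tlv(&p, end, &tag, &len)) return -1;
        q = p; qe = p + len;
        if (tag != 0xA0) continue;                     /* not otherName [0] */
        if (!der_tlv(&q, qe, &tag, &len) || tag != 0x06) return -1;
        if (len != sizeof UPN_OID || memcmp(q, UPN_OID, len)) continue;
        q += len;
        if (!der_tlv(&q, qe, &tag, &len) || tag != 0xA0) return -1;      /* [0] EXPLICIT */
        if (!der_tlv(&q, q + len, &tag, &len) || tag != 0x0C) return -1; /* UTF8String */
        if (len >= outlen || memchr(q, 0, len)) return -1; /* no truncation, no NUL */
        memcpy(out, q, len); out[len] = '\0';
        return 1;
    }
    return 0;
}
```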