LinuxQuestions.org


idlehands 04-06-2010 01:19 PM

OpenVPN openssl and OCSP
 
I have OpenVPN working with a third-party CA, and validating UID entries from the client certificates in LDAP groups.

My next step is to figure out OCSP to make sure revoked certificates are denied.

I could dump out my CRL as a nightly job, but that of course presents a window where a revoked certificate is still valid.

Anyone know how to dump out a client certificate back to PEM format? For the LDAP check all I was using was the DN, which doesn't really help me for openssl/OCSP.

Thanks

affinity 04-06-2010 10:26 PM

I don't have a solution to your problem, but since you are already doing a workaround by dumping them each night perhaps you can do it regularly through the day until you find a better solution?

idlehands 04-07-2010 05:49 AM

Unfortunately as the revoked list grows, and more users use the CA, dumping the CRL to a flat file will have several issues.

beadyallen 04-08-2010 05:33 AM

Hi idlehands,

I'm not really sure what you mean by 'dump a certificate back to PEM format'. AFAIK .pem is just a base64-encoded certificate wrapped in '---- BEGIN-CERTIFICATE-----' tags. This should be simple to do. I probably don't understand what you mean.

As for OCSP, it looks like openvpn doesn't support it natively, although I'd have thought it would be a useful patch. Maybe talk to the developers (or make your own patch).

Alternatively (and this is me thinking out loud, i.e. untested), perhaps you could implement a simple FUSE filesystem that does the lookup and exposes the results as a file to be passed to OpenVPN. As you've previously mentioned Perl, have a look at Fuse::Simple on CPAN. You could write a script that first queries your OCSP provider and grabs the current CRL(s) (using openssl for example, I couldn't see a pre-built CPAN module for OCSP). Then make that data available in a 'file' mounted somewhere. Just point 'crl-verify' in OpenVPN at that file. I've not done it with CRLs before, but I have used Fuse::Simple for 'dynamic' readonly config files with data from LDAP and MySQL databases. I find it simpler than a full blown database filesystem like LDAPfs or MySQLfs.

Also, it would probably be useful to know a little more about your setup. How many clients and servers? Hub or mesh based etc. etc. There are probably subtleties that make a simple transfer of a standard CRL file unsuitable, but I would have thought the VPN would have to get pretty big before you'd need to worry about using something dynamic as described above. Afterall, usually only the server(s) need access to the CRL as clients shouldn't be connecting to each other.

Hope that helps.

idlehands 04-09-2010 07:18 AM

beadyallen,
At one point, according to Google at least, there was an OCSP patch floating around for OpenVPN. As clients connect to the OpenVPN server, I can check their certificate DN as that is exposed. I'm currently using the client certificate DN to match against a group in LDAP. Any user in this infrastructure can request a certificate from the CA based on their user DN, but not every user with a valid certificate should get to the private VPN that is set up with OpenVPN.

To do an OCSP lookup, I need more than just the cert DN though, I need the actual certificate exposed.

My issue with dumping the CRL and then using crl-verify in OpenVPN is purely because that would be a slice in time of the CRL, and over time I suspect the CRL is going to grow very large. Depending on what other labs start noticing this little project in my corporation, there could potentially be several users with several OpenVPNs all trying to dump out the CRL to validate the status of client certificates.

What I'm looking for is how to get hold of the client certificate as it's passed to the OpenVPN server, not just the DN.

I don't know how to answer the rest of your questions. I did not set up the OpenVPN server, I was just enabling it to work with a new internal CA. I don't see how the architecture of the OpenVPN networking matters, however. One thing to note is that the number of certificates being signed by the CA in this infrastructure is at least 100-1000x the number of OpenVPN clients, hence my concerns with screwing around with moving a CRL.

beadyallen 04-12-2010 11:02 AM

Okay, I get what you want now. The patch here works fine against openvpn-2.1_rc21 on my Gentoo box, and it looks simple enough to work against others. It should do what you want.
I would say though that (IMHO) you might want to re-think things. As I understand it, you're having to revoke almost all the certificates generated by your CA. This seems very inefficient and will, as you point out, generate a very big CRL quickly. Would it not be possible to have a separate CA for the VPN? When a certificate is issued that needs VPN, have the CSR signed by the VPN's CA. The patch should work though if you want to stick with your setup.

Good luck.
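As an added illustration of the per-client OCSP check the thread is after (example code, not from any poster and not the patch beadyallen refers to): a `tls-verify` script that asks the CA's OCSP responder about the connecting certificate and fails closed on anything but a verified "good". It assumes an OpenVPN newer than the 2.1 release discussed here, with `tls-export-cert <dir>` in server.conf, which writes the peer certificate to a PEM file named by the `peer_cert` environment variable before `tls-verify` runs; the CA path and responder URL are placeholders.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify hook doing an OCSP lookup on the client
# certificate.  Requires "tls-export-cert /some/dir" in server.conf (assumed),
# which makes OpenVPN export the peer cert to the file named in $peer_cert
# and then run this script as:  script <depth> <x509 subject>
ISSUER_CA="${ISSUER_CA:-/etc/openvpn/ca.crt}"          # placeholder path
OCSP_URL="${OCSP_URL:-http://ocsp.example.invalid/}"    # placeholder responder

# Reduce "openssl ocsp" output to one status word.  Fail closed: the answer
# must be signature-verified ("Response verify OK") and explicitly "good";
# "revoked", "unknown", transport errors and unverified replies all reject.
ocsp_status_from_output() {
    out="$1"
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    case "$out" in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Exit status OpenVPN sees: 0 accepts the connection, anything else drops it.
verdict_exit_code() {
    [ "$1" = good ]
}

# Ask the responder about the certificate file in $1; print the status word.
# -CAfile lets openssl check the responder's signature against our CA; if the
# CA delegates signing to a responder certificate, add -VAfile for it.
ocsp_query() {
    out=$(openssl ocsp -issuer "$ISSUER_CA" -CAfile "$ISSUER_CA" \
              -cert "$1" -url "$OCSP_URL" 2>&1)
    ocsp_status_from_output "$out"
}

# OpenVPN runs tls-verify once per certificate in the chain; only the leaf
# (depth 0) needs a lookup, the CA certificates are trusted by configuration.
main() {
    [ "$1" -eq 0 ] || return 0
    status=$(ocsp_query "$peer_cert")
    logger -t openvpn-ocsp "client '$2' OCSP status: $status"
    verdict_exit_code "$status"
}

# Run only when invoked by OpenVPN (first argument is the numeric depth).
case "${1:-}" in [0-9]*) main "$@" ;; esac
```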
