LinuxQuestions.org
Linux - Networking
Old 04-06-2010, 01:19 PM   #1
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

OpenVPN openssl and OCSP


I have OpenVPN working with a third-party CA, and validating UID entries from the client certificates in LDAP groups.

My next step is to figure out OCSP to make sure revoked certificates are denied.

I could dump out my CRL as a nightly job, but that of course presents a window where a revoked certificate is still valid.

Anyone know how to dump out the client certificate back to PEM format? For the LDAP check all I was using was the DN, which doesn't really help me for openssl/ocsp.

Thanks
 
Old 04-06-2010, 10:26 PM   #2
affinity
Member
 
Registered: Nov 2009
Distribution: Slackware64
Posts: 132

I don't have a solution to your problem, but since you are already doing a workaround by dumping them each night perhaps you can do it regularly through the day until you find a better solution?
 
Old 04-07-2010, 05:49 AM   #3
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Unfortunately as the revoked list grows, and more users use the CA, dumping the CRL to a flat file will have several issues.
 
Old 04-08-2010, 05:33 AM   #4
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Hi idlehands,

I'm not really sure what you mean by 'dump a certificate back to PEM format'. AFAIK .pem is just a base64-encoded certificate wrapped in '-----BEGIN CERTIFICATE-----' tags. This should be simple to do. I probably don't understand what you mean.

As for OCSP, it looks like openvpn doesn't support it natively, although I'd have thought it would be a useful patch. Maybe talk to the developers (or make your own patch).

Alternatively (and this is me thinking out loud, i.e. untested), perhaps you could implement a simple FUSE filesystem that does the lookup and exposes the results as a file to be passed to OpenVPN. As you've previously mentioned Perl, have a look at Fuse::Simple on CPAN. You could write a script that first queries your OCSP provider and grabs the current CRL(s) (using openssl for example, I couldn't see a pre-built CPAN module for OCSP). Then make that data available in a 'file' mounted somewhere. Just point 'crl-verify' in OpenVPN at that file. I've not done it with CRLs before, but I have used Fuse::Simple for 'dynamic' readonly config files with data from LDAP and MySQL databases. I find it simpler than a full blown database filesystem like LDAPfs or MySQLfs.

Also, it would probably be useful to know a little more about your setup. How many clients and servers? Hub or mesh based, etc. There are probably subtleties that make a simple transfer of a standard CRL file unsuitable, but I would have thought the VPN would have to get pretty big before you'd need to worry about using something dynamic as described above. After all, usually only the server(s) need access to the CRL, as clients shouldn't be connecting to each other.

Hope that helps.
 
Old 04-09-2010, 07:18 AM   #5
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
beadyallen,
At one point, according to Google at least, there was an OCSP patch floating around for OpenVPN. As clients connect to the OpenVPN server, I can check their certificate DN as that is exposed. I'm currently using the client certificate DN to match against a group in LDAP. Any user in this infrastructure can request a certificate from the CA based on their user DN, but not every user with a valid certificate should get to the private VPN that is set up with OpenVPN.

To do an OCSP lookup, I need more than just the cert DN though, I need the actual certificate exposed.

My issue with dumping the CRL and then using crl-verify in OpenVPN is purely because that would be a slice in time of the CRL, and over time I suspect the CRL is going to grow very large. Depending on what other labs start noticing this little project in my corporation, there could potentially be several users with several OpenVPNs all trying to dump out the CRL to validate the status of client certificates.

What I'm looking for is how to get hold of the client certificate as it's passed to the OpenVPN server, not just the DN.

I don't know how to answer the rest of your questions. I did not set up the OpenVPN server; I was just enabling it to work with a new internal CA. I don't see how the architecture of the OpenVPN networking matters, however. One thing to note is that the number of certificates being signed by the CA in this infrastructure is at least 100-1000x the number of OpenVPN clients, hence my concerns with screwing around with moving a CRL.
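The following is an added example, not code from this thread or from the OpenVPN project, of one way to do what the original poster asks: have OpenVPN hand the client certificate to a verification hook and query an OCSP responder for it, so revocation is checked at connect time rather than against a nightly CRL dump. It assumes an OpenVPN version that has the `--tls-export-cert` option (it writes each peer certificate to a directory as PEM and sets `$peer_cert` for the `--tls-verify` hook; whether the server's version has it is an assumption to check with `openvpn --help`). The issuer file, CA chain path and the OCSP URL below are placeholders for the site's own values.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify hook that checks the client certificate
# against an OCSP responder. Assumed server config lines:
#   tls-export-cert /var/run/openvpn/certs
#   tls-verify /etc/openvpn/ocsp-verify.sh
# OpenVPN calls the hook once per certificate in the chain with
# $1 = depth (0 = client leaf), $2 = X509 subject, $peer_cert = exported PEM file.

ISSUER_CERT=${ISSUER_CERT:-/etc/openvpn/issuer.pem}      # placeholder path
CA_CHAIN=${CA_CHAIN:-/etc/openvpn/ca-chain.pem}          # placeholder path
OCSP_URL=${OCSP_URL:-http://ocsp.example.invalid/}       # placeholder URL

# ocsp_verdict: reads the combined stdout+stderr of `openssl ocsp` and prints
# good / revoked / unknown / fail. It fails closed: "good" is only reported
# when OpenSSL also said the response signature verified.
ocsp_verdict() {
    verified=0
    status=fail
    while IFS= read -r line; do
        case "$line" in
            "Response verify OK"*) verified=1 ;;
            *": good"*)            status=good ;;
            *": revoked"*)         status=revoked ;;
            *": unknown"*)         status=unknown ;;
        esac
    done
    if [ "$verified" -ne 1 ] && [ "$status" = good ]; then
        status=fail
    fi
    echo "$status"
}

# check_client_cert DEPTH PEMFILE: exit 0 (allow) only when the leaf's OCSP
# status is "good". Intermediate depths are accepted here because OpenVPN's
# own chain verification already covers them.
check_client_cert() {
    depth=$1
    pemfile=$2
    [ "$depth" -eq 0 ] || return 0
    # "Response verify OK" goes to stderr, the status line to stdout: merge both.
    verdict=$(openssl ocsp -issuer "$ISSUER_CERT" -CAfile "$CA_CHAIN" \
                  -cert "$pemfile" -url "$OCSP_URL" 2>&1 | ocsp_verdict)
    echo "ocsp-verify: depth=$depth cert=$pemfile status=$verdict" >&2
    [ "$verdict" = good ]
}

# Entry point when invoked by OpenVPN (two positional args plus $peer_cert).
if [ "$#" -eq 2 ] && [ -n "$peer_cert" ]; then
    check_client_cert "$1" "$peer_cert"
    exit $?
fi
```

A responder outage or an unsigned response denies the connection rather than silently allowing it, which is the trade-off to weigh against the stale-CRL window the thread is worried about. If exporting the whole certificate is not possible, the same hook can instead use the serial number OpenVPN exposes as `tls_serial_{depth}` with `openssl ocsp -serial` (check the number format your version emits), since an OCSP request only needs the issuer and the serial.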
 
Old 04-12-2010, 11:02 AM   #6
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Okay, I get what you want now. The patch here works fine against openvpn-2.1_rc21 on my gentoo box, and it looks simple enough to work against others. It should do what you want.
I would say though that (IMHO) you might want to re-think things. As I understand it, you're having to revoke almost all the certificates generated by your CA. This seems very inefficient and will, as you point out, generate a very big CRL quickly. Would it not be possible to have a separate CA for the VPN? When a certificate is issued that needs VPN, have the CSR signed by the VPN's CA. The patch should work though if you want to stick with your setup.

Good luck.
 