From: Mathias S. <ma...@ni...> - 2005-01-15 08:40:42
On Sat, 15 Jan 2005, James Yonan wrote:

> On Fri, 14 Jan 2005, Charles Duffy wrote:
>
>> On Fri, 2005-01-14 at 23:04 -0500, Ed Ravin wrote:
>>>> I'd use a tls-verify script to blacklist clients which have valid
>>>> certificates but which aren't presently supposed to be able to connect.
>>>
>>> How about adding the vendor's cert to the revocation list, then removing
>>> it when they call in to request access?
>>
>> In theory, if not practice, certificate revocation lists are
>> append-only. "Removing it" is not a supported operation.
>
> Another possible way to do this:
>
> Use --client-config-dir and --ccd-exclusive on the server. Now the server
> will only accept connections if the common name of the connection matches
> a (possibly empty) file in the --client-config-dir directory. So you can
> turn access on or off by simply creating and deleting this common name
> file. The one caveat here is that once you use --ccd-exclusive, it
> applies to all clients which will be connecting. If you only want to turn
> on/off access to a single common name but allow all others, I think a
> --tls-verify script is the way to go.

A pretty simple new feature that would solve this quite nicely would be if
there was a directive one could put in a CCD file that would deny that user
access. That way you could have a normal setup running, and when you
temporarily want to block a user, you just create a CCD file and add this
directive for that user.

-- 
_____________________________________________________________
Mathias Sundman               (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows        X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \   NO Word docs in e-mail
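The --tls-verify approach that James and Ed describe, written out as an added example (this script is not from the thread or from the OpenVPN project): it rejects a client whose certificate Common Name appears in a deny-list file while leaving every other valid certificate alone, so the list can be edited without touching the CRL or switching on --ccd-exclusive. Assumptions not stated in the thread: OpenVPN invokes the script with two arguments, the certificate depth and the X.509 subject string, and treats exit status 0 as accept and anything else as reject; the subject string is in the OpenVPN 2.0 "/C=SE/O=Example/CN=client1" form (the sample values are made up); the deny-list path /etc/openvpn/blacklist.txt and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenVPN.
# Server-side directive assumed:  tls-verify /etc/openvpn/tls-verify-deny.sh
# OpenVPN (assumed) calls:        tls-verify-deny.sh <depth> <subject>
# Deny list: one Common Name per line (path below is hypothetical).

BLACKLIST="${BLACKLIST:-/etc/openvpn/blacklist.txt}"

# extract_cn SUBJECT
# Prints the CN component of a "/C=../O=../CN=.." subject string,
# or nothing if the subject carries no CN.
extract_cn() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# tls_verify DEPTH SUBJECT
# Returns 0 to accept the certificate, 1 to reject it.
tls_verify() {
    depth="$1"
    subject="$2"

    # Only the leaf certificate (depth 0) identifies the client; the CA
    # certificates higher up the chain are never matched against the list.
    [ "$depth" -eq 0 ] || return 0

    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        # No CN means nothing to match (and no CCD file could match it
        # either); reject rather than let an unnamed cert through.
        return 1
    fi

    # No deny list at all means nobody is blocked.  A list that exists but
    # cannot be read is a configuration error: fail closed, since failing
    # open would silently re-admit every blocked user.
    [ -e "$BLACKLIST" ] || return 0
    [ -r "$BLACKLIST" ] || return 1

    # -x whole-line match, -F fixed string (no regex surprises from the CN),
    # -q quiet; "--" keeps a CN starting with "-" from being read as an option.
    if grep -qxF -- "$cn" "$BLACKLIST"; then
        return 1
    fi
    return 0
}

# When run by OpenVPN with its two arguments, perform the check and exit
# with the verdict.  When sourced or run without arguments, only define
# the functions.
if [ "$#" -eq 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```

To block the vendor mentioned in the thread you would add its CN on a line of the deny list and, to re-admit it, delete that line; the check runs at every TLS handshake, so an already-connected client is only cut off at its next renegotiation or reconnect. Because the CN is taken from the subject string, this matches whatever the certificate says, so a deny-listed vendor cannot get around it by reusing a still-valid certificate, which is exactly the case a CRL entry that later has to be "removed" handles badly.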