From: Mathieu G. <mat...@fr...> - 2005-12-06 15:09:24
Hello,
Here is a tiny patch which adds to OpenVPN a new option "tls-export-cert":
--tls-export-cert [directory] : Get peer cert in PEM format and store it
in an openvpn temporary file in [directory]. Peer cert is stored
*before* tls-verify script execution and deleted *after*.
The peer cert temporary file name is sent to the tls-verify script by an
environment variable named "peer_cert".
This new option may be useful to add some checks into the tls-verify script.
For example, if you have a PKI with more than one CA, you can handle a
full CRL check with the -crl_check_all openssl option. Here is an example of
a tls-verify script:
#!/bin/sh
# All CA certificates and CRLs are in the /etc/openvpn/capath directory
# (hashed file names: <hash>.0 for a CA certificate, <hash>.r0 for its CRL).
# $peer_cert is the temporary file exported by --tls-export-cert.
RESULT=`openssl verify -CApath /etc/openvpn/capath -crl_check_all \
        -verbose "$peer_cert" 2>&1`
# Is CRL check OK? (grep -F: the file name is matched literally, not as a regex)
echo "$RESULT" | grep -qF "$peer_cert: OK"
if [ $? -eq 0 ]
then
    echo "openssl verify succeeded : $RESULT"
    exit 0
fi
# CRL verification failed
exit 1
Regards,
Mat
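
The CRL check that the script in the mail above relies on, worked through end to end as an added example (not code from the mail, from Mathieu's patch, or from OpenVPN): two independent CAs, one client certificate issued by each, CA certificates and CRLs placed in a hashed CApath, and the same "openssl verify -CApath ... -crl_check_all" verdict parsed the way the tls-verify script parses it. The CA names "alpha" and "beta", the client names "client-a" and "client-b", and the temporary directory layout are all made up for the demonstration; the only assumption is that the openssl command line tool (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added demonstration, not code from the mail or from OpenVPN: build a throwaway
# PKI with two independent CAs ("alpha" and "beta", made-up names), issue one
# client certificate from each, put CA certificates and CRLs into a hashed
# CApath, and run the same "openssl verify -CApath ... -crl_check_all" check
# that the tls-verify script applies to $peer_cert.
set -eu

# make_ca NAME: self-signed CA plus the files "openssl ca" needs as its database
make_ca() {
    dir="$WORK/$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/CN=$1" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # CApath lookup is by subject name hash: <hash>.0 holds the CA, <hash>.r0 its CRL
    cp "$dir/ca.crt" "$CAPATH/$(openssl x509 -hash -noout -in "$dir/ca.crt").0"
}

# issue_cert CA CN: new key and CSR for CN, signed by CA into $WORK/CN.crt
issue_cert() {
    openssl req -new -config "$WORK/$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$WORK/$1/ca.cnf" \
        -in "$WORK/$2.csr" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# publish_crl CA: (re)generate the CA's CRL into the CApath under the CA's hash
publish_crl() {
    openssl ca -config "$WORK/$1/ca.cnf" -gencrl \
        -out "$CAPATH/$(openssl x509 -hash -noout -in "$WORK/$1/ca.crt").r0" 2>/dev/null
}

# verify_peer CERT: the check from the tls-verify script; prints openssl's verdict
# and returns 0 only on "<file>: OK" (grep -F: the file name is a literal, not a regex)
verify_peer() {
    out=$(openssl verify -CApath "$CAPATH" -crl_check_all "$1" 2>&1) || true
    echo "$out"
    echo "$out" | grep -qF "$1: OK"
}

# run_demo: returns 0 only if all three situations below come out as expected
run_demo() {
    WORK=$(mktemp -d)
    CAPATH="$WORK/capath"
    mkdir -p "$CAPATH"
    trap 'rm -rf "$WORK"' EXIT

    make_ca alpha
    make_ca beta
    issue_cert alpha client-a
    issue_cert beta client-b

    # 1) no CRL published yet: -crl_check_all fails closed, it needs a CRL for
    #    every CA in the chain ("unable to get certificate CRL")
    if verify_peer "$WORK/client-a.crt"; then return 1; fi

    # 2) both CRLs published, nothing revoked: both clients verify
    publish_crl alpha
    publish_crl beta
    verify_peer "$WORK/client-a.crt" || return 1
    verify_peer "$WORK/client-b.crt" || return 1

    # 3) revoke client-a at alpha and republish alpha's CRL: only client-a fails,
    #    client-b is still checked against beta's CRL and passes
    openssl ca -config "$WORK/alpha/ca.cnf" -revoke "$WORK/client-a.crt" >/dev/null 2>&1
    publish_crl alpha
    if verify_peer "$WORK/client-a.crt"; then return 1; fi
    verify_peer "$WORK/client-b.crt" || return 1

    rm -rf "$WORK"
}

run_demo
echo "demo: all three CRL checks behaved as expected"
```

Two points this brings out for anyone deploying the script. First, -crl_check_all wants a CRL for every CA in the chain, the root included, and refuses the connection when one is missing or has passed its nextUpdate, so each CA's CRL has to be published into the CApath and regenerated before it expires. Second, the verdict is parsed from the tool's text output, so the tool's behaviour matters: the openssl verify command shipped with 0.9.x and 1.0.x treated several errors as non-fatal and still printed "OK" after reporting them (an expired certificate or CRL among them), which lets the grep succeed; from OpenSSL 1.1.0 the command reports "verification failed" for those cases instead. OpenVPN also runs the tls-verify script once per certificate in the peer's chain, with the depth as its first argument, so the check above is repeated at each depth.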