git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Karl O. Pinc <kop@meme.com>
	Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)
committer	David Sommerseth <dazo@users.sourceforge.net>
	Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)
commit	22b055eb0888cefa86e0a6d4a34da6066873be45
tree	929f230c48f8a0ab7ce5096a7aec6c2ece9111d7	tree
parent	4880739c17b502d00a9ec45c6f6dd3e8bbff057f	commit \| diff

[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file

This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.

The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.

This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.

One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.

The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.

This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.

It works for me. I've tested it throughly but not
used it extensively in production.

Regards,

Karl <kop@meme.com>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Eric F Crist <ecrist@secure-computing.net>