]> git.ipfire.org Git - thirdparty/openvpn.git/commit
projects / thirdparty / openvpn.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e5e9a07) | patch
Support fingerprint authentication without CA certificate
authorJason A. Donenfeld <Jason@zx2c4.com>
Mon, 22 Mar 2021 09:14:14 +0000 (10:14 +0100)
committerGert Doering <gert@greenie.muc.de>
Mon, 22 Mar 2021 10:00:50 +0000 (11:00 +0100)
commit423ced962db3129b4ed551c489624faba4340652
tree639197a697061481388749ae9dfc40d05ba5feaetree
parente5e9a07e8baee4065b7dfd65736bfa77b8329cfccommit | diff
Support fingerprint authentication without CA certificate

OpenVPN traditionally works around CAs. However many TLS-based protocols
also
allow an alternative simpler mode in which rather than verify certificates
against CAs, the certificate itself is hashed and compared against a
pre-known set of acceptable hashes. This is usually referred to as
"fingerprint verification". It's popular across SMTP servers, IRC servers,
XMPP servers, and even in the context of HTTP with pinning.

   * Allow not specifying the --ca parameter, to specify that
     certificates should not be checked against a CA.

I've included some instructions on how to use all of this.

Server side:
============

Make self-signed cert:
$ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj
'/CN=server'

Record our fingerprint in an environment variable for the client to use
later:
$ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256
-fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"

Client side:
============
Make self-signed cert:
$ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout
clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj
'/CN=client'

Record our fingerprint in an environment variable for the server to use
later:
$ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256
-fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"

Start server/client
===================

Start openvpn with peer fingerprint verification:

$ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert
servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint"

$ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem
--key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Patch V2: Changes in V2 (by Arne Schwabe):
          - Only check peer certificates, not all cert levels, if you need
            multiple levels of certificate you should use a real CA
          - Use peer-fingerprint instead tls-verify on server side in
example.
          - rename variable ca_file_none to verify_hash_no_ca
          - do no require --ca none but allow --ca simply
            to be absent when --peer-fingprint is present
          - adjust warnings/errors messages to also point to
            peer-fingerprint as valid verification method.
          - Fix mbed TLS version of not requiring CA
            not working

Patch v3: Fix minor style. Remove unessary check of verify_hash_no_ca in
ssl.c.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210322091414.7533-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210322091414.7533-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/init.c diff | blob | blame | history
src/openvpn/options.c diff | blob | blame | history
src/openvpn/options.h diff | blob | blame | history
src/openvpn/ssl_common.h diff | blob | blame | history
src/openvpn/ssl_verify_mbedtls.c diff | blob | blame | history
src/openvpn/ssl_verify_openssl.c diff | blob | blame | history
Mirror of https://github.com/OpenVPN/openvpn.git