Hi Michael,

I don't pretend to be a crypto guru, but as long as the client's certificate is signed by the server's CA it is good to go as long as it is not revoked in some way. Removing the server's copy of the client's credentials does not prevent client certificate authentication.

Given that, it would be possible to delete client credentials and always do a client CommonName match via the OpenVPN hook to the remaining allowed. Though there would be the danger of some time later creating a client CN matching an old deleted one.

It's been my understanding that using a CRL (or OpenVPN verify hook) is the best way to handle 'invalid' certificates.

At this point it has not been a problem (that I know of), and displaying a complete list of valid and invalid clients may be useful.

Lonnie

On Aug 2, 2013, at 3:05 PM, Michael Knill wrote:

> Lonnie, just wanting to understand why disabling is better than removing it.
> Would you not give the credentials to a single user only and revoke when they
> leave the organisation? Is my thinking wrong here?
> After a period of time, the list could get quite unmanageable when people
> come and go.
>
> Regards
> Michael Knill
>
> On 02/08/2013, at 11:10 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
>> Hi Michael(s),
>>
>> The OpenVPN Server tab allows specific clients to be disabled (Client
>> Certificates and Keys: section), not a CRL but basically does the same with
>> OpenVPN's hooks.
>>
>> Removing a client from the list would not be good, as it was created and may
>> have been distributed; disabling it keeps it from connecting.
>>
>> Lonnie
>>
>> On Aug 2, 2013, at 2:09 AM, Michael Keuter wrote:
>>
>>> On 02.08.2013 at 08:55, Michael Knill
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>>> To the group
>>>>
>>>> I set up a number of OpenVPN users for one of my customers and am
>>>> interested to know if there are any plans for enabling the deletion of
>>>> user certs and keys from the web GUI?
>>>
>>> That would be a nice addition, I would also have use for it.
>>>
>>>> Also are there any options with OpenVPN for a username and password only
>>>> rather than certificate? I realise it's not as secure!
>>>
>>> No, only cert alone or cert plus user/password.
>>>
>>>> Regards
>>>> Michael Knill
>>>
>>> Michael
>>>
>>> http://www.mksolutions.info

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
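The "client CommonName match via the OpenVPN hook" that Lonnie describes, as an added example that is not AstLinux's own code: a --tls-verify script that accepts a client certificate only if its CN is on an allow list and not on a disabled list, so a departed user's still-valid certificate is refused without a CRL. The list file paths, the sample names and the CN-extraction pattern are my assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux's or OpenVPN's own code: a --tls-verify hook that
# accepts a peer only when the client certificate's CN is on an allow list and
# not on a disabled list. OpenVPN runs it as  <script> <depth> <x509-subject>
# and treats exit 0 as accept, anything else as reject. List paths are assumptions.

# Extract the CN from either subject format OpenVPN may pass:
#   "/C=US/O=Example/CN=alice"  or  "C=US, O=Example, CN=alice, emailAddress=..."
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Whole-line, fixed-string match of $1 against list file $2; a missing file matches nothing.
in_list() {
    [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

# verify_peer <depth> <subject> <allowed-file> <disabled-file>  -> 0 accept, 1 reject.
# Only the leaf certificate (depth 0) is checked by CN; the CA levels are left to
# OpenVPN's normal chain validation, which still rejects anything not signed by the CA.
verify_peer() {
    depth="$1"; subject="$2"; allowed="$3"; disabled="$4"
    [ "$depth" -ne 0 ] && return 0
    cn="$(cn_from_subject "$subject")"
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject'" >&2; return 1
    fi
    # Disabled wins over allowed, so a departed user's still-valid cert is refused.
    if in_list "$cn" "$disabled"; then
        echo "tls-verify: CN '$cn' is disabled" >&2; return 1
    fi
    if ! in_list "$cn" "$allowed"; then
        echo "tls-verify: CN '$cn' is not on the allow list" >&2; return 1
    fi
    return 0
}

# Constructed sample lists so the script can be exercised stand-alone.
make_demo_lists() {
    dir="$(mktemp -d)"
    printf 'alice\nbob\ncarol\n' > "$dir/allowed"
    printf 'bob\n' > "$dir/disabled"   # bob left the organisation
    echo "$dir"
}
# Hook entry point: OpenVPN supplies exactly two arguments.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2" "${ALLOWED_CN_FILE:-/etc/openvpn/allowed-cn}" \
                          "${DISABLED_CN_FILE:-/etc/openvpn/disabled-cn}"
fi
```

Point OpenVPN at it with `tls-verify /path/to/script` (and `script-security 2`); re-creating a deleted CN is exactly the case the disabled list guards against, since the allow list alone would accept it again.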