On 24 Jun 2002, Jan Johansson wrote:

> On Sun, 2002-06-23 at 09:18, James Yonan wrote:
> > Hello Pat,
> >
> > I think it's a good idea, something we're considering for the next release.
>
> I would like to have some info then on how to stop accepting a certain
> client certificate, since I base my "expirations" on stopping the port
> in question in case I no longer want a specific certificate to be able
> to connect to the network. I mean, of course the one-port-per-person
> will work after such an addition, but for folks that get in later.
One way to stop accepting a certain client certificate is to write a --tls-verify script to check the certificate fields.

As far as ports are concerned, I am thinking that a forking server implementation of OpenVPN would listen for incoming connections on a fixed port, but then switch over to a dynamic port to finalize initialization of the session.

There are still a number of design issues that need to be worked out such as:

(1) How do you fork on new clients without opening yourself up to DoS attacks? In order to be secure, the server would need to statelessly authenticate the initial packet before forking. Tricky, because SSL/TLS requires a multi-packet exchange to authenticate.

(2) How does the server know which return routes to set up for the client, without requiring an --up script on the server for every client that might connect? The client could send its routes to the server as part of the initial authentication exchange, but there would need to be verification machinery to ensure that that client could not attack the server by sending it malformed routes.

If anyone else has ideas on how to securely implement a forking-server, please share them with the list.

James
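A --tls-verify style check of the kind James mentions, written as an added example that is not from this thread or from the OpenVPN project. It assumes OpenVPN's convention of appending the certificate depth and the one-line X509 subject as the script's two trailing arguments and treating a non-zero exit as a rejection; the deny-list file, its entries and the sample subjects are constructed here for a stand-alone run.

```shell
#!/bin/sh
# Added example: reject a client certificate whose CN is on a local
# deny list, in the shape OpenVPN expects from a --tls-verify script:
#   script <certificate_depth> <X509_NAME_oneline>
# Exit 0 accepts the certificate; any other status rejects it.

# Constructed deny list for this demo (a real deployment would point
# DENY_FILE at a file maintained by the administrator).
DENY_FILE="${DENY_FILE:-$(mktemp)}"
printf 'bob\nmallory\n' > "$DENY_FILE"

# extract_cn SUBJECT: print the CN= component of a one-line subject
# such as "/C=SE/O=Example/CN=alice" (nothing if no CN is present).
extract_cn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# tls_verify DEPTH SUBJECT: return 0 to accept, 1 to reject.
# Only the leaf certificate (depth 0) is compared against the list;
# CA certificates higher in the chain are left to normal chain checks.
tls_verify() {
    depth="$1"
    subject="$2"
    [ "$depth" -ne 0 ] && return 0
    cn=$(extract_cn "$subject")
    # A leaf without a CN cannot be matched, so fail closed.
    [ -z "$cn" ] && return 1
    # -F: fixed string, -x: whole line, so "bob" does not match "bobby".
    if grep -Fxq -- "$cn" "$DENY_FILE"; then
        return 1
    fi
    return 0
}

# When invoked directly by OpenVPN, pass the two arguments through.
if [ "$#" -eq 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```

The script only ever sees certificates that already passed CA signature verification, so the deny list is a second gate on top of the CA, not a replacement for it.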