Hi, I ran into problems using --tls-verify to verify the remote host with --chroot enabled. --tls-verify runs the verify script with the system() command, so it assumes that /bin/sh is available. Usually, in a chroot environment, that's not true.
I implemented a new config option: --tls-remote x509name

With --tls-remote the remote host is verified by looking at the X509 name. If the remote X509 name doesn't match the given x509name, the remote host is rejected. With --tls-remote, it's possible to verify the remote host even with a completely empty chroot directory. --tls-remote also removes the need for an external --tls-verify script in most cases.

Config example:

tls-remote /O=exampleorg/CN=name

I have tested the patch with a TLS tunnel on Debian Woody. A patch against OpenVPN 1.5 beta12 is available at:

http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Feel free to use it. :)

Teemu
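For readers comparing the two approaches, here is the check that --tls-remote performs, written out as the kind of --tls-verify script it replaces. This is an added example, not Teemu's patch or OpenVPN's own code. It assumes the --tls-verify calling convention (OpenVPN runs the script with the certificate depth and the one-line X509 subject as its two arguments and accepts the certificate only when the script exits 0), subjects in the slash-separated form used in the config example above, and a hypothetical EXPECTED_REMOTE environment variable for the expected name. It also shows why the script approach is awkward in a chroot: everything below needs /bin/sh and the test builtin, whereas the in-process string comparison of --tls-remote needs nothing from the filesystem.

```shell
#!/bin/sh
# Added example (not from the patch or from OpenVPN): the --tls-remote
# comparison expressed as a --tls-verify script.
#
# OpenVPN invokes a --tls-verify script as:   script <depth> <x509-subject>
# and accepts the peer certificate when the script exits 0.
#
# Assumptions (labelled, not from the original mail):
#   - subjects arrive as one-line names such as /O=exampleorg/CN=name
#   - EXPECTED_REMOTE is a hypothetical env var holding the expected name

# tls_remote_matches EXPECTED DEPTH SUBJECT
# Returns 0 (accept) when DEPTH is 0 and SUBJECT is exactly EXPECTED.
# Certificates above depth 0 (intermediate/root CAs) are passed through:
# the chain itself is already validated by OpenVPN against the --ca file,
# and only the end-entity certificate carries the peer's name.
tls_remote_matches() {
    expected=$1
    depth=$2
    subject=$3

    if [ "$depth" -ne 0 ]; then
        return 0
    fi

    # Exact, case-sensitive match of the whole name. A prefix or
    # substring match would let /O=exampleorg/CN=name2 pass, so
    # compare the complete string.
    if [ "$subject" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Script entry point: when OpenVPN calls us with exactly two arguments,
# run the check and propagate its result as the exit status.
if [ $# -eq 2 ]; then
    tls_remote_matches "${EXPECTED_REMOTE:-/O=exampleorg/CN=name}" "$1" "$2"
    exit $?
fi
```

Used as `tls-verify /path/to/this-script` with EXPECTED_REMOTE set in the environment, this rejects any peer whose leaf certificate subject differs from the configured name, which is the same decision --tls-remote makes without spawning a shell.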