Please note that the other side should detect the expiration.
Hence, if you revoke the client certificate the server should report
this and vice versa.
Please also make sure that both sides are using the same functionality.

On 10/9/08, Jason R. Coombs <jar...@jaraco.com> wrote:
> Alon,
>         I've tested the client functionality and the basic functionality works great
>  (not testing against expired or revoked certificates).
>
>         I then created a test for expired certs (incorrectly) by specifying an
>  expired _client_ certificate.  Curiously, OpenVPN did not complain about the
>  expired client certificate, but rather proceeded to attempt a connection with
>  it (which subsequently failed to establish TLS I suspect because the server
>  didn't have the corresponding public cert).  So I think I may have discovered
>  a limitation of the pre-existing cryptoapicert function.
>
>         So to recap:
>
>         Cryptoapicert client mode: fails to verify expired cert.
>         Cryptoapica client mode: works!
>         Cryptoapica client mode expired/revoked cert: untested
>         Cryptoapica server mode: untested
>
>         I'm at a conference this week, but will continue to test as time permits.
>
>
>  Jason
>
>  -----Original Message-----
>  From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
>  Sent: Tuesday, 07 October, 2008 16:56
>  To: Jason R. Coombs
>  Cc: Faidon Liambotis; openvpn-devel@lists.sourceforge.net
>  Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)
>
>  Binaries are at [1].
>
>  It is not enough to test it on the client; we need to verify that the
>  validation works correctly on both ends, as CAPI has a different policy
>  for servers and clients.
>
>  Alon.
>
>  [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-1.tar.bz2
>
>  On 10/7/08, Jason R. Coombs <jar...@jaraco.com> wrote:
>  > Faidon,
>  >
>  >  If you send me a binary build for Windows 32-bit, I'll test it against expired
>  >  and revoked certs.  I presume I don't need a server configured for this test;
>  >  it should fail client-side before attempting to connect?
>  >
>  >
>  >  Jason
>  >
>  >
>  >  -----Original Message-----
>  >  From: Faidon Liambotis [mailto:parav...@debian.org]
>  >  Sent: Tuesday, 07 October, 2008 15:53
>  >  To: Alon Bar-Lev
>  >  Cc: Jason R. Coombs; openvpn-devel@lists.sourceforge.net
>  >  Subject: Re: [Openvpn-devel] [PATCH v4] Use CryptoAPI CA store (was Re: [PATCH v3] Use CryptoAPI CA store)
>  >
>  >
>  > Hi,
>  >
>  >  Alon Bar-Lev wrote:
>  >  > On 9/27/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>  >  >>  I prefer to receive patches...
>  >  >>  Anyway, this is not exactly what I meant.
>  >  >>  Please review latest head.
>  >  >>  I did not test this, but it should be correct now as far as the
>  >  >>  changes are concerned.
>  >  >>  It may not work as the validation process was never tested.
>  >  >
>  >  > Any news?
>  >  Thanks for reviving this. I built it and tried it, and it seems to work.
>  >  I didn't test with revoked or expired certificates, however.
>  >
>  >  As for warnings there's just a trivial one:
>  >         cryptoapi.c:429: warning: passing arg 2 of `d2i_X509' from
>  >                          incompatible pointer type
>  >
>  >  Regards,
>  >  Faidon
>  >
>
>

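To make the check Alon is asking for concrete (the server must report a revoked or expired client certificate, and the client must do the same for the server), here is an added example that is not part of the patch or of anyone's message in this thread. It is a POSIX shell script that uses the OpenSSL command line rather than CryptoAPI, which the patch itself targets: it builds a throwaway CA with one valid, one expired and one revoked client certificate plus a CRL, then shows the verdict a verifying peer should reach for each, with and without the CRL loaded. The CA configuration, file names and validity dates are all constructed for this example; the certificates it produces can be imported into the Windows certificate store to exercise the CAPI path on both ends.

```shell
#!/bin/sh
# Added test fixture, not part of the OpenVPN CryptoAPI patch: build a
# throwaway CA with a valid, an expired and a revoked certificate, then
# check each one the way a verifying peer is expected to.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for openssl req(1) and openssl ca(1). Section and
# file names are constructed for this example.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = testca

[ testca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
x509_extensions = v3_leaf

[ cn_only ]
commonName = supplied

[ v3_leaf ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign

[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
CN = placeholder
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Self-signed test CA (the trust anchor both peers would be configured with).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.pem -subj /CN=test-ca -days 30 >/dev/null 2>&1

# issue NAME [extra openssl-ca options]: key, CSR and CA-signed certificate.
issue() {
  name=$1; shift
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.pem" \
    "$@" >/dev/null 2>&1
}

issue good
issue expired -startdate 200101000000Z -enddate 200102000000Z   # valid only during 2020-01-01
issue revoked
openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# check_cert FILE: "ok" if the CA, with CRL checking, accepts the
# certificate, "rejected" otherwise. This is the verdict each side of the
# tunnel must reach about the other side's certificate.
check_cert() {
  if openssl verify -CAfile ca.pem -crl_check -CRLfile crl.pem "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# check_cert_no_crl FILE: the same check on a peer that never loaded the
# CRL. Expiry is still caught, revocation is not.
check_cert_no_crl() {
  if openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

for c in good expired revoked; do
  printf '%s.pem: with CRL %s, without CRL %s\n' \
    "$c" "$(check_cert "$c.pem")" "$(check_cert_no_crl "$c.pem")"
done
```

Run it with openssl on PATH. The asymmetry it prints for revoked.pem is the one to look for when testing the patch: a peer that verifies without the CRL accepts a certificate that the other peer, with the CRL loaded, reports as revoked, which is why both ends have to be tested with the same trust-store functionality.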