Hi,
On 25/05/18 03:41, Simon Rozman wrote:
Private and public key are still used. The patch stil uses
certificates and TLS, it only replaces the check certificate of the
peer's certificate against the CA with a hash check (certificate
pinning if you want).
So basically instead of saying that you trust all certificates signed
by a CA, you only trust only those certifcates of which have hashes. A
certificate pinning of an unknown CA is exactly the same. Since you
cannot verify that certificate you add a one off certificate in your
list of trusted certificates.
Correct me if I'm wrong, but this approach allows for self-signed
certificates
too, right?
Exactly! Client and server can use whatever certificate they like or make a
self-signed one. All they need to do is to exchange their fingerprints over
some trustworthy channel.
Simple. Like SSH.
for the record: this is not entirely the same as SSH. What happens when
establishing an SSH connection to a new server is that you send the
*public key* to the server, not a hash; similarly the server sends its
public key to the client. The client needs to accept this new key,
otherwise the connection is aborted. For public/priv authentication to
work, the server must know the public key of the client (listed in the
authorized_keys file) , otherwise the user is prompted for a password.
Thus, for SSH a 'trustworthy channel' consists of the user typing 'y'
when connecting to a new server and the server accepting a
username+password upon first connection from a client.
To implement a similar feature in OpenVPN would require a way to send
only the public key upon TLS initialisation, and these public keys would
then need to be stored/listed on the server somewhere. Probably
possible, but a different approach then to what is proposed above. I'd
be (slightly) in favour of sending public keys instead of hashes, BTW,
as it them more closely mimicks what SSH does.
JM2CW,
JJK
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
