On 17.05.21 at 19:16, tincantech wrote:
> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, 12 May 2021 14:15, Arne Schwabe <a...@rfc2549.org> wrote:
>
>> This is meant to give new users a quickstart for a usable OpenVPN
>> setup. Our own documentation is lacking in this regard and many
>> tutorials that can be found online are often questionable in some
>> aspects.
>
> I believe OpenVPN in standard mode (full PKI) would reject an expired
> client certificate.
>
> Note: There is absolutely nothing in the manual to confirm this!
> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> On that page there are eight uses of the word 'expire' and they all
> relate to an expired auth-token; this could also probably be improved.
>
> However, OpenVPN in peer-fingerprint mode allows an expired client
> certificate to connect.
>
> The client log *does* have a 'WARNING: Your certificate has expired!'
> The server log has nothing about an expired client certificate.
> And, as we all know, _who reads their log files_ anyway?
>
> The issue here is that the server allows an expired client certificate
> to connect and there is no mention of this change in behaviour.
Yes. We just trust the fingerprint of the certificate. The behaviour to
ignore expiry is a side effect of that. It is kinda designed to be this way.

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
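An added illustration of the gap discussed above (this is not code from the thread or from OpenVPN itself): in peer-fingerprint mode the check amounts to comparing the certificate's SHA-256 fingerprint against an allow-list, so an operator who wants expiry enforced has to check the validity period separately. The helper names and the one-fingerprint-per-line allow-list file are assumptions; only `openssl` is required.

```shell
#!/bin/sh
# Hypothetical helper (not OpenVPN's own code). Shows what fingerprint
# matching covers (SHA-256 fingerprint only) and what it does not (expiry),
# then combines both into one admission decision.

# Print the SHA-256 fingerprint in the colon-separated, upper-case form that
# an OpenVPN <peer-fingerprint> block lists.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate is still valid $2 seconds from now
# (default 0 = right now), 1 if it has expired or will within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Is the certificate's fingerprint present in the allow-list file?
# (assumed format: one fingerprint per line, case-insensitive match)
fingerprint_allowed() {
    grep -qixF "$(cert_fingerprint "$1")" "$2"
}

# Admission check: fingerprint must be listed AND the certificate must not
# have expired. Pure fingerprint trust would stop after the first test.
admit_client() {
    cert="$1"; allowlist="$2"
    if ! fingerprint_allowed "$cert" "$allowlist"; then
        echo "REJECT: fingerprint not in allow-list" >&2
        return 1
    fi
    if ! cert_valid_for "$cert" 0; then
        echo "REJECT: certificate has expired" >&2
        return 2
    fi
    echo "ACCEPT"
}
```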