Hello Gert,

thanks for your reply.

On 01.04.14 15:39, Gert Doering wrote:
> Hi,
>
> On Tue, Apr 01, 2014 at 01:15:01PM +0000, Bonno Bloksma wrote:
>> If so I would like to be able to disable it for just 1 client
>> via a ccd file for instance. That way I do not have to restart
>> the entire service and would not compromise any other
>> connection.
>
> You can't do this on the server, as it's the client who checks the
> cert validity (for the server cert - the server checks the
> validity of the client cert, but if the server clock is right, it
> will be fine).
>
> As the client checks the server certificate before doing anything
> else, like "trust information handed out by the server", there is
> not anything the server can do here.
>

You're right. The client checks the certificate time beforehand, not the server.

> (What OpenWRT does to work around this issue is to periodically
> save a timestamp to a file, and on boot, ensure that the time is
> not earlier than this timestamp - if it's earlier, set the time to
> that, if later, leave it alone. Precisely for such cases, with
> embedded systems with no hardware clock, and possibly unreachable
> ntp servers for whatever reason...)

That sounds like a good workaround to me. Thanks for the hint.

Michael
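
The timestamp-floor workaround described in the quoted reply above, as an added example (not OpenWRT's actual script and not code from this thread). The stamp file path, the function names and the `date -s @SECONDS` syntax of GNU/BusyBox `date` are assumptions.

```shell
#!/bin/sh
# Added example: keep a clock "floor" on a device with no hardware clock, so
# that certificate validity checks do not run against a clock reset to 1970.
# STAMP_FILE and all function names are assumptions made for this example.
STAMP_FILE="${STAMP_FILE:-/etc/clock-floor.stamp}"

# Print the epoch seconds the clock should show: the later of the current
# time ($1) and the saved stamp ($2). An empty or non-numeric stamp is
# ignored, so a corrupted file cannot move the clock.
clock_floor() {
    now=$1 saved=$2
    case "$saved" in
        ''|*[!0-9]*) echo "$now"; return 0 ;;
    esac
    if [ "$now" -lt "$saved" ]; then echo "$saved"; else echo "$now"; fi
}

# Periodic job (for example from cron): record the current time. Writing to
# a temp file and renaming avoids a half-written stamp after power loss.
save_stamp() {
    tmp="$STAMP_FILE.tmp.$$"
    date +%s > "$tmp" && mv "$tmp" "$STAMP_FILE"
}

# Assumed clock setter; needs root and a date(1) that accepts "@SECONDS".
set_clock_epoch() { date -s "@$1"; }

# Boot job: if the clock is earlier than the stamp, set it to the stamp;
# if it is later, leave it alone. SET_CLOCK can override the setter.
restore_clock() {
    now=$(date +%s)
    saved=$(cat "$STAMP_FILE" 2>/dev/null || true)
    target=$(clock_floor "$now" "$saved")
    if [ "$target" -gt "$now" ]; then
        ${SET_CLOCK:-set_clock_epoch} "$target"
    fi
}

# Usage: script save | script restore (no argument: only defines functions)
case "${1:-}" in
    save)    save_stamp ;;
    restore) restore_clock ;;
esac
```

The stamp file should be writable by root only, since whoever can write it can move the boot-time clock forward. The floor only guarantees the clock is no earlier than the last save; NTP still has to correct it once reachable.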