Feature #887

Add an option for stricter OpenVPN ssl/tls+user auth checking

Added by Jim Pingle almost 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 09/10/2010
Due date:
% Done: 100%
Estimated time:

Description

Currently, we don't verify that the common name of the certificate matches the username being used for login. This means that if someone has a valid server certificate, they can then use any valid username/password combination to get into the server. This may be good for some scenarios, but in more strict environments it wouldn't be acceptable.

We should add a checkbox on the OpenVPN server configuration for this scenario to allow users to enable the more strict checks.

The auth-user-pass-verify script we have could read this setting and run the test before querying the backend authentication server.
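The check described above, as an added example that is not part of the original ticket or the project's code: an `auth-user-pass-verify` hook run with `via-env` that compares OpenVPN's `username` and `common_name` environment variables before the backend is queried. `STRICT_USER_CN` (standing in for the proposed checkbox), `backend_auth` and the exact, case-sensitive comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: strict username/CN matching for an OpenVPN
# auth-user-pass-verify hook (via-env). Not the project's own code.

# Returns 0 when the login may go on to the backend, 1 when it must be rejected.
#   $1 = username supplied by the client
#   $2 = common name from the already-verified client certificate
#   $3 = "yes" when the strict option is enabled (hypothetical setting)
strict_cn_check() {
    user=$1
    cn=$2
    strict=$3

    # Option off: previous behaviour, any username is passed to the backend.
    [ "$strict" = "yes" ] || return 0

    # Fail closed if either value is missing from the environment.
    if [ -z "$user" ] || [ -z "$cn" ]; then
        return 1
    fi

    # Exact, case-sensitive comparison (an assumption of this example).
    [ "$user" = "$cn" ]
}

# Hypothetical placeholder for the real backend query (LDAP, RADIUS, local DB).
backend_auth() {
    return 0
}

# Runs the strict check first, so a mismatched login never reaches the backend.
verify_login() {
    if ! strict_cn_check "$1" "$2" "$3"; then
        echo "auth rejected: username does not match certificate CN" >&2
        return 1
    fi
    backend_auth "$1"
}

# OpenVPN sets script_type before running any hook; only act as a hook then.
# A non-zero exit status makes OpenVPN refuse the login.
if [ -n "${script_type:-}" ]; then
    verify_login "${username:-}" "${common_name:-}" "${STRICT_USER_CN:-no}"
    exit $?
fi
```
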

Associated revisions

Revision 8901958c (diff)
Added by Jim Pingle almost 9 years ago

Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887

Revision 94823361 (diff)
Added by Jim Pingle almost 9 years ago

Add GUI checkbox to enable strict username/common name matching for SSL/TLS+User Auth mode. Fixes #887

History

#1 Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved
