nanog mailing list archives

Re: dns interceptors


From: Stefan Bethke <stb () lassitu de>
Date: Mon, 15 Feb 2010 08:28:04 +0100

On 15.02.2010 at 04:29, Randy Bush wrote:

> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names?  or does it just wantonly trust
> anyone under that ca?

Any cert signed by that CA.  Use --client-config-dir to limit which CNs are acceptable, and to add custom configs per client on the server.  On the client, use --tls-remote to limit which CN the client will accept when connecting to the server.

On the server, you can also roll your own script to inspect the certificate presented by the client, and act on that.


Stefan

-- 
Stefan Bethke <stb () lassitu de>   Fon +49 151 14070811
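The last point in the reply above, a server-side script that inspects the client certificate, can be done with OpenVPN's --tls-verify hook. The script below is an added example, not code from the original post or from the OpenVPN project: it accepts only leaf certificates whose CN is on an explicit allowlist, so that "any cert signed by that CA" is no longer enough to connect. OpenVPN invokes a --tls-verify script with two arguments, the certificate depth (0 for the client's own certificate) and the X.509 subject string, and a non-zero exit status rejects the certificate. The allowlist, the script path and the config paths in the comments are constructed for the example. (--tls-remote on the client side was later deprecated in favour of --verify-x509-name, but the server-side pattern shown here is unchanged.)

```shell
#!/bin/sh
# Added example, not part of the original post: an OpenVPN --tls-verify hook
# that only accepts client certificates whose CN is on an allowlist.
#
# OpenVPN runs it as:  <script> <certificate_depth> <x509_subject>
# Depth 0 is the client's own certificate; higher depths are the issuing CAs.
# Exit 0 accepts the certificate at that depth, non-zero rejects it.
#
# Server config lines that would use it (assumed paths):
#   tls-verify /etc/openvpn/verify-cn.sh
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive          # additionally refuse clients with no ccd file

# Constructed allowlist of acceptable client CNs; in practice read it from a
# file under /etc/openvpn rather than embedding it in the script.
ALLOWED_CNS="
randy-laptop
ops-jumpbox
"

# Pull the CN out of an OpenVPN subject string. Both subject formats OpenVPN
# has used are handled:
#   "C=US, O=Example, CN=randy-laptop"   and   "/C=US/O=Example/CN=randy-laptop"
# Prints nothing if the subject has no CN.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Decide whether the certificate at this depth is acceptable.
# Returns 0 (accept) or 1 (reject), mirroring the script's exit status.
verify_client_cn() {
    depth="$1"
    subject="$2"

    # Only the leaf certificate (depth 0) carries the client's identity.
    # CA certificates at other depths are left to OpenVPN's normal chain
    # validation against --ca, so they are accepted here.
    [ "$depth" = 0 ] || return 0

    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject', rejecting" >&2
        return 1
    fi

    for allowed in $ALLOWED_CNS; do
        [ "$cn" = "$allowed" ] && return 0
    done

    echo "tls-verify: CN '$cn' not on allowlist, rejecting" >&2
    return 1
}

# When OpenVPN runs this file it passes the two arguments; without them
# (e.g. when sourced for testing) only the functions are defined.
if [ "$#" -ge 2 ]; then
    if verify_client_cn "$1" "$2"; then exit 0; else exit 1; fi
fi
```

The script deliberately does nothing at depths above 0: it is there to pin the client identity, not to replace chain validation. Combined with --client-config-dir and --ccd-exclusive, a client needs both a certificate from the CA and an explicit entry on the server before it gets a session.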
