nanog mailing list archives
Re: dns interceptors
From: Stefan Bethke <stb () lassitu de>
Date: Mon, 15 Feb 2010 08:28:04 +0100
On 15.02.2010 at 04:29, Randy Bush wrote:
> and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca?
Any cert signed by that CA.

Use --client-config-dir to limit which CNs are acceptable, and to add custom configs per client on the server. On the client, use --tls-remote to limit which CN the client will accept when connecting to the server.

On the server, you can also roll your own script to inspect the certificate presented by the client, and act on that.

Stefan

--
Stefan Bethke <stb () lassitu de> Fon +49 151 14070811
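
The last option in the reply above, a server-side script that inspects the client certificate, could look like the following hook for OpenVPN's --tls-verify option. This is an added example, not part of the original message; the allowlist path and the function names extract_cn and verify_peer are assumptions.

```shell
#!/bin/sh
# Added example: hook for OpenVPN's --tls-verify, which runs it as
#   <script> <certificate_depth> <subject>
# Exit 0 lets the handshake continue; non-zero rejects the peer.
# ALLOWLIST (hypothetical path) holds one permitted CN per line.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cns.txt}"
LC_ALL=C; export LC_ALL   # make the character ranges below ASCII-only

# Print the CN of a subject given as "/C=DE/O=Example/CN=client1" or
# "C=DE, O=Example, CN=client1". Fails unless there is exactly one
# non-empty CN made only of [A-Za-z0-9._-]; a second CN= field shows up
# as an embedded newline and is refused by the same character check.
extract_cn() {
    cns=$(printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^ *CN=//p')
    [ -n "$cns" ] || return 1
    case "$cns" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s\n' "$cns"
}

# verify_peer <depth> <subject>: 0 = accept, non-zero = reject.
verify_peer() {
    case "$1" in
        0) ;;                              # peer certificate: check CN below
        [1-9]|[1-9][0-9]) return 0 ;;      # CA chain, already validated by OpenVPN
        *) return 1 ;;                     # unexpected depth: refuse
    esac
    cn=$(extract_cn "$2") || return 1
    [ -r "$ALLOWLIST" ] || return 1        # missing allowlist: fail closed
    grep -Fxq -- "$cn" "$ALLOWLIST"        # exact, whole-line match only
}

# Called by OpenVPN with two arguments; any other non-zero count is refused.
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 2 ] && verify_peer "$1" "$2"
    exit $?
fi
```

On the server this is wired in with tls-verify followed by the script's path, and script-security has to permit running external scripts.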