dns interceptors

Stefan Bethke stb at lassitu.de
Mon Feb 15 07:28:04 UTC 2010


On 15.02.2010 at 04:29, Randy Bush wrote:

> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names?  or does it just wantonly trust
> anyone under that ca?

Any cert signed by that CA.  Use --client-config-dir to limit which CNs are acceptable, and to add custom configs per client on the server.  On the client, use --tls-remote to limit which CN the client will accept when connecting to the server.

On the server, you can also roll your own script to inspect the certificate presented by the client, and act on that.


Stefan

-- 
Stefan Bethke <stb at lassitu.de>   Fon +49 151 14070811

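The "roll your own script" approach from the reply above, as an added example that is not part of the original thread: an OpenVPN --tls-verify hook that accepts only client certificates whose CN appears on an explicit allow-list. OpenVPN runs the --tls-verify command once per certificate in the chain with two arguments (the depth, 0 being the client's own certificate, and the subject string) and exports X509_<depth>_CN into the environment; exit status 0 accepts, anything else rejects. The file paths, the allow-list format and the sample CNs are assumptions made for this example. Two caveats worth knowing when following the advice in the reply: --client-config-dir alone only supplies per-client options, it is --ccd-exclusive that makes a matching ccd file a condition of authentication; and --tls-remote was superseded in later OpenVPN versions by --verify-x509-name.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Server-side configuration this hook assumes (hypothetical paths):
#   script-security 2
#   tls-verify /etc/openvpn/verify-cn.sh
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
#
# OpenVPN invokes this script as: verify-cn.sh <depth> <subject>
# and sets X509_<depth>_CN in the environment. Depth 0 is the peer's own cert.

# Allow-list: one exact CN per line (assumed path, overridable via environment).
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cns.txt}"

# cn_allowed CN FILE -> status 0 if CN is an exact, whole-line entry in FILE.
# -F: literal match (no regex metacharacters from the CN), -x: whole line.
cn_allowed() {
    cn="$1"
    file="$2"
    [ -r "$file" ] || return 1
    grep -Fxq -e "$cn" "$file"
}

# verify_peer DEPTH CN ALLOWFILE -> 0 to accept, 1 to reject.
# CA and intermediate certs (depth > 0) are passed through: OpenVPN already
# validates the chain against --ca. This hook only restricts which leaf CNs
# are allowed to connect, which is the gap "any cert signed by that CA" leaves.
verify_peer() {
    depth="$1"
    cn="$2"
    file="$3"
    [ "$depth" -gt 0 ] 2>/dev/null && return 0
    [ -n "$cn" ] || return 1          # no CN at all: reject
    cn_allowed "$cn" "$file"
}

# make_demo_allowlist -> prints the path of a temporary allow-list containing
# constructed sample CNs, so the hook can be exercised offline.
make_demo_allowlist() {
    f=$(mktemp) || return 1
    printf '%s\n' 'alice.example' 'bob.example' > "$f"
    printf '%s\n' "$f"
}

# Entry point when run by OpenVPN ($1 = depth, $2 = subject string).
# The CN is taken from the environment OpenVPN exports rather than parsed
# out of $2, because the subject string format differs between versions.
if [ $# -eq 2 ]; then
    verify_peer "$1" "${X509_0_CN:-}" "$ALLOWLIST"
    exit $?
fi
```

Rejections from this hook show up in the OpenVPN server log as TLS handshake failures for the offending CN, which is where a defender would look when an otherwise valid certificate is being presented by a client that should no longer have access.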