Changeset 2180


Timestamp:
Sep 19, 2012, 3:27:29 PM
Author:
matthijs
Message:

luci-openvpn: Revoke client certificates when removing them.

Before, when removing an OpenVPN client, its certificates were simply
removed. However, since the OpenVPN server allows access to anyone with
a valid certificate, even if it no longer has the certificate file
itself, this means that a client would still be able to log in after it
was removed through the webgui.

Additionally, when a client was removed, no client could be added again
with the same name, since pkitool insists on having unique names for all
certificates.

By actively revoking the certificate before removing it, which causes
a reference to the certificate to be stored in the certificate revocation
list that OpenVPN checks for every connection, both of the above
problems are fixed.

This commit imports the revoke-full script from the OpenVPN sources,
modified to include /etc/openvpn/vars instead of relying on that file to
be included by the caller (just like with the pkitool script).

Closes: #1208
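The revocation flow the commit message describes (revoke, regenerate the CRL, verify the client against it, and only then reuse the name), as an added example that is not part of this changeset or of the revoke-full/pkitool scripts it imports. It drives openssl directly instead of easy-rsa, so the throwaway CA directory created with mktemp, the `demo_ca` config section and the helper names `valid_name`, `issue_client`, `client_accepted` and `revoke_client` are this example's own assumptions. The `unique_subject` CA-database setting it relies on is the OpenSSL behaviour behind pkitool's unique-name requirement, and the initial empty CRL it generates is the same precondition OpenVPN's `crl_verify` has.

```shell
#!/bin/sh
# Added example, not code from the luci-openvpn changeset: a throwaway CA that
# shows why a removed client must be revoked (CRL) before its files are deleted,
# and why revocation also frees the name for re-issue. Layout and helper names
# are assumptions made for this example.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # hypothetical stand-in for easy-rsa's $KEY_DIR
CNF="$CA_DIR/openssl.cnf"

# Only accept the character set a client name needs; anything else is a
# potential shell or path injection once the name is pasted into a command line.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Regenerate the CRL and the CA bundle used for verification. The CRL must exist
# before the first revocation ever happens: verifiers (openssl here, OpenVPN's
# crl_verify in the changeset) will not accept anyone without one.
gen_crl() {
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
    cat "$CA_DIR/ca.crt" "$CA_DIR/crl.pem" > "$CA_DIR/ca-with-crl.pem"
}

setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = yes
policy           = demo_policy
x509_extensions  = v3_client
[ demo_policy ]
commonName = supplied
[ v3_client ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -config "$CNF" -days 3650 \
        -subj "/CN=Demo OpenVPN CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    gen_crl
}

# issue_client CN FILEBASE: 0 on success, 1 if the CA refuses (a live certificate
# with the same CN already exists, the "unique names" pkitool insists on), 2 on a
# bad name. Older openssl builds exit 0 on the refusal, so also check that a
# certificate was really written.
issue_client() {
    valid_name "$1" || return 2
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
        -keyout "$CA_DIR/$2.key" -out "$CA_DIR/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -in "$CA_DIR/$2.csr" \
        -out "$CA_DIR/$2.crt" >/dev/null 2>&1 || { rm -f "$CA_DIR/$2.crt"; return 1; }
    [ -s "$CA_DIR/$2.crt" ] || { rm -f "$CA_DIR/$2.crt"; return 1; }
}

# client_accepted FILEBASE: 0 if the cert chains to the CA and is not on the CRL,
# which is the check OpenVPN performs per connection once crl_verify is set.
client_accepted() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca-with-crl.pem" "$CA_DIR/$1.crt" 2>/dev/null \
        | grep -q ': OK$'
}

# revoke_client FILEBASE: what the changeset's revoke-full call is for. Revoke,
# regenerate the CRL, and only then delete server-side key material; deleting
# first (the old behaviour) leaves the certificate valid. Returns 1 and deletes
# nothing if the revocation itself fails. The .crt is kept on disk only so the
# demo can still verify it: it stands in for the copy the client holds.
revoke_client() {
    valid_name "$1" || return 2
    openssl ca -config "$CNF" -revoke "$CA_DIR/$1.crt" 2>/dev/null || return 1
    gen_crl
    rm -f "$CA_DIR/$1.key" "$CA_DIR/$1.csr"
}
```

Run `setup_ca`, then `issue_client alice alice`, `revoke_client alice` and `client_accepted alice` in turn: the client verifies before revocation, a second `issue_client alice ...` is refused while the first certificate is live, and after revocation the old certificate fails the CRL check while the name can be issued again.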

Location:
trunk
Files:
2 added
2 edited

  • trunk/fon/openvpn/files/etc/config/openvpn

    r1547 r2180  
    1111        option key /etc/openvpn/keys/Fonera.key
    1212        option dh /etc/openvpn/keys/dh1024.pem
     13        option crl_verify crl.pem
    1314        option server "10.8.0.0 255.255.255.0"
    1415        option ifconfig_pool_persist /tmp/ipp.txt
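Review bot: `option crl_verify crl.pem` is a relative path, whereas the `key` and `dh` options on the surrounding lines use absolute `/etc/openvpn/keys/...` paths; OpenVPN resolves a relative file name against its working directory (or a `cd` directive), so unless the init script changes into the keys directory this points at the wrong file. Use `option crl_verify /etc/openvpn/keys/crl.pem` to match the other entries. Note also that once `crl_verify` is set the CRL file has to exist when the server starts, i.e. before any client has ever been revoked, so the package or first-boot script should generate an initial (empty) CRL; and since the CRL carries a validity period, whatever regenerates it must run before it expires, as OpenVPN builds that hand CRL checking to OpenSSL reject every client on an expired CRL, not only revoked ones.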
  • trunk/luci/applications/luci-openvpn/luasrc/controller/openvpn.lua

    r1634 r2180  
    7777        end
    7878        http.redirect(luci.dispatcher.build_url("fon_admin", "openvpn"))
     79        -- Revoke the certificate, so the client really can't login
     80        -- anymore (and we can regenerate a client with the same name
     81        -- later on).
     82        os.execute("/usr/sbin/revoke-full "..section)
    7983        os.execute("rm -rf /etc/openvpn/keys/"..client..".*")
    8084        local uci = require("luci.model.uci").cursor()
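Review bot: the two new shell commands disagree on which variable names the client: `revoke-full` is passed `section`, while the `rm -rf` on the next line uses `client`. If those are not guaranteed to be the same string, this revokes the wrong certificate (or none) and still deletes the files, which is exactly the stale-access bug the commit sets out to fix; pass `client` to `revoke-full`, or make the section name the client name in both places. Two further points: the return value of `os.execute("/usr/sbin/revoke-full "..section)` is ignored, so when revocation fails (missing vars file, CA key problem, name not in the index) the key files are removed anyway and the client keeps VPN access; check the status and run the `rm` and the UCI deletion only on success, reporting the failure to the UI otherwise. And both commands build a command line by string concatenation from a name that originates in the web UI: with an empty value `rm -rf /etc/openvpn/keys/"..client..".*"` becomes `rm -rf /etc/openvpn/keys/.*`, globbing every dotfile in the directory, and shell metacharacters in the name are interpreted. Validate the name (for example against the Lua pattern `^[%w_%-]+$`) before either call, or avoid the shell for the deletion by using `nixio.fs`.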