
When a user is connected to my OpenVPN server, I would like to extract the ID of the client's certificate.

The purpose is to write a script that will prevent users from sharing their certificates with others. Right now any certificate will work with any valid LDAP user.

When I set script-security 3, which seems to give the most info in the env variables, I see the variables at the bottom of this post (actual values removed). As far as I can tell, nothing in there can be tied to the certificate the user used.

Question

How do I get hold of the client's certificate/key ID, so I can match it against /etc/openvpn/easy-rsa/2.0/keys/*{.crt,.csr,.key}? The filename is the LDAP username.

E.g.

/etc/openvpn/easy-rsa/2.0/keys/bob.crt
/etc/openvpn/easy-rsa/2.0/keys/bob.csr
/etc/openvpn/easy-rsa/2.0/keys/bob.key

Dump of env variables

X509_1_OU=
common_name=
route_gateway_1=
ifconfig_remote=
untrusted_ip=
ifconfig_local=
proto_1=
tls_serial_1=
tls_serial_0=
tun_mtu=
X509_1_emailAddress=
tls_id_0=
X509_1_L=
tls_id_1=
X509_1_O=
password=
script_type=
verb=
username=
local_port_1=
config=
X509_0_CN=
dev=
auth_control_file=
X509_1_C=
X509_1_ST=
route_network_1=
remote_port_1=
PWD=
route_net_gateway=
daemon=
X509_1_name=
untrusted_port=
SHLVL=
script_context=
route_vpn_gateway=
route_netmask_1=
daemon_start_time=
X509_0_ST=
daemon_pid=
X509_1_CN=
X509_0_OU=
X509_0_emailAddress=
daemon_log_redirect=
X509_0_C=
X509_0_L=
link_mtu=
X509_0_O=
Sandra Schlichting
  • OpenVPN's dumping seems to be faulty. Provide a redacted output of `openssl x509 -in certificate.pem -text -noout`. I guess/predict the user name should be extracted from the Common Name part of the subject of the certificate. – daxim Feb 10 '12 at 18:45
  • Thanks for pointing that out. I have removed the actual values from the output and only kept the variable names. Updated the post. – Sandra Schlichting Feb 10 '12 at 18:47
  • So, not common_name or username? – Ivo Feb 10 '12 at 18:57
  • @Ivo: I have now tried to change the CN in the client's crt file to something else, and `common_name` is still the same. Does this mean that `common_name` is encoded in the `crt` file, and the client can't just change/fake this? – Sandra Schlichting Feb 10 '12 at 19:02
  • @SandraSchlichting the `crt` is signed by the `key`. You can't change the `crt` without generating a new `csr` and signing it with the `key` again. I'm not an expert authority, so I don't know which, but there should be some fields that the client can't change without breaking the certificate's validation. Looking at the [wiki page](http://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate), it would seem to me you can't change the Subject attributes (`CN`, etc). – Ivo Feb 10 '12 at 19:19
  • @Ivo If you post that as answer, then I will accept it as solution. – Sandra Schlichting Feb 11 '12 at 17:58

1 Answer

The crt is signed by the key. You can't change the crt without generating a new csr and signing it with the key again. I'm not an expert authority, so I don't know which, but there should be some fields that the client can't change without breaking the certificate's validation. Looking at the wiki page, it would seem to me you can't change the Subject attributes (CN, etc).

So if you're validating user bob, with bob.crt, then make sure in the certificate the CN is bob. Matching all three of these should mean that bob is logging in with his own certificate.

Ivo
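The check the question and answer describe, as an added example that is not part of the original post or of OpenVPN itself: an `auth-user-pass-verify` script that rejects the connection unless the LDAP username the client typed equals the CN of the client certificate. OpenVPN only exports `common_name` after it has verified the certificate's signature against the configured `ca`, so a client cannot edit the CN in its `.crt` without breaking that signature. The server config lines in the header comment, the script path `/etc/openvpn/check-cn.sh` and the `KEYS_DIR` variable are assumptions for this example; the LDAP password check is left to the existing LDAP plugin, which OpenVPN runs in addition to this script and which must also succeed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed server config:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/check-cn.sh via-file
# OpenVPN exports common_name from the CN of the CA-verified client cert.
# With via-file the username and password arrive as the first two lines of
# the temp file named in $1; with via-env (script-security 3 in the post)
# they arrive in $username / $password instead. Both forms are handled.

# Directory of easy-rsa output; assumed path from the post.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}"

# 0 = certificate CN and presented username agree, 1 = mismatch or empty.
cn_matches_user() {
    cn="$1"
    user="$2"
    [ -n "$cn" ] && [ -n "$user" ] && [ "$cn" = "$user" ]
}

# Defence in depth: the username must be a plain identifier, so it cannot
# smuggle a path such as "../x" into the file lookup below.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* | .* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Print the subject CN of a certificate file, or fail if it is unreadable.
# Handles both the old "subject= /C=..../CN=bob/..." and the newer
# "subject=C = .., CN = bob, .." formats of openssl x509 -subject.
cert_file_cn() {
    crt="$1"
    [ -r "$crt" ] || return 1
    openssl x509 -in "$crt" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Only act when invoked by OpenVPN, which sets script_type in the env.
if [ -n "$script_type" ]; then
    if [ -n "$1" ] && [ -r "$1" ]; then
        user="$(sed -n '1p' "$1")"      # via-file: line 1 is the username
    else
        user="$username"                # via-env
    fi

    valid_username "$user" || { echo "reject: bad username" >&2; exit 1; }

    cn_matches_user "$common_name" "$user" || {
        echo "reject: user '$user' presented certificate CN '$common_name'" >&2
        exit 1
    }

    # Extra check: the issued bob.crt on disk must carry the same CN, which
    # catches a renamed or stale certificate file.
    file_cn="$(cert_file_cn "$KEYS_DIR/$user.crt")"
    [ "$file_cn" = "$user" ] || { echo "reject: no matching $user.crt" >&2; exit 1; }

    exit 0
fi
```

Two practical notes: `via-file` keeps the password out of the process environment, which `via-env` (the mode that `script-security 3` enables) exposes to other local users on some platforms; and if the server ever issues certificates whose CN is not the LDAP username, this script will lock those users out, so the CN convention has to hold for every certificate in `KEYS_DIR`.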