[122467] in North American Network Operators' Group
Re: dns interceptors
daemon@ATHENA.MIT.EDU (Stefan Bethke)
Mon Feb 15 02:28:28 2010
From: Stefan Bethke <stb@lassitu.de>
In-Reply-To: <m24olj18j2.wl%randy@psg.com>
Date: Mon, 15 Feb 2010 08:28:04 +0100
To: Randy Bush <randy@psg.com>
Cc: nanog@nanog.org
On 15.02.2010 at 04:29, Randy Bush wrote:
> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names? or does it just wantonly trust
> anyone under that ca?
Any cert signed by that CA. Use --client-config-dir to limit which CNs
are acceptable, and to add custom configs per client on the server. On
the client, use --tls-remote to limit which CN the client will accept
when connecting to the server.
On the server, you can also roll your own script to inspect the
certificate presented by the client, and act on that.
Stefan
-- 
Stefan Bethke <stb@lassitu.de> Fon +49 151 14070811
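The "roll your own script" option above, as an added example that is not part of Stefan's post or of the OpenVPN project: a --tls-verify hook for the server that only admits client certificates whose CN is on an allowlist. OpenVPN runs the hook once per certificate in the chain, after the signature check against --ca, as "script <depth> <subject>", and a non-zero exit aborts the handshake. Two caveats a practitioner would want alongside the post: --client-config-dir by itself does not reject clients that have no ccd file (add --ccd-exclusive for that), and --tls-remote was deprecated in OpenVPN 2.3 and removed in 2.4 in favour of --verify-x509-name. The allowlist path /etc/openvpn/allowed-cns is an assumption; the subject strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not the original poster's code: an OpenVPN --tls-verify hook.
# Server config line (assumed): tls-verify /etc/openvpn/tls-verify.sh
# OpenVPN invokes it as: tls-verify.sh <depth> <x509-subject>
#   depth 0  = the client's own certificate
#   depth >0 = the CA / intermediate certificates
# Exit 0 accepts the certificate, anything else rejects the handshake.

# One CN per line; the path is an assumption for this example.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cns}"

# Pull the CN out of an X.509 subject string. OpenVPN has used two formats
# over the years, and both are handled here (constructed samples):
#   legacy:  /C=US/O=Example/CN=alice
#   newer:   C=US, O=Example, CN=alice
# A CN that itself contains '/' or ',' would be cut short; such names
# should simply not be issued for VPN clients.
cn_from_subject() {
    printf '%s\n' "$1" | tr '/,' '\n\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Exact, whole-line, fixed-string match against the allowlist file, so a
# CN of "alice-evil" does not match an entry "alice" (and vice versa).
cn_allowed() {
    cn="$1"; file="$2"
    [ -n "$cn" ] || return 1
    grep -qxF -- "$cn" "$file"
}

# Policy decision for one certificate of the presented chain.
# CA and intermediate certs (depth > 0) are accepted here; their validity
# is already enforced by OpenVPN's own chain verification against --ca.
# The leaf (depth 0) must carry an allowlisted CN.
verify_cert() {
    depth="$1"; subject="$2"; file="$3"
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(cn_from_subject "$subject")
    cn_allowed "$cn" "$file"
}

# Real invocation by OpenVPN passes exactly two arguments.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2" "$ALLOWLIST"
    exit $?
fi
```

Pair this with client-config-dir plus ccd-exclusive on the server so that a client whose CN passes the hook still gets only the per-client options you wrote for it, and nothing for CNs you never provisioned.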