Question

When a user is connected to my OpenVPN server, I would like to extract the ID of the client's certificate.

The purpose is to write a script that will prevent users from sharing their certificates with others. Right now any certificate will work with any valid LDAP user.

When I set script-security 3, which seems to give the most info to the env variables, I see the variables at the bottom of this post (actual values removed). As far as I can tell, nothing in there can be tied to the certificate the user used.

Question

How do I get hold of the client's certificate/key ID, so I can match it against /etc/openvpn/easy-rsa/2.0/keys/*{.crt,.csr,.key}? The filename is the LDAP username.

E.g.

/etc/openvpn/easy-rsa/2.0/keys/bob.crt
/etc/openvpn/easy-rsa/2.0/keys/bob.csr
/etc/openvpn/easy-rsa/2.0/keys/bob.key

Dump of env variables

X509_1_OU=
common_name=
route_gateway_1=
ifconfig_remote=
untrusted_ip=
ifconfig_local=
proto_1=
tls_serial_1=
tls_serial_0=
tun_mtu=
X509_1_emailAddress=
tls_id_0=
X509_1_L=
tls_id_1=
X509_1_O=
password=
script_type=
verb=
username=
local_port_1=
config=
X509_0_CN=
dev=
auth_control_file=
X509_1_C=
X509_1_ST=
route_network_1=
remote_port_1=
PWD=
route_net_gateway=
daemon=
X509_1_name=
untrusted_port=
SHLVL=
script_context=
route_vpn_gateway=
route_netmask_1=
daemon_start_time=
X509_0_ST=
daemon_pid=
X509_1_CN=
X509_0_OU=
X509_0_emailAddress=
daemon_log_redirect=
X509_0_C=
X509_0_L=
link_mtu=
X509_0_O=

Solution

The crt is signed by the key. You can't change the crt without generating a new csr and signing it with the key again. I'm not an expert authority, so I don't know which, but there should be some fields that the client can't change without breaking the certificate's validation. Looking at the wiki page, it would seem to me you can't change the Subject attributes (CN, etc).

So if you're validating user bob, with bob.crt, then make sure in the certificate the CN is bob. Matching all three of these should mean that bob is logging in with his own certificate.
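One way to put that check into the server, as an added example rather than code from the question or the answer: an OpenVPN `auth-user-pass-verify` hook that denies the login unless the LDAP username equals the CN of the presented certificate (`common_name` / `X509_0_CN` in the dump above) and, as a stronger binding, unless the serial OpenVPN reports for the client cert (`tls_serial_0`) equals the serial of the cert easy-rsa issued under that username. Assumptions not stated on the page: the server config carries `script-security 3` and `auth-user-pass-verify /etc/openvpn/check-cert-owner.sh via-env`, the keys directory is the one from the question, and `tls_serial_0` is the decimal string OpenVPN documents for `tls_serial_{n}`. The script path and the `KEYS_DIR` override are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN auth-user-pass-verify
# hook binding the LDAP username to the client certificate.
# Assumed server config (not stated by the original poster):
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/check-cert-owner.sh via-env
# Assumed key layout: /etc/openvpn/easy-rsa/2.0/keys/<username>.crt

KEYS_DIR=${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}

# Returns 0 when the CN of the presented certificate equals the username the
# client authenticated with, and the username is a plain identifier. The
# username is later used to build a path under KEYS_DIR, so an empty value,
# a leading dot or any "../" must be rejected here, before it reaches the fs.
cert_matches_user() {
    user=$1
    cn=$2
    case $user in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "$user" = "$cn" ]
}

# Returns 0 when the serial OpenVPN reported for the client cert equals the
# serial of the cert easy-rsa issued for this username. A CN could be reused
# by a re-issued certificate; the serial is unique per issued cert.
# Returns 1 on mismatch, unreadable file, or if openssl is unavailable.
serial_matches_issued_cert() {
    user=$1
    presented_serial=$2
    crt="$KEYS_DIR/$user.crt"
    [ -r "$crt" ] || return 1
    # openssl prints "serial=0A" (hex); OpenVPN exports tls_serial_0 in decimal.
    hex=$(openssl x509 -noout -serial -in "$crt" 2>/dev/null | sed 's/^serial=//')
    [ -n "$hex" ] || return 1
    # Assumes the serial fits the shell's integer range (easy-rsa 2 starts at 01).
    issued=$(printf '%d' "0x$hex" 2>/dev/null) || return 1
    [ "$issued" = "$presented_serial" ]
}

# When OpenVPN runs this hook (script_type is set in the env, see the dump in
# the question), perform both checks and exit 0 to allow or 1 to deny.
if [ -n "$script_type" ]; then
    if cert_matches_user "$username" "$common_name" \
        && serial_matches_issued_cert "$username" "$tls_serial_0"; then
        exit 0
    fi
    echo "denied: user=$username cn=$common_name serial=$tls_serial_0" >&2
    exit 1
fi
```

The CN check alone already enforces what the answer describes, because OpenVPN only exports `X509_0_CN` after the certificate chain has validated against the server's `ca`, so a client cannot rewrite the Subject without breaking the signature. The serial check is what catches a user presenting an old or revoked-and-reissued certificate that still carries the right CN.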

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow