From patchwork Tue Sep 8 05:41:53 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1428
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 8 Sep 2020 17:41:53 +0200
Message-Id: <20200908154157.13809-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

Setting up a CA, even with the help of easy-tls and similar tools, is difficult/tiresome. For small setups self-signed certificates are sufficient enough, and restarting the server to add another client is generally not a big problem (when you need that capability a CA is better suited).

This patch set allows setting up OpenVPN with verification of peer certificates and without a CA certificate. Instead of verifying certificates through a CA, it allows verifying a certificate just by its fingerprint. This is usually called certificate pinning. (If you wonder whether this is secure: it is as secure as normal CA operation, as certificate signatures also only sign the fingerprint of a certificate and not the whole cert.) The commits themselves have examples.

The main difference of this patch set to Jason's V1 version is that it does not rely on an external script on the server side and instead relies on an inlined section.
The downside is that this requires a server restart on adding a client, but the upside is that no script-security or external scripts are necessary and the server/client setup becomes symmetric.

Arne Schwabe (3):
  Extend verify-hash to allow multiple hashes
  Implement peer-fingerprint to check fingerprint of peer certificate
  Document the simple self-signed certificate setup in examples

Jason A. Donenfeld (1):
  Support fingerprint authentication without CA certificate

 Changes.rst                      |  12 +++
 doc/man-sections/examples.rst    |  46 ++++++----
 doc/man-sections/inline-files.rst |   4 +-
 doc/man-sections/tls-options.rst  |  36 +++++++-
 src/openvpn/init.c               |   3 +
 src/openvpn/options.c            | 145 +++++++++++++++++++++++++-----
 src/openvpn/options.h            |  13 ++-
 src/openvpn/ssl.c                |   2 +-
 src/openvpn/ssl_common.h         |   4 +-
 src/openvpn/ssl_verify.c         |  30 +++++--
 src/openvpn/ssl_verify_mbedtls.c |  17 ++++
 src/openvpn/ssl_verify_openssl.c |   2 +-
 12 files changed, 263 insertions(+), 51 deletions(-)
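The pinning check the series describes (accept a peer only if the SHA-256 fingerprint of its certificate is in an inline list of allowed fingerprints, one per accepted client, no CA involved), as an added Python illustration rather than OpenVPN's own C code. The list format assumed here is one colon-separated hex SHA-256 per line with `#` comments; the DER byte strings are constructed stand-ins, not real certificates.

```python
import hashlib

# Constructed stand-ins for DER-encoded peer certificates (not real X.509 data;
# only their SHA-256 digest matters for the check below).
CLIENT_A_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"client-a"
CLIENT_B_DER = b"\x30\x82\x01\x0a" + bytes(range(255, -1, -1)) + b"client-b"
UNKNOWN_DER = b"\x30\x82\x01\x0a" + b"\x00" * 64 + b"unknown"


def cert_fingerprint(der):
    """SHA-256 over the whole DER certificate, as a 32-byte digest."""
    return hashlib.sha256(der).digest()


def to_display(digest):
    """Render a digest as colon-separated upper-case hex (assumed pin format)."""
    return ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint_list(text):
    """Parse one colon-separated SHA-256 fingerprint per line, skipping blank
    lines and '#' comments. Returns a set of 32-byte digests. A malformed line
    raises, so a typo in a pin fails loudly instead of silently locking a
    client out."""
    pins = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 32 or any(len(p) != 2 for p in parts):
            raise ValueError(f"line {lineno}: expected 32 colon-separated hex bytes")
        try:
            pins.add(bytes.fromhex("".join(parts)))
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex character in fingerprint") from None
    return pins


def peer_allowed(der, pins):
    """The pinning check itself: the peer is accepted iff its certificate's
    SHA-256 fingerprint is one of the pinned values. No chain building."""
    return cert_fingerprint(der) in pins


def demo():
    # The inline block as a server would carry it: one pin per accepted client.
    block = "\n".join([
        "# accepted clients",
        to_display(cert_fingerprint(CLIENT_A_DER)),
        to_display(cert_fingerprint(CLIENT_B_DER)).lower(),  # case is tolerated
    ])
    pins = parse_fingerprint_list(block)
    return (peer_allowed(CLIENT_A_DER, pins),
            peer_allowed(CLIENT_B_DER, pins),
            peer_allowed(UNKNOWN_DER, pins))
```

Adding a third client means appending its fingerprint line and reloading the list, which is the restart the cover letter mentions.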