From fliu at tiger.openqnx.com Wed Apr 2 07:33:10 2025
From: fliu at tiger.openqnx.com (Frank Liu)
Date: Wed, 2 Apr 2025 07:33:10 -0700 (PDT)
Subject: certficate filtering
Message-ID: <20250402143310.480DF2C1E89@tiger.openqnx.com>

Hi team,

Is it possible to configure ocserv to filter the client certificate? e.g. only allow connecting if the CN of the client certificate ends with mytrusted.domain.com, or matches certain regex filtering rules? Or running a script to further process the certificate-based authentication, such as what openvpn has:
https://github.com/OpenVPN/openvpn/blob/master/sample/sample-scripts/verify-cn

Thanks!
Frank

From kop at karlpinc.com Wed Apr 2 09:50:52 2025
From: kop at karlpinc.com (Karl O. Pinc)
Date: Wed, 2 Apr 2025 11:50:52 -0500
Subject: certficate filtering
In-Reply-To: <20250402143310.480DF2C1E89@tiger.openqnx.com>
References: <20250402143310.480DF2C1E89@tiger.openqnx.com>
Message-ID: <20250402115052.113d3f9c@slate.karlpinc.com>

On Wed, 2 Apr 2025 07:33:10 -0700 (PDT)
Frank Liu wrote:

> Is it possible to configure ocserv to filter the client certificate?

I don't see that feature, although I'm a user and may not have the latest version installed.

> e.g. only allow connecting if the CN of the client certificate ends
> with mytrusted.domain.com, or matches certain regex filtering rules? Or
> running a script to further process the certificate-based
> authentication, such as what openvpn has:
> https://github.com/OpenVPN/openvpn/blob/master/sample/sample-scripts/verify-cn

What is the use-case for this? Why is specifying a certificate authority cert to do the client cert validation not enough? (Just curious.)

Regards,

Karl
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein

From fliu at tiger.openqnx.com Wed Apr 2 11:26:15 2025
From: fliu at tiger.openqnx.com (Frank Liu)
Date: Wed, 2 Apr 2025 11:26:15 -0700 (PDT)
Subject: certficate filtering
In-Reply-To: <20250402115052.113d3f9c@slate.karlpinc.com>
Message-ID: <20250402182615.A5AED2C0F3E@tiger.openqnx.com>

We are trying not to manage the CA. In my use case, each satellite server already has a certificate issued by letsencrypt. The central server could just trust the letsencrypt CA, plus check that the CN is from one of our owned DNS domains.

Regards,
Frank
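The check Frank describes (trust a public CA, then additionally require the leaf certificate's CN to fall under a domain you own, optionally constrained by a regex) is shown below as an added example. It is not code from ocserv, from OpenVPN or from anyone in the thread; it is modelled on the two-argument (depth, subject) convention of the OpenVPN tls-verify hook that the linked verify-cn script implements, and the owned domain list and the sample subject strings are constructed for illustration. The one thing worth getting right, and the reason a plain "ends with" test is not enough, is the label boundary: `evilmytrusted.domain.com` ends with `mytrusted.domain.com` but is not inside it, and `mytrusted.domain.com.attacker.net` is not either. Because a public CA will issue to anyone who controls a name, the domain check is what turns "valid certificate" into "one of our hosts". Note also that the CN is optional in modern server certificates and the host names live in the SAN dNSName entries, so a production check should be applied to the SAN list as well; the string-matching logic below applies unchanged to each SAN name.

```python
import re
import sys

# Constructed for this example: the DNS domains this deployment owns.
OWNED_DOMAINS = ("mytrusted.domain.com",)

# Matches the CN attribute in either "/C=US/O=Org/CN=host" (slash form)
# or "C=US, O=Org, CN=host" (comma form); the separator must directly
# precede "CN=" so attributes such as "OCN=" are not picked up.
_CN_IN_DN = re.compile(r'(?:^|[/,]\s*)CN=([^/,]+)')

# Only hostname characters are accepted; this rejects wildcards ("*.")
# and any DN value that is not a DNS name at all.
_HOSTNAME = re.compile(r'[A-Za-z0-9.-]+')


def extract_cn(subject_dn: str):
    """Return the CN value from a subject DN string, or None if absent."""
    m = _CN_IN_DN.search(subject_dn)
    return m.group(1).strip() if m else None


def hostname_in_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it.

    Comparison is case-insensitive and respects DNS label boundaries, so
    'evilmytrusted.domain.com' is NOT in 'mytrusted.domain.com'.
    """
    h = hostname.lower().rstrip('.')
    d = domain.lower().rstrip('.')
    return h == d or h.endswith('.' + d)


def cn_allowed(subject_dn: str, owned_domains=OWNED_DOMAINS, pattern=None) -> bool:
    """Policy check for a leaf certificate's subject DN.

    Accept only if a CN is present, it is a syntactically plain hostname,
    it matches the optional regex in full, and it lies under one of the
    owned domains. Missing CN is a rejection, not a pass-through.
    """
    cn = extract_cn(subject_dn)
    if not cn:
        return False
    if not _HOSTNAME.fullmatch(cn):
        return False
    if pattern is not None and not re.fullmatch(pattern, cn):
        return False
    return any(hostname_in_domain(cn, d) for d in owned_domains)


def verify_cert_subject(depth: int, subject_dn: str, pattern=None) -> bool:
    """Hook-style entry point: (depth, subject) as the OpenVPN tls-verify
    convention passes them. Depth 0 is the client's own certificate and is
    the only one subject to the CN policy; intermediates and the root are
    already constrained by the CA trust chain the server validates.
    """
    if depth != 0:
        return True
    return cn_allowed(subject_dn, pattern=pattern)


if __name__ == "__main__":
    # Usage: verify_cn.py <depth> <subject-dn> [regex]
    # Exit status 0 allows the connection, 1 rejects it.
    if len(sys.argv) < 3:
        sys.exit("usage: verify_cn.py <depth> <subject-dn> [regex]")
    regex = sys.argv[3] if len(sys.argv) > 3 else None
    ok = verify_cert_subject(int(sys.argv[1]), sys.argv[2], pattern=regex)
    print("allow" if ok else "reject")
    sys.exit(0 if ok else 1)
```

The regex parameter is deliberately matched with `fullmatch`, so a pattern such as `vpn\d+\.mytrusted\.domain\.com` constrains the whole name rather than any substring of it; a `search`-style match would reintroduce the same prefix and suffix problems that the label-boundary check closes.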