summaryrefslogtreecommitdiff
path: root/app/openvpn/sample/sample-scripts/verify-cn
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
committerParménides GV <parmegv@sdf.org>2015-06-16 11:28:05 +0200
commit66c79953db6876ec17a7ebf50dc4fd07d24fae37 (patch)
tree67075abe6ea28f7fc7213f654b86464b13507058 /app/openvpn/sample/sample-scripts/verify-cn
parent1f41fec6765e49838141ad29151713c7ac3dd17c (diff)
parente533cf6939e3ea4233aa8a82812f8ce5fcb565ca (diff)
Merge branch 'develop'0.9.4
Diffstat (limited to 'app/openvpn/sample/sample-scripts/verify-cn')
-rwxr-xr-xapp/openvpn/sample/sample-scripts/verify-cn64
1 files changed, 0 insertions, 64 deletions
diff --git a/app/openvpn/sample/sample-scripts/verify-cn b/app/openvpn/sample/sample-scripts/verify-cn
deleted file mode 100755
index 6e747ef1..00000000
--- a/app/openvpn/sample/sample-scripts/verify-cn
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-
-# verify-cn -- a sample OpenVPN tls-verify script
-#
-# Return 0 if cn matches the common name component of
-# subject, 1 otherwise.
-#
-# For example in OpenVPN, you could use the directive:
-#
-# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
-#
-# This would cause the connection to be dropped unless
-# the client common name is listed on a line in the
-# allowed_clients file.
-
-die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);
-
-# Parse out arguments:
-# cnfile -- The file containing the list of common names, one per
-# line, which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# The file can have blank lines and comment lines that begin
-# with the # character.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cnfile, $depth, $x509) = @ARGV;
-
-if ($depth == 0) {
- # If depth is zero, we know that this is the final
- # certificate in the chain (i.e. the client certificate),
- # and the one we are interested in examining.
- # If so, parse out the common name substring in
- # the X509 subject string.
-
- if ($x509 =~ / CN=([^,]+)/) {
- $cn = $1;
- # Accept the connection if the X509 common name
- # string matches the passed cn argument.
- open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
- while (defined($line = <FH>)) {
- if ($line !~ /^[[:space:]]*(#|$)/o) {
- chop($line);
- if ($line eq $cn) {
- exit 0;
- }
- }
- }
- close(FH);
- }
-
- # Authentication failed -- Either we could not parse
- # the X509 subject string, or the common name in the
- # subject string didn't match the passed cn argument.
- exit 1;
-}
-
-# If depth is nonzero, tell OpenVPN to continue processing
-# the certificate chain.
-exit 0;