X509 checks which can be performed during TLS verification phase

TinCanTech edited this page Dec 13, 2021 · 1 revision

Easy-TLS can perform X509 certificate checks during the TLS verification phase by using one of these options:

  • --v1|--via-crl - Performs certificate validity checks using the openssl binary.
  • --v2|--via-ca - This is disabled due to a bug in openssl.
  • --v3|--via-index - Does not use openssl for any checks. Instead, it searches your current CRL for the certificate's status using grep. (This is my preferred method.)

Using "Cache ID"

  • EasyTLS saves the Identity to a text file, which easytls-cryptv2-verify.sh reads instead of loading openssl to extract the CA fingerprint and sed to format it.

  • Use: easytls save-id and easytls-cryptv2-verify.sh option --cache-id. See respective help for usage details.

    My test showed an improvement of almost 1 second when running the unit test many times.

Using "Preload Cache ID"

  • Load the Identity as a command line parameter when OpenVPN calls easytls-cryptv2-verify.sh. This eliminates the need to repeatedly cat the Identity file.

  • Use: easytls-cryptv2-verify.sh option --preload-cache-id=<ID>. See help for usage details.

What is Identity?

  • Identity is the CA certificate fingerprint formatted to one contiguous string.

    E.g.:

    OpenSSL fingerprint output: SHA1 Fingerprint=95:DC:<..snipped..>:03:DA

    EasyTLS Identity format: 95DC<..snipped..>03DA
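The formatting rule above, written out as a small POSIX shell example. This is added here for illustration and is not code from the Easy-TLS project: the function names, the sample fingerprint line (a constructed SHA-1, not a real CA) and the well-formedness check are all assumptions. It shows how the `SHA1 Fingerprint=...` line that openssl prints becomes the contiguous Identity string, and adds a sanity check a practitioner would want before caching or preloading that value, since a truncated or lower-case ID would make every client fail verification.

```shell
#!/bin/sh
# Added example, not Easy-TLS project code.
# A real fingerprint line comes from the CA certificate with:
#   openssl x509 -in ca.crt -noout -fingerprint -sha1
# Here a constructed sample line is used so the script runs offline.

# Convert an OpenSSL "SHA1 Fingerprint=AA:BB:..." line into the EasyTLS
# Identity: drop everything up to and including '=', then drop the colons.
# (Function name is an assumption for this example.)
easytls_identity_from_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g'
}

# Sanity check before the value is cached or preloaded: a SHA-1 Identity
# must be exactly 40 upper-case hex characters, nothing else.
# (Function name is an assumption for this example.)
easytls_identity_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Constructed sample of the openssl output (20 bytes, not a real CA).
SAMPLE_FP='SHA1 Fingerprint=95:DC:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:03:DA'

ID=$(easytls_identity_from_fingerprint "$SAMPLE_FP")
if easytls_identity_is_wellformed "$ID"; then
    echo "Identity: $ID"
    # The value would then be passed to the verify script as documented above:
    echo "easytls-cryptv2-verify.sh ... --preload-cache-id=$ID"
else
    echo "malformed Identity: '$ID'" >&2
fi
```

The check is deliberately strict: `--preload-cache-id` hands the Identity to the verify script on every connection, so a value that was copied with a stray colon, a trailing newline or lower-case hex would reject every client rather than just one.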