robur-coop/miragevpn

Support key pinning

cfcs opened this issue · 4 comments

cfcs commented
       --verify-hash hash [algo]
              Specify SHA1 or SHA256 fingerprint for level-1 cert. The
              level-1 cert is the CA (or intermediate cert) that signs the
              leaf certificate, and is one removed from the leaf certificate
              in the direction of the root. When accepting a connection from
              a peer, the level-1 cert fingerprint must match hash or
              certificate verification will fail. Hash is specified as
              XX:XX:... For example:

                  AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16

              The algo flag can be either SHA1 or SHA256. If not provided, it
              defaults to SHA1.

See also: OpenVPN/openvpn#105

I stepped into this issue, but unfortunately our X.509 API is slightly different -- where our fingerprint authenticators want to verify the hash of the leaf certificate, here in OpenVPN the specification is the fingerprint of the level-1 certificate (i.e. the certificate signing the leaf).

reynir commented

--verify-hash is deprecated since at least 2.6, and 2.6 has --peer-fingerprint:

 --peer-fingerprint args
           Specify a SHA256 fingerprint or list of SHA256 fingerprints
           to verify the peer certificate against. The peer certificate
           must match one of the fingerprints or certificate verification
           will fail. The option can also be inlined.

        Valid syntax:

           peer-fingerprint AD:B0:95:D8:09:...

        or inline:

           <peer-fingerprint>
           00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
           11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
           </peer-fingerprint>

        When the --peer-fingerprint option is used, specifying a CA with
        --ca or --capath is optional. This allows the --peer-fingerprint
        to be used as an alternative to a PKI with self-signed
        certificates for small setups. See the examples section for such a
        setup.

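The two man page excerpts quoted in this thread pin different certificates: `--verify-hash` names the level-1 cert (the one that signed the leaf, SHA1 by default), while `--peer-fingerprint` names the leaf itself (SHA256 only, one or more pins, plain or inline). The following is an added example, not code from miragevpn or OpenVPN, showing one way a verifier can parse the `XX:XX:...` syntax and the inline `<peer-fingerprint>` block, then check the right chain position against the pin list. Function names are hypothetical, and the "certificates" are constructed byte strings standing in for DER encodings, since a fingerprint is just the digest of the DER bytes.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# A fingerprint is the digest of the DER bytes, so any byte string exercises
# the matching logic without needing a real certificate.
LEAF_DER = b"constructed leaf certificate bytes (not a real certificate)"
ISSUER_DER = b"constructed level-1 issuer certificate bytes (not real)"
CHAIN = [LEAF_DER, ISSUER_DER]  # index 0 = leaf, index 1 = level-1 cert

# One or more hex byte pairs separated by colons, either case.
_FP_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*$")


def parse_fingerprint(text: str) -> bytes:
    """Convert 'AD:B0:95:...' (either case) to raw digest bytes; reject anything else."""
    text = text.strip()
    if not _FP_RE.match(text):
        raise ValueError(f"malformed fingerprint: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def format_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Render a certificate's digest in the XX:XX:... form the options use."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


def parse_peer_fingerprints(config: str) -> list[bytes]:
    """Collect pins from 'peer-fingerprint XX:..' lines and <peer-fingerprint> inline blocks."""
    pins = []
    inline = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "<peer-fingerprint>":
            inline = True
        elif line == "</peer-fingerprint>":
            inline = False
        elif inline:
            if line and not line.startswith("#"):
                pins.append(parse_fingerprint(line))
        elif line.startswith("peer-fingerprint "):
            pins.append(parse_fingerprint(line.split(None, 1)[1]))
    return pins


def matches_any(der: bytes, pins: list[bytes], algo: str = "sha256") -> bool:
    """True if the digest of `der` equals one of `pins`, compared in constant time.
    A pin whose length does not fit `algo` (e.g. a SHA1 pin against SHA256) never matches."""
    if algo not in ("sha1", "sha256"):
        raise ValueError(f"unsupported algo: {algo}")
    actual = hashlib.new(algo, der).digest()
    return any(len(pin) == len(actual) and hmac.compare_digest(actual, pin) for pin in pins)


def verify_pinned(chain: list[bytes], pins: list[bytes], level: int, algo: str = "sha256") -> bool:
    """Check the certificate at `level` in the presented chain against the pins:
    level 0 is the leaf (--peer-fingerprint), level 1 is the cert that signed
    the leaf (--verify-hash). A chain too short to contain that level fails."""
    if level < 0 or level >= len(chain):
        return False
    return matches_any(chain[level], pins, algo)


# Constructed config fragment using the inline syntax from the man page.
SAMPLE_CONFIG = f"""
client
<peer-fingerprint>
{format_fingerprint(LEAF_DER)}
{format_fingerprint(b"some other pinned peer")}
</peer-fingerprint>
"""


def demo() -> dict[str, bool]:
    """Exercise leaf vs. level-1 pinning with the constructed chain."""
    pins = parse_peer_fingerprints(SAMPLE_CONFIG)
    issuer_sha1_pin = [parse_fingerprint(format_fingerprint(ISSUER_DER, "sha1"))]
    return {
        # --peer-fingerprint semantics: the pin names the leaf
        "leaf_pin_matches_leaf": verify_pinned(CHAIN, pins, level=0),
        # the same pin does not match the level-1 cert
        "leaf_pin_matches_issuer": verify_pinned(CHAIN, pins, level=1),
        # --verify-hash semantics: SHA1 pin of the issuer matches at level 1 only
        "issuer_sha1_at_level1": verify_pinned(CHAIN, issuer_sha1_pin, 1, "sha1"),
        "issuer_sha1_at_level0": verify_pinned(CHAIN, issuer_sha1_pin, 0, "sha1"),
        # pins are accepted in lower case as well
        "case_insensitive_pin": verify_pinned(
            CHAIN, [parse_fingerprint(format_fingerprint(LEAF_DER).lower())], 0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Keeping the chain index explicit in `verify_pinned` is the point of the exercise: a fingerprint authenticator that always hashes the leaf cannot express the `--verify-hash` contract, and one that always hashes the issuer cannot express `--peer-fingerprint`, so a config that supports both needs the level as a parameter rather than a fixed choice.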
reynir commented

I can't quite figure out how --peer-fingerprint and --ca interact. Neither from the man page nor the code.

We support peer-fingerprint since end of November 2023, let's close this issue.