components/onc/docs/onc_spec.html - Issue 61903002: ChromeOS: Add more host verification options for OpenVpn.

Side by Side Diff: components/onc/docs/onc_spec.html

Issue 61903002: ChromeOS: Add more host verification options for OpenVpn. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« chromeos/test/data/network/valid_openvpn_with_cert_pems.onc ('K') | « chromeos/test/data/network/valid_openvpn_with_cert_pems.onc ('k') | components/onc/onc_constants.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 <!DOCTYPE html>	1 <!DOCTYPE html>

2 <html>	2 <html>

3 <head>	3 <head>

4 <meta charset="utf-8">	4 <meta charset="utf-8">

5 <link rel="stylesheet" href="onc_spec.css" >	5 <link rel="stylesheet" href="onc_spec.css" >

6 <script src="onc_spec.js"></script>	6 <script src="onc_spec.js"></script>

7 <title>Open Network Configuration Format</title>	7 <title>Open Network Configuration Format</title>

8 </head>	8 </head>

9 <body>	9 <body>

10	10

(...skipping 1176 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1187 </dd>	1187 </dd>

1188	1188

1189 <dt class="field">Verb</dt>	1189 <dt class="field">Verb</dt>

1190 <dd>	1190 <dd>

1191 <span class="field_meta">	1191 <span class="field_meta">

1192 (optional)	1192 (optional)

1193 <span class="type">string</span>	1193 <span class="type">string</span>

1194 </span>	1194 </span>

1195 Verbosity level, defaults to openvpn default if not specified.	1195 Verbosity level, defaults to openvpn default if not specified.

1196 </dd>	1196 </dd>

	1197

	1198 <dt class="field">VerifyHash</dt>

	1199 <dd>

	1200 <span class="field_meta">

	1201 (optional)

	1202 <span class="type">string</span>

	1203 </span>

	1204 If set, this value is passed as the "--verify-hash" argument to OpenVPN,

	1205 which specifies the SHA1 fingerprint for level-1 certificate.
	bartfab (slow) 2013/11/07 10:48:56 Nit: s/for/for the/ Nit: s/for/for the/ pneubeck (no reviews) 2013/11/11 11:53:43 Done. Show quoted text On 2013/11/07 10:48:56, bartfab wrote: > Nit: s/for/for the/ Done.
	1206 </dd>

	1207

	1208 <dt class="field">VerifyX509</dt>

	1209 <dd>

	1210 <span class="field_meta">

	1211 (optional)

	1212 <span class="type">VerifyX509</span>

	1213 </span>

	1214 If set, the "--verify-x509-name" argument is passed to OpenVPN with the v alues of this object and only connections will be accepted if a host's X.509 nam e is equal to the given name.

	1215 </dd>

1197 </dl>	1216 </dl>

	1217

	1218 <p>

	1219 <span class="type">VerifyX509</span> type contains the following:

	1220 </p>

	1221 <dl class="field_list">

	1222 <dt class="field">Name</dt>

	1223 <dd>

	1224 <span class="field_meta">

	1225 (required)

	1226 <span class="type">string</span>

	1227 </span>

	1228 The name that the host's X.509 name is compared to. Which host name is com pared depends on the value of <span class="field">Type</span>.

	1229 </dd>

	1230

	1231 <dt class="field">Type</dt>

	1232 <dd>

	1233 <span class="field_meta">

	1234 (required)
	Paul Stewart 2013/11/06 14:22:20 The type value is not required in either shill or The type value is not required in either shill or OpenVPN. It's up to you whether you wish to impose a requirement here. I don't know what this means for the behavior of potential ".ovpn" to ONC translators. pneubeck (no reviews) 2013/11/06 14:50:42 Ah. I see. I initially thought it unusual if there Show quoted text On 2013/11/06 14:22:20, Paul Stewart wrote: > The type value is not required in either shill or OpenVPN. It's up to you > whether you wish to impose a requirement here. I don't know what this means for > the behavior of potential ".ovpn" to ONC translators. Ah. I see. I initially thought it unusual if there would be a command line argument with a variable number of parameters. But you seem to be right. I think, I'll change the requirement to "optional" and default to 'subject' as currently described in the OpenVPN manpage. Did you read the section "Which RDN is verified as name, depends on the --x509-username-field option." Does it even make sense to allow the selection of type=name or type=name-prefix if "--x509-username-field" cannot be set? (the default is matching CN) Paul Stewart 2013/11/06 15:55:38 I've read that section. The CN is the most reason Show quoted text On 2013/11/06 14:50:42, pneubeck wrote: > On 2013/11/06 14:22:20, Paul Stewart wrote: > > The type value is not required in either shill or OpenVPN. It's up to you > > whether you wish to impose a requirement here. I don't know what this means > for > > the behavior of potential ".ovpn" to ONC translators. > > Ah. I see. I initially thought it unusual if there would be a command line > argument with a variable number of parameters. But you seem to be right. > > I think, I'll change the requirement to "optional" and default to 'subject' as > currently described in the OpenVPN manpage. > > Did you read the section "Which RDN is verified as name, depends on the > --x509-username-field option." > Does it even make sense to allow the selection of type=name or type=name-prefix > if "--x509-username-field" cannot be set? (the default is matching CN) I've read that section. The CN is the most reasonable RDN to match against. "type=name" and "type=name-prefix" have a completely different behavior than "subject", so I think all three options are expressive. I'm agnostic to whether you supply the "subject" value for the name option or leave it to OpenVPN to perform its default behavior.
	1235 <span class="type">string</span>

	1236 </span>

	1237 Determines which of the host's X.509 names will be verified. Allowed value s are <span class="value">name</span>, <span class="value">name-prefix</span> an d <span class="value">subject</span>. See OpenVPN's documentation for "--verify- x509-name" for the meaning of each value.

	1238 </dd>

	1239 </dl>

	1240

1198 </section>	1241 </section>

1199	1242

1200 </section>	1243 </section>

1201	1244

1202 <section>	1245 <section>

1203 <h1>Client certificate patterns</h1>	1246 <h1>Client certificate patterns</h1>

1204 <p>	1247 <p>

1205 In order to allow clients to securely key their private keys and request	1248 In order to allow clients to securely key their private keys and request

1206 certificates through PKCS#10 format or through a web flow, we provide	1249 certificates through PKCS#10 format or through a web flow, we provide

1207 alternative CertificatePattern types. The	1250 alternative CertificatePattern types. The

(...skipping 938 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2146 is transmitted or saved to disk should be secure. On client device, when	2189 is transmitted or saved to disk should be secure. On client device, when

2147 user names for connections that are user-specific are persisted to disk,	2190 user names for connections that are user-specific are persisted to disk,

2148 they should be stored in a location that is encrypted. Users can also opt in	2191 they should be stored in a location that is encrypted. Users can also opt in

2149 these cases to not save their user credentials in the config file and will	2192 these cases to not save their user credentials in the config file and will

2150 instead be prompted when they are needed.	2193 instead be prompted when they are needed.

2151 </p>	2194 </p>

2152 </section>	2195 </section>

2153 </section>	2196 </section>

2154 </body>	2197 </body>

2155 </html>	2198 </html>

OLD	NEW