-
-
Notifications
You must be signed in to change notification settings - Fork 19
Metadata Access Policy
This page is out of date.
EasyTLS TLS-Crypt-V2 metadata honours the intent as detailed here, by syzzer.
EasyTLS creates the following client metadata single-word fields:
-
easytls
Automatically created
$EASYTLS_VERSIONis completely ignored except for the encryption of the key ..
This field is mandatory. -
CA-Identity
Automatically created
This is the CA-certificate-fingerprint hexadecimal value only.
This field is automatically checked.
Useeasytls-cryptv2-verify.sh -c|--ca=<Path-to-CA>to specify the correct CA.There are three ways which
easytls-cryptv2-verify.shcan verify the CA-Identity:- The default method is to use
opensslto generate the CA fingerprint each time.
- The second method is to read the CA-Identity file. (Faster)
Example:easytls-cryptv2-verify.sh --cache-id
Create The CA-Identity file using./easytls save-id.
- The third method is to preload the CA-Identity as a parameter to calling the script. (Fastest)
Example:easytls-cryptv2-verify.sh --preload-cache-id=<CA-IDENTITY>
CA-IDENTITY can be copied from the CA-Identity file.
- The default method is to use
-
Client-certificate-serial-number
Automatically created
This field is automatically checked.There are three ways which
easytls-cryptv2-verify.shcan verify the Client-certificate-serial-number:- The default method is to search the Certificate revocation list for the client serial number.
opensslis used to verify both the CA and CRL prior to checking the client serial number.
- The second method is to use
openssl cato check the certificate status.
This is not recommended by OpenSSL, which always returns an error even when it succeeds.
This method is disabled by default.
- The third method is search the CA
index.txtfile. (Preferred/Fastest)
This method does not need to loadopensslto verify any files.
- The default method is to search the Certificate revocation list for the client serial number.
-
Client-certificate-CommonName
Automatically created
This field is automatically checked. -
Creation-Date
Automatically created
%s seconds since 1970-01-01 00:00:00 UTC
This field is automatically checked.
Useeasytls-cryptv2-verify.sh -x|--max-tls-age=<Days>to specify your desired expiration date.
Disable this check by usingeasytls-cryptv2-verify.sh -x|--max-tls-age=0
Default age is 1825 days (5 years) -
Custom-Group
User defined by option-c|custom-group
This field is automatically checked.
Useeasytls-cryptv2-verify.sh -g|--custom-group=<CUSTOM-GROUP>to specify your Custom-Group.
Default Custom-Group isEASYTLS(Ignored, unless specified) -
Hardware-Address-Hardware-Address ..
User defined by option--hw-addr
Default:000000000000(Ignored)
Hardware-Addresscan be specified multiple times. (eg. Client Ethernet & Wifi)
See: https://github.com/TinCanTech/easy-tls/wiki/EasyTLS-Help-Hardware-Address-Access-Policy
Successful connection log:
2020-10-03 14:02:36 us=277021 127.0.0.1:12709 TLS: Initial packet from [AF_INET]127.0.0.1:12709, sid=56c3f9f6 306456f8
2020-10-03 14:02:36 us=277030 127.0.0.1:12709 Control Channel: using tls-crypt-v2 key
2020-10-03 14:02:36 us=277046 127.0.0.1:12709 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-03 14:02:36 us=277060 127.0.0.1:12709 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-03 14:02:36 us=277070 127.0.0.1:12709 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-03 14:02:36 us=277081 127.0.0.1:12709 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
<EXOK> * TLS-crypt-v2-verify (index) ==> easytls OK ==> custom_group tincantech OK ==> Key age 0 days OK ==> identity OK ==> Enabled OK ==> Client certificate is recognised and Valid: A5B17EA293E5560242CEDBDAF19E98DE c09
2020-10-03 14:02:36 us=291074 127.0.0.1:12709 TLS CRYPT V2 VERIFY SCRIPT OK
Example OpenVPN configuration file directive:
tls-crypt-v2-verify '/home/tct/easy-rsa/easyrsa3/easytls-cryptv2-verify.sh -v -c=/home/tct/easy-rsa/easyrsa3/pki -g=MY_CUSTOM_GROUP --via-index --pid-file=/etc/openvpn/server.pid --preload-id=HEX...'