Use certificates from Keychain

Max®

Sep 28, 2016, 10:19:27 AM
to tunnelblick-discuss
Hi,
I need to create a solution where Tunnelblick uses certificates stored in the Keychain (they are provided by a Windows CA and distributed with Casper).
In the past few hours I've read a little bit of information, but I could not tell whether the various patches and proposed changes were then integrated, and how they work.
(e.g.:
but also

Is there anyone here who uses a similar scenario? Is it possible to do it?

Thanks to anyone who can help me!

Tested with:
OS X 10.11.6
Tunnelblick 3.6.7c (b4606) (inside OpenVPN 2.3.12)

Tunnelblick developer

Sep 28, 2016, 10:37:18 AM
to tunnelblick-discuss, morla...@manord.com
According to your first link, support for use of the Keychain was added to the master branch of OpenVPN in changeset 39e3d33 on 2015-04-13. It would thus be included in all recent Tunnelblick beta versions, which include a version of OpenVPN from the master branch (named "OpenVPN 2.3 git x", where "x" is the hash of the latest commit in the master branch at the time the source code was copied).

However, Tunnelblick's support for OpenVPN's management interface does not include support for the "NEED-CERTIFICATE" or "RSA-SIGN" commands, so I do not think this feature would work when using Tunnelblick.

There seems to be little demand for adding this to Tunnelblick, so I am not inclined to work on it myself. But I would welcome pull requests that implement "NEED-CERTIFICATE" and "RSA-SIGN" handling to make this work in Tunnelblick.

morla...@manord.com

Sep 28, 2016, 11:20:53 AM
to tunnelblick-discuss, morla...@manord.com
Hi,
thank you for your kind and quick response.
That was what I thought too... but I can't run the '--management-external-cert' command (quoted in the second link) even with OpenVPN 2.3_git_38f98fd, which is contained in the latest beta version of Tunnelblick.
In any case, until Tunnelblick supports it, it seems to me unnecessary to investigate further.

I hope that this will soon be taken into consideration. I believe that when the feature becomes available, my boss would also be willing to make a (small) donation ;-)
We can talk about it by PM if need be.

Thanks!
Max

Tunnelblick developer

Sep 28, 2016, 11:38:01 AM
to tunnelblick-discuss, morla...@manord.com
Hmmm. Looking at the OpenVPN code, OpenVPN must be built with a switch that sets up "MANAGEMENT_EXTERNAL_KEY" or it won't include the Keychain support.

Tunnelblick doesn't build OpenVPN with that switch set, so the OpenVPN versions built into Tunnelblick do not include code to handle the --management-external-cert option.

morla...@manord.com

Sep 28, 2016, 11:45:52 AM
to tunnelblick-discuss, morla...@manord.com
Therefore, no hope now?
Not good...

Thanks anyway for your help.

Tunnelblick developer

Sep 28, 2016, 11:46:33 AM
to tunnelblick-discuss, morla...@manord.com
I mis-wrote:

Hmmm. Looking at the OpenVPN code, OpenVPN must be built with a switch that sets up "MANAGEMENT_EXTERNAL_KEY" or it won't include the Keychain support.

That should have been:

Hmmm. Looking at the OpenVPN code, OpenVPN must be built with a switch that sets up "MANAGEMENT_EXTERNAL_KEY" or it won't include the --management-external-key or --management-external-cert options.

OpenVPN itself doesn't include the Keychain support. That must be included in a separate program that includes management interface code. OpenVPN includes an example of such a program in the contrib/keychain-mcd folder. Tunnelblick has its own code that interfaces with the management interface; it is that code that would need to implement "NEED-CERTIFICATE" and "RSA-SIGN".
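
The exchange the developer describes here, as an added Python illustration that is not code from OpenVPN, Tunnelblick or contrib/keychain-mcd. It assumes the notification and command names from OpenVPN's management-notes.txt: the daemon pushes `>NEED-CERTIFICATE:<hint>` and expects a `certificate` ... `END` block in return, and pushes `>RSA_SIGN:<base64 data>` (written "RSA-SIGN" in this thread) and expects `rsa-sig` ... `END`. The in-memory keychain, its subject matching, the HMAC stand-in for the Keychain signing call and the sample stream are all constructed for the example and are not how the real Security framework or keychain-mcd behave.

```python
"""Model of the OpenVPN management-interface exchange behind
--management-external-cert / --management-external-key.

OpenVPN never holds the private key. It pushes two asynchronous
notifications to whatever program is attached to the management socket:

    >NEED-CERTIFICATE:<hint>     answered with:  certificate / <PEM lines> / END
    >RSA_SIGN:<base64 data>      answered with:  rsa-sig / <base64 signature> / END

The management client (keychain-mcd in OpenVPN's contrib tree, or
Tunnelblick's own code if it implemented this) is the only component that
touches the key. Everything below is a constructed, offline stand-in.
"""
import base64
import binascii
import hashlib
import hmac

NEED_CERT_PREFIX = ">NEED-CERTIFICATE:"
RSA_SIGN_PREFIX = ">RSA_SIGN:"


class InMemoryKeychain:
    """Constructed stand-in for the macOS Keychain (assumption, not real API).

    A real client would look the identity up with the Security framework and
    sign with the key it holds. Here the "key" is a secret byte string and
    sign() returns an HMAC-SHA256 tag, which is NOT an RSA signature; it only
    lets the framing be exercised without any crypto library.
    """

    def __init__(self, subject, cert_pem, secret):
        self.subject = subject
        self.cert_pem = cert_pem
        self._secret = secret

    def find_certificate(self, hint):
        # The hint is the arbitrary string given to --management-external-cert.
        # keychain-mcd uses selectors like "macosx-keychain:subject:c=US/o=X";
        # this stand-in only matches the trailing subject component (assumption).
        if not hint.endswith(":" + self.subject):
            raise LookupError(f"no identity in keychain matches {hint!r}")
        return self.cert_pem

    def sign(self, data):
        return hmac.new(self._secret, data, hashlib.sha256).digest()


def parse_notification(line):
    """Classify one line read from the management socket.

    Returns ("certificate", hint), ("rsa-sign", raw_bytes) or None for lines
    that are not one of the two notifications (the banner, SUCCESS:/ERROR:
    replies, >STATE: and friends). Malformed base64 is rejected rather than
    passed to the signer.
    """
    if line.startswith(NEED_CERT_PREFIX):
        hint = line[len(NEED_CERT_PREFIX):].strip()
        if not hint:
            raise ValueError("NEED-CERTIFICATE without a hint")
        return "certificate", hint
    if line.startswith(RSA_SIGN_PREFIX):
        payload = line[len(RSA_SIGN_PREFIX):].strip()
        try:
            data = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed RSA_SIGN payload: {exc}") from exc
        if not data:
            raise ValueError("empty RSA_SIGN payload")
        return "rsa-sign", data
    return None


def handle_line(keychain, line):
    """Produce the multi-line command that answers one notification, or None."""
    parsed = parse_notification(line)
    if parsed is None:
        return None
    kind, payload = parsed
    if kind == "certificate":
        pem = keychain.find_certificate(payload).strip()
        return ["certificate", *pem.splitlines(), "END"]
    signature = keychain.sign(payload)
    return ["rsa-sig", base64.b64encode(signature).decode("ascii"), "END"]


def run_session(keychain, lines):
    """Feed a captured management stream through the handler and return the
    replies, newline-joined, in the order they would be written back."""
    replies = []
    for line in lines:
        reply = handle_line(keychain, line.rstrip("\r\n"))
        if reply is not None:
            replies.append("\n".join(reply))
    return replies


# Constructed sample material: a placeholder PEM body and a fake "key".
SAMPLE_KEYCHAIN = InMemoryKeychain(
    subject="c=US/o=Example/cn=alice",
    cert_pem="-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE").decode()
    + "\n-----END CERTIFICATE-----\n",
    secret=b"constructed demo secret, not a real key",
)

# Constructed stream; only the first line is OpenVPN's real greeting banner.
SAMPLE_STREAM = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">NEED-CERTIFICATE:macosx-keychain:subject:c=US/o=Example/cn=alice",
    ">RSA_SIGN:" + base64.b64encode(b"constructed handshake data to sign").decode(),
]

if __name__ == "__main__":
    for reply in run_session(SAMPLE_KEYCHAIN, SAMPLE_STREAM):
        print(reply)
        print()
```

What the model makes visible is where the trust boundary sits: the private key never crosses the management channel, only the data to be signed goes out and only the signature comes back. The flip side is that whatever process speaks to that socket becomes a signing oracle for the Keychain identity, so the socket (or the Tunnelblick code that would hold it) has to be protected at least as carefully as the key file it replaces.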

Tunnelblick developer

Sep 28, 2016, 11:47:42 AM
to tunnelblick-discuss, morla...@manord.com
No hope for it to be built into Tunnelblick soon, anyway. Sorry.

geoffrey...@onfido.com

Jan 11, 2018, 6:50:53 AM
to tunnelblick-discuss
Could anyone tell me if this has changed and Tunnelblick now implements it?

Thanks a lot

Tunnelblick developer

Jan 11, 2018, 7:15:10 AM
to tunnelblick-discuss
No, sorry.

This feature was removed from OpenVPN because of concerns about potential bugs.

adesc...@kronostechnologies.com

Mar 5, 2019, 4:09:06 PM
to tunnelblick-discuss
Feature flag was simply renamed ENABLE_MANAGEMENT, but it's still in the codebase.

Tunnelblick developer

Mar 5, 2019, 5:44:28 PM
to tunnelblick-discuss
On Tuesday, March 5, 2019 at 4:09:06 PM UTC-5, <> wrote:
Feature flag was simply renamed ENABLE_MANAGEMENT, but it's still in the codebase.

That's not correct.

(A) ENABLE_MANAGEMENT does something different: it enables code for the management interface.

(B) The code for using certificates from the macOS Keychain was removed in:

commit 59e7e9fce8de6ea90d13baeaede83adc0b594e22  (master)
commit b597ded895e372831bb19538e5591d5c52270a44  (release/2.4)

(C) Although Tunnelblick developers committed to "taking over" the codebase, it was deemed to be too flawed to be included in Tunnelblick without major work, work which nobody has done.