
5.2.8.3 OpenSSL CA

For many tunnel brokers, having some form of access control and authorisation is mandatory. OpenVPN offers a very flexible and secure way of authorising access using X.509 certificates and keys. OpenVPN uses functionality provided by the OpenSSL library (e.g. TLS key exchange). The OpenSSL CA is needed to sign certificates for clients that would like to connect to the tunnel broker.

When a new client subscribes to the tunnel broker service, the following things have to be done:

1. Create an X.509 key and certificate for the client.
2. The CA verifies the identity of the client and its authorisation to actually use the tunnel broker, and then signs the client's certificate.
3. The CA’s certificate is given to both the client and the server. It is used to verify the signature of the X.509 certificates of both client and server when they execute a TLS key exchange.

The CA is the trusted third party on which both the server and the client rely.

When a client starts an OpenVPN connection to the server, client and server go through the following steps:

1. TLS handshake and key exchange is started.
2. Both server and client verify the Common Names of each other's public certificates. Only if the Common Names check succeeds do server and client continue the negotiation. (The Common Names verification can be seen as an initial sanity check.)
3. After the Common Names verification, the key exchange is started. Server and client verify each other's keys using the CA's certificate to check whether the signatures of the certificates are valid. If they are, both client and server proceed.
4. The server uses the client's certificate to cipher the stream that is sent to the client, and it uses OpenSSL functionality to multiplex the tunnel into a UDP/IPv4 stream. The client uses its private key to decrypt the ciphered stream after demultiplexing it. The client's use of the server's certificate is analogous.

This summarises where the OpenSSL CA and the X.509 certificates and keys created by the CA play a key role.
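The enrolment steps (key, CA-signed certificate, distributed CA certificate) and the two handshake checks (Common Name, signature chained to the CA) can be reproduced with the OpenSSL command line. The script below is an added example, not part of the original handbook or of OpenVPN; it assumes the `openssl` binary is installed, and all names (tunnelbroker-ca, client42, rogue-ca) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway OpenSSL CA, one enrolled client, and the checks
# an OpenVPN peer performs. Assumes the openssl CLI is available.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Enrolment: CA key + self-signed CA cert, client key + request, CA signs
# the request. ca.crt is the file handed to both client and server.
# A second, unrelated CA ("rogue-ca") signs the same request so the chain
# check below has a certificate it must reject.
build_pki() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=tunnelbroker-ca" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client42" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 365 -out client.crt 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=rogue-ca" -keyout rogue.key -out rogue.crt 2>/dev/null
  openssl x509 -req -in client.csr -CA rogue.crt -CAkey rogue.key \
    -CAcreateserial -days 365 -out rogue-client.crt 2>/dev/null
)

# Handshake step 3: is the certificate's signature chained to our CA?
# Returns 0 for a certificate signed by ca.key, non-zero otherwise.
verify_chain() {  # $1 = certificate file name inside $WORK
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

# Handshake step 2: pull the Common Name out of the subject so it can be
# compared with the peer name the configuration expects.
common_name() {  # $1 = certificate file name inside $WORK
  openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
```

Run `build_pki` once, then `verify_chain client.crt` succeeds while `verify_chain rogue-client.crt` fails even though the subject names are identical, which is exactly why the Common Name check alone is only a sanity check.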

Note: Usually the basic configuration of an OpenVPN based tunnel broker uses encrypted tunnel streams. However, it is possible to use the null cipher instead of the Blowfish block cipher. This avoids some performance and overhead issues, but the tunnelled traffic then travels unencrypted; only the TLS control channel remains protected.