X509 checks which can be performed during TLS verification phase - TinCanTech/easy-tls GitHub Wiki

Easy-TLS can perform X509 certificate checks during the TLS verification phase by using one of these options:

• --v1|--via-crl - This performs openssl certificate validity checks using the openssl binary.
• --v2|--via-ca - This is disabled due to a bug in openssl
• --v3|--via-index - This does not use openssl to perform any checks. Instead it searches your current CRL for certificate status using grep (This is my preferred method)

Using "Cache ID"

• EasyTLS saves the Identity to a text file which easytls-cryptv2-verify.sh reads, instead of loading openssl to extract the CA fingerprint and sed to format it.

• Use: easytls save-id and easytls-cryptv2-verify.sh option --cache-id. See respective help for usage details.

  My test showed an almost 1 second improvement running the unit test a lot.

Using "Preload Cache ID"

• Load the Identity as a command line parameter when OpenVPN calls easytls-cryptv2-verify.sh. This eliminates the need to repeatedly cat the Identity file.

• Use: easytls-cryptv2-verify.sh option --preload-cache-id=<ID>. See help for usage details.

What is Identity ?

• Identity is the CA certificate fingerprint formatted to one contiguous string.

  EG:

  OpenSSL fingerprint output: SHA1 Fingerprint=95:DC:<..snipped..>:03:DA

  EasyTLS Identity format: 95DC<..snipped..>03DA