access levels
This page describes Easy-TLS Access levels
The simplest level of access policy is the Easy-TLS disabled-list. Any TLS-Crypt-V2 key can be disabled/enabled immediately via this list.
Also, each key is created with a record of its creation date, so that keys can have an arbitrary lifetime, defined by TLSKEY_MAX_AGE.
Now, there are seven levels of defence which the Server can be set to:
Note: Levels [0] - [3] allow all types of TLS key to connect.
- [0] Lowest - Allow all valid TLS-AUTH/Crypt/V2 keys to connect.
  Basic TLS-Crypt-V2 key tests are NOT performed, e.g. disabled-list and TLSKEY_MAX_AGE.
  Extended TLS-Crypt-V2 key tests are NOT performed.
- [1] Low - Functionally equivalent to [0] Lowest - Allow all..
  Except, ALL TLS-Crypt-V2 key extended tests are performed.
  Same as [2] Default, except filter-address mismatches are IGNORED.
- [2] Default - Do not require clients to push a HWADDR.
  TLS-Crypt-V2 keys with a HWADDR mismatch will be disconnected.
  TLS-Crypt-V2 keys without a HWADDR can connect.
  TLS Auth and Crypt-v1 keys can connect.
- [3] Medium - Require all clients to push a HWADDR.
  TLS-Crypt-V2 keys with a HWADDR mismatch will be disconnected.
  TLS-Crypt-V2 keys without a HWADDR can connect but must push a HWADDR.
  TLS Auth and Crypt-v1 keys can connect but must push a HWADDR.

Note: Levels [4] - [6] allow only TLS-Crypt-V2 keys to connect.

- [4] Medium-High - Do not require clients to push a HWADDR.
  TLS-Crypt-V2 keys without a Hardware-address can connect.
- [5] High - Require all clients to push a HWADDR.
  TLS-Crypt-V2 keys without a HWADDR can connect but must push a HWADDR.
- [6] Highest - HWADDR verification is enforced on all clients.
  TLS-Crypt-V2 key must have a HWADDR and client must push a HWADDR.

Note:
- Currently, IP filter-addresses are automatically integrated.
  If a key contains IP filter-addresses then these are matched automatically, if option PEER_IP_MATCH is set. Otherwise, mismatches are ignored.
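
The HWADDR rules from the level list above, written out as a decision function; this is an added example, not code from Easy-TLS, and every function name, argument and result string in it is hypothetical. It does not model the disabled-list, TLSKEY_MAX_AGE or IP filter-addresses. Assumptions: a HWADDR mismatch disconnects at levels [4] to [6] as it does at [2] and [3], level [1] ignores HWADDR mismatches, and addresses are compared with separators removed and in upper case.

```sh
#!/bin/sh
# Added illustration of the HWADDR rules only; not Easy-TLS code.
# Function names, arguments and result strings are hypothetical.

# Normalise a MAC for comparison (assumed form: no separators, upper-case).
norm_hw() { printf '%s' "$1" | tr -d ':-' | tr 'a-f' 'A-F'; }

# access_decision LEVEL KEYTYPE KEY_HWADDR PUSHED_HWADDR
#   KEYTYPE is auth, crypt or v2; an empty HWADDR argument means "none".
#   Prints allow or deny:<reason>; returns 0 allow, 1 deny, 2 bad input.
access_decision() {
    level=$1; ktype=$2
    key_hw=$(norm_hw "$3"); push_hw=$(norm_hw "$4")
    case $ktype in
        auth|crypt|v2) ;;
        *) echo "error:keytype"; return 2 ;;
    esac
    # Assumed: the mismatch check also applies at [4]-[6], as at [2]-[3].
    v2_only=0; need_push=0; need_key_hw=0; check_match=1
    case $level in
        0|1) check_match=0 ;;   # [0] no tests, [1] mismatches ignored
        2) ;;                   # [2] push optional
        3) need_push=1 ;;
        4) v2_only=1 ;;
        5) v2_only=1; need_push=1 ;;
        6) v2_only=1; need_push=1; need_key_hw=1 ;;
        *) echo "error:level"; return 2 ;;
    esac
    if [ "$v2_only" = 1 ] && [ "$ktype" != v2 ]; then
        echo "deny:not-v2"; return 1
    fi
    if [ "$need_push" = 1 ] && [ -z "$push_hw" ]; then
        echo "deny:no-push"; return 1
    fi
    if [ "$need_key_hw" = 1 ] && [ -z "$key_hw" ]; then
        echo "deny:key-no-hwaddr"; return 1
    fi
    # Assumption: a key HWADDR with no pushed HWADDR is not a mismatch
    # where a push is optional; the page does not state this case.
    if [ "$check_match" = 1 ] && [ -n "$key_hw" ] && [ -n "$push_hw" ] &&
        [ "$key_hw" != "$push_hw" ]; then
        echo "deny:mismatch"; return 1
    fi
    echo allow
}

# Constructed sample: key bound to one MAC, client pushes another.
access_decision 2 v2 'AA:BB:CC:DD:EE:FF' '11:22:33:44:55:66' || true
```

Running the same constructed inputs through each level shows which connections a change of level would start rejecting before it is applied to a live server.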