On 04/02/13 08:43, Adriaan de Jong wrote:
>> -----Original Message-----
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: Sunday, 3 February 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>>
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>>
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything....
>>
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation. If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number, the connection will be
>> denied.
>>
>
> Confirmed, with the footnote that this is a weird way of going about things.
>
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards,
> and forcing people to either:
>
> - Create an actual CRL file. This is not difficult. In general, people using
>   OpenVPN should be managing their own CA in the OpenVPN world.
> - Failing that, create a custom script to do this.
>
> I'm always open for discussion, but imho this should not be core
> functionality in OpenVPN.
I agree that this directory-based "CRL" with empty files shouldn't be a core part of OpenVPN. This is, in my eyes, what --tls-verify scripts are supposed to solve.

I also agree with JJK that implementing proper CA path support makes a lot of sense. Even though PolarSSL lacks this support now, I believe Paul wouldn't instantly object to a patch implementing CA path support.

However, I'm not sure it's a good idea to remove this feature in 2.4 or earlier. There are people depending on this feature. And it touches the same discussion topic we had at FOSDEM regarding --compat-names and --no-name-remapping.

If removed, I would say it should be removed in OpenVPN 3. We can start warning about it in 2.4. However, I'd really like to have James' feedback on this as well before we just decide to kill it off at a later release. Just because I want to avoid the same situation/discussion as we had at FOSDEM.

--
kind regards,

David Sommerseth
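As an added illustration of the "custom script" route discussed in this thread (this is example code, not from OpenVPN or from anyone on the list), the following --tls-verify script reproduces the directory-of-empty-files check outside the core: a connection is refused when a file named after the client certificate's serial number exists in a revocation directory. It assumes OpenVPN exports the leaf certificate's serial as the tls_serial_0 environment variable in decimal, that the script is only meant to act at depth 0, and that the directory path is passed in via a hypothetical CRL_DIR setenv.

```shell
#!/bin/sh
# Example --tls-verify script (not OpenVPN's own code) that mimics
# "--crl-verify <dir> dir": one empty file per revoked serial number.
# Assumed server config:
#   setenv CRL_DIR /etc/openvpn/revoked
#   tls-verify /etc/openvpn/crl-dir-verify.sh
# Assumed environment from OpenVPN: tls_serial_0 = leaf cert serial (decimal).

CRL_DIR="${CRL_DIR:-/etc/openvpn/revoked}"

# check_crl_dir DIR SERIAL
# Returns 0 (allow) when no file named SERIAL exists in DIR, and 1 (deny)
# when such a file exists or SERIAL is not a plain decimal number. The
# format check matters because SERIAL is spliced into a filesystem path:
# anything containing '/' or '..' must never reach the lookup.
check_crl_dir() {
    dir="$1"
    serial="$2"
    case "$serial" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ -e "$dir/$serial" ]; then
        return 1
    fi
    return 0
}

# OpenVPN invokes the script as: <script> <depth> <x509 subject>
# Only the leaf certificate (depth 0) is checked against the directory;
# CA and intermediate certs are accepted here and left to normal chain
# validation.
main() {
    depth="$1"
    subject="$2"
    [ "$depth" -eq 0 ] || return 0
    if check_crl_dir "$CRL_DIR" "${tls_serial_0:-}"; then
        return 0
    fi
    echo "crl-dir-verify: denying serial '${tls_serial_0:-?}' ($subject)" >&2
    return 1
}

# Run only when invoked by OpenVPN with its two arguments.
if [ "$#" -ge 2 ]; then
    main "$@"
    exit $?
fi
```

Like the built-in "dir" mode, this only covers certificates whose serial you have explicitly listed; it is no substitute for a real CRL published by the CA, which is the route Adriaan recommends above.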