Hi,

On 15-01-17 07:17, Pavel Raiskup wrote:
> Adding a new --with-ca-bundle configure option.  Its argument is
> used as the default CA file when no --ca option is specified at
> runtime.
> 
> This option is primarily designed for systems where users are
> allowed to manage trusted authorities for the whole system (in one
> consolidated file; usually implemented in the 'ca-certificates'
> package).
> 
> Signed-off-by: Pavel Raiskup <prais...@redhat.com>
> ---
>  configure.ac          | 5 +++++
>  src/openvpn/options.c | 9 +++++++++
>  2 files changed, 14 insertions(+)
> 
> diff --git a/configure.ac b/configure.ac
> index 43487b0..f5e1e63 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -308,6 +308,11 @@ AC_ARG_WITH(
>       [with_plugindir="\$(libdir)/openvpn/plugins"]
>  )
>  
> +AC_ARG_WITH(
> +     [ca-bundle],
> +     [AS_HELP_STRING([--with-ca-bundle], [use consolidated CA bundle])],
> +     [AC_DEFINE_UNQUOTED([DEFAULT_CA_FILE], ["$withval"], [Default --ca 
> argument])]
> +)
>  
>  AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
> host])
>  case "$host" in
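Review bot: `--with-ca-bundle` given without a value, or `--without-ca-bundle`, leaves `$withval` as the literal `yes` or `no`, and the `AC_DEFINE_UNQUOTED([DEFAULT_CA_FILE], ["$withval"], ...)` above then compiles "yes" or "no" in as the default CA path. Guard the define so it only fires for a real path, e.g. `AS_IF([test "x$withval" != xyes && test "x$withval" != xno], [AC_DEFINE_UNQUOTED(...)])`, and spell the help string `--with-ca-bundle=PATH` so the option documents that it takes a file name rather than reading as a boolean.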
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d9c384e..92d81ae 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -3000,6 +3000,15 @@ options_postprocess_mutate(struct options *o)
>      }
>  #endif
>  
> +#ifdef DEFAULT_CA_FILE
> +    if (!o->ca_file && !platform_access(DEFAULT_CA_FILE, R_OK))
> +    {
> +        msg(M_WARN, "option '--ca' unspecified; using system bundle '%s'",
> +            DEFAULT_CA_FILE);
> +        o->ca_file = DEFAULT_CA_FILE;
> +    }
> +#endif
> +
>  #if ENABLE_MANAGEMENT
>      if (o->http_proxy_override)
>      {
> 
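Review bot: the `#ifdef DEFAULT_CA_FILE` block is silent when the compiled-in bundle is not readable: if `platform_access(DEFAULT_CA_FILE, R_OK)` fails, `o->ca_file` stays unset and the user only sees whatever the later TLS setup reports, with no hint that this build expected a bundle at DEFAULT_CA_FILE. Add an `else` branch that logs the path that was tried. The condition also tests only `!o->ca_file`, so any configuration that establishes trust another way but leaves `ca_file` unset (`--capath`, for instance) still gets the system bundle added on top of it; if the fallback is kept at all, restrict it to the case where no trust source has been configured, and consider M_INFO rather than M_WARN for a message that will otherwise appear on every start of a build that relies on the default.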

Feature-NAK.  OpenVPN should use its own CA, not the system CA list.

There is no reason to allow hundreds of parties in the world to
man-in-the-middle your OpenVPN connections.  Please please please do not
use your system CA list for OpenVPN, just specify the CA you do want to
trust.

(OpenVPN is /not/ WWW, don't think about OpenVPN's usage of CAs as if it
were the WWW.)

-Steffan

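As an added illustration of the trust-scope point made above (an example script written for this page, not code from the patch, the thread or the OpenVPN project; it assumes the openssl(1) command-line tool is installed, and every CA and host name in it is made up), the script below builds a private VPN CA and a second, unrelated CA, issues a server certificate for the same host name from each, and then checks both certificates against the private CA alone and against a consolidated bundle of the kind a ca-certificates package ships:

```shell
#!/bin/sh
# Added example, not code from the patch or the thread: show what a pinned
# --ca buys you compared with pointing --ca at a system-wide bundle.
# Assumes the openssl(1) CLI is installed; all CA and host names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: a self-signed CA certificate and key in $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CA_NAME SUBJECT_CN OUT_NAME: a server certificate for SUBJECT_CN
# signed by the CA called CA_NAME, written to $WORK/OUT_NAME.crt
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$3.crt" >/dev/null 2>&1
}

# verify_with CAFILE CERT: prints "ok" when CERT chains to a CA in CAFILE,
# otherwise "fail". This is the chain check that a --ca file configures.
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca vpn-ca            # the CA you actually run for your VPN
make_ca some-public-ca    # stands in for any other CA found in a system bundle
issue_leaf vpn-ca         vpn.example.internal srv-ours
issue_leaf some-public-ca vpn.example.internal srv-rogue   # same name, other issuer

# A consolidated bundle as a ca-certificates package would ship it: both CAs.
cat "$WORK/vpn-ca.crt" "$WORK/some-public-ca.crt" > "$WORK/bundle.crt"

echo "pinned CA, our server:     $(verify_with "$WORK/vpn-ca.crt" "$WORK/srv-ours.crt")"
echo "pinned CA, rogue server:   $(verify_with "$WORK/vpn-ca.crt" "$WORK/srv-rogue.crt")"
echo "system bundle, rogue:      $(verify_with "$WORK/bundle.crt" "$WORK/srv-rogue.crt")"
```

With the private CA pinned, only the certificate it issued verifies; the certificate for the same host name from the other CA is rejected. With the bundle, both verify, so every issuer in the bundle can mint a certificate your client will accept for its VPN server. That is the extra trust the NAK objects to, and the way to avoid it is the one-line config the reply recommends: point `ca` at the single CA file you operate, not at the system bundle.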
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel