On 15-01-17 10:12, Gert Doering wrote:
> On Sun, Jan 15, 2017 at 09:52:46AM +0100, Steffan Karger wrote:
>> On 15-01-17 07:17, Pavel Raiskup wrote:
> [..]
>>> This option is primarily designed for systems where users are
>>> allowed to manage trusted authorities for the whole system (in one
>>> consolidated file; usually implemented in the 'ca-certificates'
>>> package).
> [..]
>>
>> Feature-NAK. OpenVPN should use its own CA, not the system CA list.
>
> I could see the use-case (enterprise-wide list of trusted CAs, and
> use of it compiled into an enterprise-distributed openvpn bundle),
> but I agree with Steffan that it's not something we need to have in
> OpenVPN - "--ca" can reference a CA bundle today, and enterprise-distributed
> config files reference the enterprise-maintained CA bundle,
> it will just work without code changes.
Yes, I got that. I'll be a bit more verbose: the use case is sufficiently covered by --ca (as Gert says), and this option is *way* too likely to be misinterpreted to 'point to /etc/ssl/certs/ca-certificates.crt', which will in almost all setups significantly reduce security. We have plenty of confusing options, we really don't need another one :)

-Steffan
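An added example, not code from this thread or from the OpenVPN project: a small Python check that flags the misconfiguration Steffan warns about, a `ca` directive that points at the system-wide trust store instead of a dedicated CA bundle. The list of system bundle paths is an assumption (common distribution locations), as are the constructed sample profiles.

```python
import re

# Assumed common locations of the system-wide CA bundle; not from the thread.
SYSTEM_CA_BUNDLES = {
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/cert.pem",
}


def check_ca_directive(config_text):
    """Inspect the 'ca' configuration of an OpenVPN profile.

    Returns a list of findings (empty when the profile pins a dedicated CA,
    either via 'ca <file>' or an inline <ca>...</ca> block).
    """
    findings = []
    # A 'ca' line at the start of a line; commented lines ('#' or ';') do not match.
    ca_paths = [
        m.group(1).strip().strip('"')
        for m in re.finditer(r"^\s*ca\s+(.+?)\s*$", config_text, re.M)
    ]
    has_inline = bool(
        re.search(r"^<ca>\s*$", config_text, re.M)
        and re.search(r"^</ca>\s*$", config_text, re.M)
    )
    if not ca_paths and not has_inline:
        findings.append("no 'ca' directive: server certificate is not pinned to a dedicated CA")
    for path in ca_paths:
        if path in SYSTEM_CA_BUNDLES:
            findings.append(
                f"'ca {path}' points at the system trust store: any publicly trusted CA "
                "could then issue a certificate the client accepts for this VPN server"
            )
    return findings


# Constructed sample profiles for illustration.
GOOD_PROFILE = "client\nremote vpn.example.com 1194\nca enterprise-bundle.crt\ncert c.crt\nkey c.key\n"
SYSTEM_CA_PROFILE = "client\nremote vpn.example.com 1194\nca /etc/ssl/certs/ca-certificates.crt\n"
INLINE_PROFILE = "client\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n</ca>\n"
MISSING_CA_PROFILE = "client\nremote vpn.example.com 1194\n# ca enterprise-bundle.crt\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD_PROFILE), ("system", SYSTEM_CA_PROFILE),
                       ("inline", INLINE_PROFILE), ("missing", MISSING_CA_PROFILE)]:
        print(name, check_ca_directive(text) or "ok")
```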
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel