On 15/01/17 07:17, Pavel Raiskup wrote: > Adding a new --with-ca-bundle configure option. It's argument is > used as default CA file when no --ca option is specified at > runtime. > > This option is primarily designed for systems where users are > allowed to manage trusted authorities for whole system (in one > consolidated file; usually implemented in 'ca-certificates' > package). > > Signed-off-by: Pavel Raiskup <prais...@redhat.com> > --- > configure.ac | 5 +++++ > src/openvpn/options.c | 9 +++++++++ > 2 files changed, 14 insertions(+)
As this was mentioned on a Red Hat Bugzilla (bz #1413343 [1]) as well, I'm reiterating my argument here for closing that bugzilla as notabug. I completely agree with Steffan, this is a NAK. Such a feature would be a dreamscenario for The Great Firewall of China and similar national routing instances which implements complete network surveillance. It would make it extremely trivial for them to implement a MITM OpenVPN server which would affect users not being aware of this issue. This feature would elude users configuring OpenVPN it is no problem using certificates from public CA issuers. This is a VERY BAD idea! We should help users configure OpenVPN in a secure way by default. Not the opposite. [1] <https://bugzilla.redhat.com/show_bug.cgi?id=1413343> -- kind regards, David Sommerseth OpenVPN Technologies, Inc
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
