On Sunday, January 15, 2017 11:08:38 AM CET David Sommerseth wrote:
> On 15/01/17 07:17, Pavel Raiskup wrote:
> > Adding a new --with-ca-bundle configure option. Its argument is
> > used as the default CA file when no --ca option is specified at
> > runtime.
> >
> > This option is primarily designed for systems where users are
> > allowed to manage trusted authorities for the whole system (in one
> > consolidated file; usually implemented in the 'ca-certificates'
> > package).
> >
> > Signed-off-by: Pavel Raiskup <prais...@redhat.com>
> > ---
> > configure.ac | 5 +++++
> > src/openvpn/options.c | 9 +++++++++
> > 2 files changed, 14 insertions(+)
>
> As this was mentioned on a Red Hat Bugzilla (bz #1413343 [1]) as well,
> I'm reiterating my argument here for closing that bugzilla as notabug.
>
> I completely agree with Steffan, this is a NAK. Such a feature would be
> a dream scenario for The Great Firewall of China and similar national
> routing instances which implement complete network surveillance. It
> would make it extremely trivial for them to implement a MITM OpenVPN
> server which would affect users who are not aware of this issue.
>
> This feature would delude users configuring OpenVPN into thinking it is
> no problem using certificates from public CA issuers. This is a VERY BAD
> idea! We should help users configure OpenVPN in a secure way by default.
> Not the opposite.
Ack, I originally thought about this as a tool to solve a "packaging issue". We have a corporate-wide authority, and people usually have it stored in the bundle. But I got the point, and such a shameful mistake -- there are too many trusted CAs. Thanks for having a look!

Pavel

>
> [1] <https://bugzilla.redhat.com/show_bug.cgi?id=1413343>

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel