On 15/01/17 14:52, Pavel Raiskup wrote:
> On Sunday, January 15, 2017 11:08:38 AM CET David Sommerseth wrote:
>> On 15/01/17 07:17, Pavel Raiskup wrote:
>>> Adding a new --with-ca-bundle configure option. Its argument is
>>> used as the default CA file when no --ca option is specified at
>>> runtime.
>>>
>>> This option is primarily designed for systems where users are
>>> allowed to manage trusted authorities for the whole system (in one
>>> consolidated file; usually implemented in the 'ca-certificates'
>>> package).
>>>
>>> Signed-off-by: Pavel Raiskup <prais...@redhat.com>
>>> ---
>>>  configure.ac          | 5 +++++
>>>  src/openvpn/options.c | 9 +++++++++
>>>  2 files changed, 14 insertions(+)
>>
>> As this was mentioned on a Red Hat Bugzilla (bz #1413343 [1]) as well,
>> I'm reiterating my argument here for closing that bugzilla as notabug.
>>
>> I completely agree with Steffan, this is a NAK. Such a feature would be
>> a dream scenario for The Great Firewall of China and similar national
>> routing instances which implement complete network surveillance. It
>> would make it extremely trivial for them to implement a MITM OpenVPN
>> server which would affect users not being aware of this issue.
>>
>> This feature would delude users configuring OpenVPN into thinking it is
>> no problem using certificates from public CA issuers. This is a VERY
>> BAD idea! We should help users configure OpenVPN in a secure way by
>> default. Not the opposite.
>
> Ack, I originally thought about this as a tool to solve a "packaging issue".
> We have a corporate-wide authority, and people usually have it stored in
> a bundle. But I got the point, and such a shameful mistake -- there are too
> many trusted CAs.
I would recommend seeing the CA file as being part of the configuration
instead of a packaging detail. And you can embed the CA inside the
configuration file ... just do this in the config:

<ca>
-----BEGIN CERTIFICATE-----
....
....
....
-----END CERTIFICATE-----
</ca>

This replaces the 'ca /path/to/ca.pem' line in the configuration file.

Otherwise, for enterprises doing their own packaging ... it is also
possible to install the OpenVPN CA file in /etc/pki/.... which is easily
done with RPM files which again can be pushed out through internal
repositories or Satellite. The distributed configurations would then
just need to use 'ca /etc/pki/tls/cert/openvpn-ca.pem'.

It all depends on how often it is expected to distribute configuration
files vs how often the CA certificate is renewed.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
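Added example, not code from the OpenVPN project or from anyone in this thread: a small POSIX shell script that does what the reply above describes, namely folds a 'ca /path' directive into an inline <ca>...</ca> block so the CA travels with the config, and a check that rejects the pattern the thread NAKs, a 'ca' line pointing at the distribution-wide bundle. The file names, the hostname vpn.example.invalid and the PEM body are constructed placeholders, and the bundle name patterns (ca-bundle, ca-certificates, tls-ca-bundle) are an assumption about common distribution file names, not anything OpenVPN itself checks.

```shell
#!/bin/sh
# Added example (not OpenVPN project code). Every path, host and certificate
# body below is a constructed placeholder.
set -eu

# embed_ca BASE_CONFIG CA_PEM: print BASE_CONFIG with any file-based 'ca'
# directive removed and the PEM inlined as a <ca>...</ca> block, which is
# the form OpenVPN accepts in place of 'ca /path/to/ca.pem'.
embed_ca() {
    grep -v '^[[:space:]]*ca[[:space:]]' "$1" || true
    printf '<ca>\n'
    cat "$2"
    printf '</ca>\n'
}

# check_config CONFIG: return 0 when the config pins a dedicated CA (an
# inline <ca> block, or a 'ca' file that is not a system bundle), 1
# otherwise. A 'ca' line naming the distribution bundle is the pattern
# rejected in the thread: any of the many publicly trusted CAs could then
# issue a certificate that the client accepts for the VPN server.
# The bundle name patterns are an assumption about common distro layouts.
check_config() {
    cfg="$1"
    if grep -Eiq '^[[:space:]]*ca[[:space:]]+.*(ca-bundle|ca-certificates|tls-ca-bundle)' "$cfg"; then
        echo "REJECT $cfg: 'ca' points at the system-wide CA bundle" >&2
        return 1
    fi
    if grep -q '^<ca>' "$cfg" && grep -q '^</ca>' "$cfg"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*ca[[:space:]]+[^[:space:]]' "$cfg"; then
        return 0
    fi
    echo "REJECT $cfg: no CA configured" >&2
    return 1
}

# --- constructed sample input (placeholders, not real configs) -----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The weak setting: trust whatever the OS bundle trusts.
cat > "$WORK/weak.conf" <<'EOF'
client
remote vpn.example.invalid 1194
ca /etc/pki/tls/certs/ca-bundle.crt
EOF

# The RPM-packaged variant: a dedicated CA file shipped separately.
cat > "$WORK/base.conf" <<'EOF'
client
remote vpn.example.invalid 1194
ca /etc/openvpn/corp-ca.pem
EOF

# Placeholder PEM body; not a real certificate.
cat > "$WORK/corp-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate==
-----END CERTIFICATE-----
EOF

# The self-contained variant: CA embedded in the config itself.
embed_ca "$WORK/base.conf" "$WORK/corp-ca.pem" > "$WORK/inline.conf"

check_config "$WORK/weak.conf"   || echo "weak.conf rejected, as expected"
check_config "$WORK/base.conf"   && echo "base.conf accepted (dedicated CA file)"
check_config "$WORK/inline.conf" && echo "inline.conf accepted (embedded CA)"
```

Both of the options in the reply pass the check: the RPM route keeps a 'ca' directive pointing at a dedicated file, and the embedded route replaces it with the <ca> block; only a config that hands trust to the whole system bundle is rejected.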
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel