A User's Perspective: We've been doing just this since ovpn began allowing inline certs. Works great! Recommend.
Marvin
Sent from my iPhone

> On Jan 15, 2017, at 9:53 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
>
>> On 15/01/17 14:52, Pavel Raiskup wrote:
>>> On Sunday, January 15, 2017 11:08:38 AM CET David Sommerseth wrote:
>>>> On 15/01/17 07:17, Pavel Raiskup wrote:
>>>> Adding a new --with-ca-bundle configure option. Its argument is
>>>> used as default CA file when no --ca option is specified at
>>>> runtime.
>>>>
>>>> This option is primarily designed for systems where users are
>>>> allowed to manage trusted authorities for whole system (in one
>>>> consolidated file; usually implemented in 'ca-certificates'
>>>> package).
>>>>
>>>> Signed-off-by: Pavel Raiskup <prais...@redhat.com>
>>>> ---
>>>> configure.ac | 5 +++++
>>>> src/openvpn/options.c | 9 +++++++++
>>>> 2 files changed, 14 insertions(+)
>>>
>>> As this was mentioned on a Red Hat Bugzilla (bz #1413343 [1]) as well,
>>> I'm reiterating my argument here for closing that bugzilla as notabug.
>>>
>>> I completely agree with Steffan, this is a NAK. Such a feature would be
>>> a dream scenario for The Great Firewall of China and similar national
>>> routing instances which implement complete network surveillance. It
>>> would make it extremely trivial for them to implement a MITM OpenVPN
>>> server which would affect users not being aware of this issue.
>>>
>>> This feature would elude users configuring OpenVPN it is no problem
>>> using certificates from public CA issuers. This is a VERY BAD idea! We
>>> should help users configure OpenVPN in a secure way by default. Not the
>>> opposite.
>>
>> Ack, I originally thought about this as tool to solve "packaging issue".
>> We have corporate-wide authority, and people usually have it stored in
>> bundle. But I got the point, and such a shame mistake -- there's too many
>> trusted CAs.
>
> I would recommend seeing the CA file being part of the configuration
> instead of a packaging detail. And you can embed the CA inside the
> configuration file ... just do this in the config:
>
> <ca>
> -----BEGIN CERTIFICATE-----
> ....
> ....
> ....
> -----END CERTIFICATE-----
> </ca>
>
> This replaces the 'ca /path/to/ca.pem' line in the configuration file.
>
> Otherwise, for enterprises doing their own packaging ... it is also
> possible to install the OpenVPN CA file in /etc/pki/.... which is easily
> done with RPM files which again can be pushed out through internal
> repositories or Satellite. The distributed configurations would then
> just need to use 'ca /etc/pki/tls/cert/openvpn-ca.pem'.
>
> It all depends on how often it is expected to distribute configuration
> files vs how often the CA certificate is renewed.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
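The trade-off the thread settles on (trust one dedicated VPN CA, carried inline in the config or as a dedicated file, never the system-wide bundle that makes every public CA a valid issuer for the VPN server) can be checked mechanically before a config is rolled out. The following Python is an added example, not code from OpenVPN or from anyone in this thread. The list of system bundle paths, the certificate-count threshold, the `/etc/pki/tls/certs/openvpn-ca.pem` path and the sample configs are assumptions or constructed data; the PEM body is a placeholder, not a real certificate. It goes one step beyond the thread by also flagging a config that lacks `remote-cert-tls server`, the directive that requires the peer certificate to carry the TLS-server role.

```python
"""Lint how an OpenVPN client config establishes trust in the server's CA.

Added example, not code from OpenVPN or from anyone in this thread. A 'ca'
line pointing at the system-wide bundle lets any public CA issue a server
certificate; an inline <ca> block or a dedicated CA file restricts trust to
the one authority that actually signs the VPN server certificate.
"""
import re
from typing import Dict, List, Optional

# Consolidated trust stores shipped by common distributions (assumed list;
# extend it for the platforms you deploy on).
SYSTEM_BUNDLES = {
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/pki/tls/cert.pem",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/cert.pem",
}
# A dedicated VPN CA file holds one root, or at most a short chain (assumed).
MAX_TRUSTED_CERTS = 3
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text: str) -> int:
    """Number of PEM certificate blocks in a CA file or <ca> block."""
    return len(PEM_CERT.findall(pem_text))


def directive_lines(config_text: str) -> List[str]:
    """Non-empty config lines with '#' and ';' comments stripped."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def parse_ca_source(config_text: str) -> Dict[str, Optional[str]]:
    """Find the CA: an inline <ca>...</ca> block, a 'ca <path>' line, or neither."""
    inline = re.search(r"<ca>(.*?)</ca>", config_text, re.S)
    if inline:
        return {"kind": "inline", "value": inline.group(1).strip()}
    for line in directive_lines(config_text):
        m = re.match(r"ca\s+(\S.*)$", line)  # matches 'ca', not 'capath' or 'cert'
        if m:
            return {"kind": "file", "value": m.group(1).strip().strip('"')}
    return {"kind": "none", "value": None}


def assess(config_text: str, ca_files: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings for the config; an empty list means the CA setup is sane.

    ca_files maps a path to its contents so the check runs without touching
    disk; in production, read the file the 'ca' directive names.
    """
    findings: List[str] = []
    src = parse_ca_source(config_text)
    if src["kind"] == "none":
        findings.append("no CA configured: the server certificate cannot be verified")
    elif src["kind"] == "inline":
        n = count_pem_certs(src["value"] or "")
        if n == 0:
            findings.append("inline <ca> block contains no certificate")
        elif n > MAX_TRUSTED_CERTS:
            findings.append(f"inline <ca> block trusts {n} certificates, expected one VPN CA")
    else:
        path = src["value"] or ""
        if path in SYSTEM_BUNDLES:
            findings.append(f"ca {path} is the system-wide trust store: any public CA "
                            "could issue a certificate that passes as the VPN server")
        elif ca_files is not None and path in ca_files:
            n = count_pem_certs(ca_files[path])
            if n > MAX_TRUSTED_CERTS:
                findings.append(f"ca {path} trusts {n} certificates, expected one VPN CA")
    # One step beyond the thread: 'remote-cert-tls server' makes OpenVPN insist
    # that the peer certificate carries the TLS-server role, so a client
    # certificate issued by the same CA cannot be presented as the server.
    if "remote-cert-tls server" not in directive_lines(config_text):
        findings.append("remote-cert-tls server is not set")
    return findings


# Constructed sample configs and CA file (not from the thread; the PEM body is
# a placeholder, not a real certificate).
PLACEHOLDER_CERT = ("-----BEGIN CERTIFICATE-----\n"
                    "PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
                    "-----END CERTIFICATE-----\n")
COMMON = "client\ndev tun\nremote vpn.example.com 1194\nremote-cert-tls server\n"
CONFIG_SYSTEM_BUNDLE = COMMON + "ca /etc/pki/tls/certs/ca-bundle.crt\n"
CONFIG_INLINE = COMMON + "<ca>\n" + PLACEHOLDER_CERT + "</ca>\n"
CONFIG_DEDICATED = COMMON + "ca /etc/pki/tls/certs/openvpn-ca.pem\n"
CA_FILES = {"/etc/pki/tls/certs/openvpn-ca.pem": PLACEHOLDER_CERT}

if __name__ == "__main__":
    for name, cfg in [("system bundle", CONFIG_SYSTEM_BUNDLE),
                      ("inline <ca>", CONFIG_INLINE),
                      ("dedicated file", CONFIG_DEDICATED)]:
        print(f"{name}: {assess(cfg, CA_FILES) or ['ok']}")
```

Run against the three constructed configs, only the system-bundle one produces a finding; the inline block and the dedicated file are accepted because each trusts a single certificate. The count threshold is the crude proxy the thread itself reaches for ("there's too many trusted CAs"): a file with dozens of roots is a public bundle whatever its path is called.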