On 9/8/20 5:41 PM, Arne Schwabe wrote:
The main difference between this patch set and Jason's V1 version is that it does
not rely on an external script on the server side and instead relies on an
inlined <peer-fingerprint> section. The downside is that this requires a
server restart on adding a client, but the upside is that no script-security
or external scripts are necessary, and server/client setup becomes symmetric.

One of the nice features of Jason's patch was that, also for big(ger) deployments, you could get rid of the CA if you have another channel to establish trust between client and server.

I guess it won't be possible to use --tls-verify (on the server) with your patch and verify the fingerprint(s) there? For the client it is enough to have a (fixed) list of trusted fingerprints. Would it be possible to add this (again)?

Regards,
François


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
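A server-side check of the kind François asks about, as an added example rather than code from the thread or from the OpenVPN project: a --tls-verify hook that compares the peer certificate's SHA-256 fingerprint against a fixed allow-list. It assumes OpenVPN's documented hook interface (arguments depth and X.509 subject, environment variable tls_digest_sha256_<depth>); the allow-list path, its format and the sample fingerprints are constructed for the example.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): a --tls-verify hook that accepts a
# peer only when the SHA-256 fingerprint of its leaf certificate appears in a
# fixed allow-list, i.e. the server-side check discussed in the thread.
# OpenVPN invokes the hook as: cmd <depth> <x509_subject> and exports the chain
# digests as tls_digest_sha256_<depth>, colon-separated hex, depth 0 = the peer.
# Requires --script-security 2 on the server; the list path is an assumption.

TRUSTED_FILE="${TRUSTED_FILE:-/etc/openvpn/trusted-fingerprints.txt}"

# Canonical form: no colons or whitespace, lowercase, so "AB:CD" == "abcd".
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-Z' 'a-z'
}

# fingerprint_allowed <digest> <allow-list-file>: exit 0 if <digest> matches a
# non-comment line; anything that is not a full 32-byte SHA-256 is rejected.
fingerprint_allowed() {
    want=$(normalize_fp "$1")
    [ ${#want} -eq 64 ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip trailing comments
        have=$(normalize_fp "$line")
        [ -n "$have" ] || continue             # blank / comment-only line
        [ "$have" = "$want" ] && return 0
    done < "$2"
    return 1
}

# tls_verify_hook <depth> <subject> <digest> <allow-list-file>
# OpenVPN runs the hook once per chain level; only the peer's own certificate
# (depth 0) is pinned here, other levels are passed through to OpenVPN's
# normal CA verification. Any non-zero exit rejects the connection.
tls_verify_hook() {
    depth=$1; subject=$2; digest=$3; listfile=$4
    [ "$depth" = "0" ] || return 0
    if fingerprint_allowed "$digest" "$listfile"; then
        return 0
    fi
    echo "tls-verify: rejected '$subject' (fingerprint not in $listfile)" >&2
    return 1
}

# Entry point when OpenVPN runs this file; skipped when no arguments are given.
if [ $# -ge 1 ] && [ -n "${tls_digest_sha256_0:-}" ]; then
    tls_verify_hook "$1" "${2:-}" "$tls_digest_sha256_0" "$TRUSTED_FILE"
    exit $?
fi
```

Install with `tls-verify /path/to/this-script.sh` in the server config; a client whose leaf fingerprint is not listed is rejected during the TLS handshake, and adding a client means appending one line to the allow-list without restarting the server.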