Attention is currently required from: flichtenheld, plaisthos, ssbssa.

selvanair has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/621?usp=email )
Change subject: Implement Windows CA template match for Crypto-API selector
......................................................................

Patch Set 1:

(6 comments)

Patchset:

PS1:
I can't comment on the usefulness of this, but the changes look easy to maintain and clean, so a conditional feature-ACK from me.

At least one function call involves network search in the AD; a test report of what happens when no DCs are reachable would help. If that could cause a slow timeout, or error, we should document it. In typical setups DCs are often unreachable before the tunnel is up.

File doc/man-sections/windows-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/621/comment/98846a64_c997a4b3 :
PS1, Line 62: cryptoapicert "TMPL:1.3.6.1.4..."
Add an example where the template name is used instead of OID?

File src/openvpn/cryptoapi.c:

http://gerrit.openvpn.net/c/openvpn/+/621/comment/41d62b25_9fc645be :
PS1, Line 217: }
I think I said this in response to the original in 2021 as well: why separate into two calls like this? The use of the flag is to avoid network calls, but if we are anyway going to allow network access, it's more efficient to allow it in the first place. I'm assuming the call will return quickly if a local search succeeds even if the flag is not there.

http://gerrit.openvpn.net/c/openvpn/+/621/comment/aa376a5e_4ae3dc25 :
PS1, Line 220: if (!info && fallback && groupid)
I see the only place this is called is with fallback=true, so we do not need that argument and can always fall back if groupid != 0.

http://gerrit.openvpn.net/c/openvpn/+/621/comment/9ee83cff_cbebf4f4 :
PS1, Line 277: * TMPL:<template name>
template name or OID?

http://gerrit.openvpn.net/c/openvpn/+/621/comment/fcc24a46_78a084ec :
PS1, Line 314: find_type = CERT_FIND_ANY;
Shouldn't we use a more restrictive search with, say, CERT_FIND_HAS_PRIVATE_KEY?

If there are multiple users on the client machine with certificates for each installed in the machine store, matching the template name alone could pick a certificate for which the user has no access to the private key and error out later. This could also significantly reduce the number of certificates to walk through.

-- 
To view, visit http://gerrit.openvpn.net/c/openvpn/+/621?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia2c3e4c5c83ecccce1618c43b489dbe811de5351
Gerrit-Change-Number: 621
Gerrit-PatchSet: 1
Gerrit-Owner: ssbssa <ssb...@yahoo.de>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-CC: selvanair <selva.n...@gmail.com>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Attention: ssbssa <ssb...@yahoo.de>
Gerrit-Comment-Date: Mon, 03 Jun 2024 03:04:01 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
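The last comment above (CERT_FIND_ANY vs CERT_FIND_HAS_PRIVATE_KEY, and a machine store holding template-issued certificates for several users) is easy to reproduce on a test client before the OpenVPN change is tried. The script below is an added example written for this editorial pass; it is not part of the Gerrit change or the OpenVPN code base. It walks the LocalMachine\My store, reports every certificate whose Microsoft template extension (the v1 name extension 1.3.6.1.4.1.311.20.2 or the v2 template-information extension 1.3.6.1.4.1.311.21.7) matches a given template OID, and then checks whether the current user can actually open the private key rather than only whether a key is linked. The template OID used as the default parameter is a placeholder and an assumption; matching is done on the OID text only, so no AD lookup is needed and the script works with no DC reachable.

```powershell
# Added example, not OpenVPN project code.
# Lists machine-store certificates issued from a given template and checks
# whether the *current user* can open the private key, which is the case
# CERT_FIND_ANY cannot distinguish from "key exists but belongs to someone else".
param(
    # Placeholder template OID (assumption): replace with the OID from your CA.
    [string]$TemplateOid = '1.3.6.1.4.1.311.21.8.1.2.3.4',
    [string]$StorePath   = 'Cert:\LocalMachine\My'
)

# Extension OIDs written by Windows enterprise CAs.
$V1TemplateName = '1.3.6.1.4.1.311.20.2'   # szOID_ENROLL_CERTTYPE_EXTENSION (v1: template name)
$V2TemplateInfo = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE       (v2: template OID)

function Get-TemplateIdentifiers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $V1TemplateName -or $ext.Oid.Value -eq $V2TemplateInfo) {
            # Format($true) renders the decoded extension, e.g. "Template=<oid>" for v2
            # or the bare template name for v1. Offline: no directory lookup involved.
            $ext.Format($true)
        }
    }
}

function Test-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only says a key container is linked to the certificate.
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Actually opening the key is what fails when the container is owned by
        # another user or the ACL on the CNG key excludes the caller.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        return ($null -ne $key)
    } catch {
        return $false
    }
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    $ids = @(Get-TemplateIdentifiers -Cert $_)
    # Substring match on the decoded extension text; OID match works without AD.
    $matched = $ids | Where-Object { $_ -match [regex]::Escape($TemplateOid) }
    if ($matched) {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Template      = ($ids -join '; ')
            HasPrivateKey = $_.HasPrivateKey
            KeyAccessible = Test-PrivateKeyAccess -Cert $_
        }
    }
} | Format-Table -AutoSize
```

Run it as each user that will start OpenVPN (an admin and a standard user give the most useful contrast). A row with HasPrivateKey true and KeyAccessible false is exactly the certificate a template-only CERT_FIND_ANY search could select and then fail on at key-use time; a CERT_FIND_HAS_PRIVATE_KEY search would still include it, so the private-key access check here shows the residual gap even after the reviewer's suggested narrowing. Template names (as opposed to OIDs) appear in the output only for v1 templates; resolving a v2 OID to its display name is the step that needs the directory.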