Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-10 Thread Arne Schwabe
On 09.09.20 at 20:23, tincanteksup wrote: > > > On 09/09/2020 11:21, Arne Schwabe wrote: >> On 09.09.20 at 10:04, François Kooman wrote: >>> On 9/8/20 6:38 PM, Arne Schwabe wrote: I really wonder which large deployment wants to do that instead of a CA. I really understand the need for

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-09 Thread tincanteksup
On 09/09/2020 11:21, Arne Schwabe wrote: On 09.09.20 at 10:04, François Kooman wrote: On 9/8/20 6:38 PM, Arne Schwabe wrote: I really wonder which large deployment wants to do that instead of a CA. I really understand the need for small and simple deployments. But for larger deployments a CA

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-09 Thread Arne Schwabe
On 09.09.20 at 10:04, François Kooman wrote: > On 9/8/20 6:38 PM, Arne Schwabe wrote: >> I really wonder which large deployment wants to do that instead of a CA. >> I really understand the need for small and simple deployments. But for >> larger deployments a CA + CRL seems more useful for everythi

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-09 Thread François Kooman
On 9/8/20 6:38 PM, Arne Schwabe wrote: I really wonder which large deployment wants to do that instead of a CA. I really understand the need for small and simple deployments. But for larger deployments a CA + CRL seems more useful for everything that I can come up with. It would be more for the

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-08 Thread Arne Schwabe
> One of the nice features of Jason's patch was that also for big(ger) > deployments you could get rid of the CA if you have another channel to > establish trust between client and server. I really wonder which large deployment wants to do that instead of a CA. I really understand the need for smal

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-08 Thread François Kooman
On 9/8/20 5:41 PM, Arne Schwabe wrote: The main difference of this patch set to Jason's V1 version is that it does not rely on an external script on the server side and instead relies on an inlined section. The downside is that this requires a server restart on adding a client but the upside is

[Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-08 Thread Arne Schwabe
Setting up a CA even with the help of easy-tls and similar tools is difficult/tiresome. For small setups self-signed certificates are sufficient enough and restarting the server to add another client is generally not a big problem (when you need that capability a CA is better suited). This patch s