Re: openvpn and network manager

On Thu, 22 May 2008, Dan Williams wrote:

> On Thu, 2008-05-22 at 16:13 +0400, Vasiliy G Tolstov wrote:
>> On Thu, 2008-05-22 at 14:52 +0300, Dimitris Zilaskos wrote:
>>> I did some research on that and also contacted the local CA operators.
>>> They told me that ns-cert-type is old, proprietary and deprecated and does
>>> not significantly add to security. Here are some references:
>>>
>>> http://osdir.com/ml/java.ejbca.devel/2005-11/msg00003.html
>>> http://openvpn.net/archive/openvpn-users/2007-03/msg00062.html
>>> http://readlist.com/lists/postfix.org/postfix-users/12/64401.html
>>> http://emperor.canarie.ca/pipermail/tagpma-general/2007-January/001326.html
>>>
>>> In any case, this certificate extension is never gonna be
>>> supported in several educational large PKI infrastructures that I (and
>>> several other academic users as well) employ. So lack of this feature
>>> will mean loss of a large audience for the networkmanager tool.
>>>
>>> Can we have a fix please ?:)
>>
>> yes, can we have a fix ? or option to disable this... ?
>
> I didn't originally write that bit, but what's the impact of getting rid
> of the check, if any?  That openvpn will just accept any old certificate
> that it gets sent from the server?
>
> Dan


No, this check examines whether the certificate has the nsCertType field set to "client"; it has nothing to do with certificate age. As I mentioned in my previous mail, it is an old, deprecated field. It has been replaced by extendedKeyUsage (http://www.ietf.org/rfc/rfc3280.txt?number=3280).

In any case, no modern CA should support it.

And frankly I do find its whole concept contradictory. For example, I may use an x509 host certificate for my system to have an SSL-enabled web server. I might also need to use the same certificate to establish an openvpn connection to my laboratory or business. That makes my system both "client" and "server".

Best regards,

--
============================================================================

Dimitris Zilaskos

Department of Physics @ Aristotle University of Thessaloniki , Greece
PGP key : http://tassadar.physics.auth.gr/~dzila/pgp_public_key.asc
	  http://egnatia.ee.auth.gr/~dzila/pgp_public_key.asc
MD5sum  : de2bd8f73d545f0e4caf3096894ad83f  pgp_public_key.asc
============================================================================
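The two extensions the thread is arguing about can be seen side by side with openssl. The script below is an added example, not code from the thread, from OpenVPN or from NetworkManager: it issues a throwaway CA and signs one CSR twice, once with RFC 3280 extendedKeyUsage (marked as both serverAuth and clientAuth, the "one host certificate for HTTPS and for VPN" case described above) and once with only the Netscape nsCertType extension that ns-cert-type tests, then reports which marking each certificate carries. It assumes openssl on PATH and a writable temporary directory; the CA name, subject and file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, OpenVPN or NetworkManager): compare the
# deprecated Netscape nsCertType extension with RFC 3280 extendedKeyUsage.
# Assumes openssl on PATH; every name and path below is a demo assumption.
set -e

# X.509v3 extension profiles. "modern" marks the certificate for both TLS
# server and TLS client use, the case in which one host certificate serves
# HTTPS and also opens a VPN. "legacy" carries only nsCertType = server,
# the field OpenVPN's ns-cert-type option inspects.
write_profiles() {
    cat > "$1/ext.cnf" <<'EOF'
[ modern ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ legacy ]
basicConstraints = CA:FALSE
nsCertType = server
EOF
}

# Build a self-signed test CA and sign one CSR once per profile.
# Results: $1/modern.crt and $1/legacy.crt, both chaining to $1/ca.crt.
make_test_pki() {
    dir=$1
    write_profiles "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=vpn.example.org \
        -keyout "$dir/ee.key" -out "$dir/ee.csr" 2>/dev/null
    for profile in modern legacy; do
        openssl x509 -req -days 1 -in "$dir/ee.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "$profile" \
            -out "$dir/$profile.crt" 2>/dev/null
    done
}

# Exit 0 when the certificate carries the Netscape nsCertType extension
# (openssl prints it as "Netscape Cert Type" in -text output).
has_nscerttype() {
    openssl x509 -in "$1" -noout -text | grep -q 'Netscape Cert Type'
}

# Exit 0 when the certificate's extendedKeyUsage lists the given purpose,
# as openssl names it: "TLS Web Server Authentication" or
# "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# On the OpenVPN client, the RFC 3280 counterpart of
#     ns-cert-type server
# is, in OpenVPN 2.1 and later,
#     remote-cert-tls server
# which checks the peer certificate's keyUsage and extendedKeyUsage
# (serverAuth) instead of nsCertType. A certificate marked
# "serverAuth, clientAuth" passes both "remote-cert-tls server" on the
# client side and "remote-cert-tls client" on the server side.

# Demo run: print which marking each test certificate carries.
WORK=$(mktemp -d)
make_test_pki "$WORK"
for cert in modern legacy; do
    printf '%s.crt: ' "$cert"
    has_nscerttype "$WORK/$cert.crt" && printf 'nsCertType '
    has_eku "$WORK/$cert.crt" 'TLS Web Server Authentication' && printf 'EKU:serverAuth '
    has_eku "$WORK/$cert.crt" 'TLS Web Client Authentication' && printf 'EKU:clientAuth '
    echo
done
rm -rf "$WORK"
```

Run it as `sh check-cert-type.sh` (any file name works; the one given is assumed). The modern certificate reports both EKU purposes and no nsCertType, the legacy one reports only nsCertType; a client that checks `remote-cert-tls server` accepts the first and rejects the second, which is the opposite of what the nsCertType-only check does.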

