Re: openvpn and network manager



On Fri, 2008-05-23 at 07:57 +0300, Dimitris Zilaskos wrote:
> On Thu, 22 May 2008, Dan Williams wrote:
> > I didn't originally write that bit, but what's the impact of getting rid
> > of the check, if any?  That openvpn will just accept any old certificate
> > that it gets sent from the server?
> >
> > Dan
> 
> 
> No, this check examines if the certificate has the nsCertType field set to 
> "client", it has nothing to do with certificate age. As I mentioned in my 
> previous mail, it is an old deprecated field. It has been replaced by 
> extendedkeyusage (http://www.ietf.org/rfc/rfc3280.txt?number=3280).
> 

Also worth noting that it has nothing to do with validating the
certificate.

The question is should it be removed entirely or made a preference in
nm-openvpn-properties? Removing is as simple as removing the relevant
lines (as indicated in the thread referenced earlier). Making it a
preference should be relatively straightforward as well. I'd imagine a
patch would be the best way to make this happen. If there aren't any
takers, I'll whip one up next week to make the ns-cert-type openvpn
option configurable (none, client, server).

-casey
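
Added example (not part of the original message, and not NetworkManager or OpenVPN code): a stdlib-only Python sketch that walks a DER-encoded X.509 Extensions block and shows why a certificate carrying only extendedKeyUsage fails a check on the deprecated nsCertType field. The two sample extension blocks and all helper names are constructed for illustration.

```python
# Added illustration; sample data and helper names are constructed, not from the thread.
OID_NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
OID_EKU = bytes.fromhex("551d25")                       # 2.5.29.37
SERVER_AUTH = bytes.fromhex("2b06010505070301")         # 1.3.6.1.5.5.7.3.1
EKU_NAMES = {SERVER_AUTH: "serverAuth", bytes.fromhex("2b06010505070302"): "clientAuth"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form definite length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def cert_type_info(extensions_der):
    """Report nsCertType bits and EKU purposes found in an Extensions SEQUENCE."""
    info = {"nsCertType": [], "eku": []}
    for _, ext in children(tlv(extensions_der)[1]):
        fields = children(ext)              # extnID, [critical], extnValue
        oid, value = fields[0][1], fields[-1][1]
        if oid == OID_NS_CERT_TYPE:         # BIT STRING: bit 0 client, bit 1 server
            flags = tlv(value)[1][1]        # skip the unused-bits octet
            info["nsCertType"] = [n for n, m in (("client", 0x80), ("server", 0x40)) if flags & m]
        elif oid == OID_EKU:                # SEQUENCE OF KeyPurposeId
            info["eku"] = [EKU_NAMES.get(v, v.hex()) for _, v in children(tlv(value)[1])]
    return info

def passes_ns_cert_type(info, wanted):      # legacy-field check only, not chain validation
    return wanted in info["nsCertType"]

def der(tag, *parts):                       # short-form DER TLV, for test data only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed Extensions blocks: legacy cert (nsCertType=server) vs. EKU-only cert.
LEGACY = der(0x30, der(0x30, der(0x06, OID_NS_CERT_TYPE), der(0x04, der(0x03, b"\x06\x40"))))
MODERN = der(0x30, der(0x30, der(0x06, OID_EKU), der(0x04, der(0x30, der(0x06, SERVER_AUTH)))))

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, cert_type_info(blob), passes_ns_cert_type(cert_type_info(blob), "server"))
```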




