On Fri, 2008-05-23 at 07:57 +0300, Dimitris Zilaskos wrote: > On Thu, 22 May 2008, Dan Williams wrote: > > I didn't originally write that bit, but what's the impact of getting rid > > of the check, if any? That openvpn will just accept any old certificate > > that it gets sent from the server? > > > > Dan > > > No, this check examines if the certificate has the nsCertType field set to > "client", it has nothing to do with certificate age. As I mentioned in my > previous mail, it is an old depracated field. It has been replaced by > extendedkeyusage (http://www.ietf.org/rfc/rfc3280.txt?number=3280). >
Also worth noting that it has nothing to do with validating the certificate. The question is should it be removed entirely or made a preference in nm-openvpn-properties? Removing is as simple as removing the relevant lines (as indicated in the thread referenced earlier). Making it a preference should be relatively straight forward as well. I'd imagine a patch would be the best way to make this happen. If there aren't any takers, I'll whip one up next week to make the ns-cert-type openvpn option configurable (none, client, server). -casey _______________________________________________ NetworkManager-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/networkmanager-list
