On Fri, 2008-05-23 at 14:00 -0500, Casey Harkins wrote:
> On Fri, 2008-05-23 at 07:57 +0300, Dimitris Zilaskos wrote:
> > On Thu, 22 May 2008, Dan Williams wrote:
> > > I didn't originally write that bit, but what's the impact of getting rid
> > > of the check, if any? That openvpn will just accept any old certificate
> > > that it gets sent from the server?
> > >
> > > Dan
> >
> > No, this check examines if the certificate has the nsCertType field set to
> > "client", it has nothing to do with certificate age. As I mentioned in my
> > previous mail, it is an old deprecated field. It has been replaced by
> > extendedkeyusage (http://www.ietf.org/rfc/rfc3280.txt?number=3280).
>
> Also worth noting that it has nothing to do with validating the
> certificate.
>
> The question is should it be removed entirely or made a preference in
> nm-openvpn-properties? Removing is as simple as removing the relevant
> lines (as indicated in the thread referenced earlier). Making it a
> preference should be relatively straightforward as well. I'd imagine a
> patch would be the best way to make this happen. If there aren't any
> takers, I'll whip one up next week to make the ns-cert-type openvpn
> option configurable (none, client, server).

A patch to just remove the check entirely would be fine with me. It
doesn't sound like we need it at all.

Dan
