Alon Bar-Lev wrote:
> On Wednesday 01 November 2006 04:54, James Yonan wrote:
>> OpenVPN 2.2 or 2.5
>> ------------------
>> This release will be open to patches which extend OpenVPN
>> functionality without requiring a major rewrite of the core.
>> Features that fit into these constraints include allowing the
>> OpenVPN server to listen on multiple TCP and UDP ports
>> simultaneously or improving/merging additional IPv6 functionality.
>> There are a couple of useful new features already finished for
>> OpenVPN 2.2:
>> * Added connection profiles feature. See <connection>
>>   documentation in man page.
>> * Added --disconnect-while-inactive feature. See
>>   man page.
>> Download via subversion:
>> svn co https://svn.openvpn.net/projects/openvpn/branches/BETA22/openvpn
> What about:
> 1. Handling privilege dropping correctly, so that the client can drop
> privileges before connect.
Actually there is flexibility here -- the client can drop privileges
earlier by config file option, but it generally doesn't until after the
connection is established so that it can accept pushed routes from the
server -- we could fix this by using a split privilege model, but then
you have to deal with the extra complexity.
> 2. Allow the management interface to prompt for an identity (out of several),
> so that the smartcard id can be chosen by the user. This will enable the
> computer to have only one OpenVPN configuration file, and still suit
> many users.
> 3. Allow the management to perform private key operations, so that
> pre-authenticated keys can be used out of an agent, or different
> sources, such as KDE, smartcards or any other storage. (This makes 2
> obsolete.)
> This will enable OpenVPN to be configured with the same settings for
> every user and every computer in a workgroup, and allow the GUI to
> prompt the user for the right credentials, remember user settings and
> such.
> It is important to take the CryptoAPI and PKCS#11 out of the daemon,
> since the daemon context will not always have access to smartcard
> resources.
> So CryptoAPI and PKCS#11 code will be moved out of the OpenVPN executable
> into a library so that management applications will be able to use
> this functionality if they wish to, or replace it with a different
> implementation.
> The library will also implement regular PKCS#12 based identity, so
> that the daemon will not have direct access to users' keys.
> As part of this, a simple management client console application will
> be implemented, to allow users a quick startup.
> 4. On my TODO there is the certificate chain verification, and CRL
> dynamic update... to allow multiple CAs and update the CRL on request.
I think it's great if you are volunteering to do this. It's an
interesting idea, to move CryptoAPI and PKCS#11 code out of OpenVPN
executable into a library that would be used by the GUI. My only
concern is that I don't want to make it much more difficult to write an
OpenVPN GUI. So I'm thinking that this would be an optional capability
that GUIs could choose to implement.
James