-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/02/12 19:42, Alon Bar-Lev wrote:
> 2012/2/28 David Sommerseth <openvpn.l...@topphemmelig.net>:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 28/02/12 19:17, Carsten Krüger wrote:
>>> Hello Alon,
>>> 
>>> ABL> This is *THE* missing functionality in Windows environment.
>>> ABL> It seems that nobody interested in developing proper UI using
>>> ABL> management interface for Windows.
>>> ABL> Same goes to proper smartcard support.
>>> 
>>> Developing the UI (command line) would be trivial but to my
>>> knowledge (I'm reading the mailinglist for last 7 years) there is
>>> no management interface in openvpn that would allow this.
>>> 
>> 
>> Have you seen this document?  (management/management-notes.txt)
>> <http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob_plain;f=management/management-notes.txt;hb=master>
>>
>> Especially look for all the 'pkcs11' prefixed calls, like
>> pkcs11-id-count, pkcs11-id-get.  Further James implemented a new
>> feature for the management interface where you can pass the
>> certificate this way too.  Unfortunately, as Alon pointed out, this
>> has not yet been documented well - except in the commit log.
> 
> These features are mine. I wrote these.... and the whole PKCS#11
> layer, and many other... like the ability to wrap the iproute2. They
> are good, but not great. Why? Because the openvpn daemon itself loads
> the PKCS#11 provider. This is a security violation. The PKCS#11
> provider should be loaded by the UI, so the daemon cannot interact
> with it at will.

Agreed!  And I remember this was part of the discussions at FOSDEM.  How
should the GUI communicate with regard to the PKCS#11 layer, and how
should it provide the proper information to the core OpenVPN process?  We
were not aware of the --management-external-key at that point, but I
think this is the natural way to look now.


kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9NIykACgkQDC186MBRfrqdvQCgpOTCxegtLzCPaQ6eOnxfuCOA
v58AnA2d/xD1/zhXZRj/SWqplv/t//mV
=cDMr
-----END PGP SIGNATURE-----

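The split David and Alon describe, with the private key held by the UI and the daemon only asking for signatures over the management interface, is what --management-external-key provides: the daemon emits a `>RSA_SIGN:<base64 data>` notification and the management client answers with an `rsa-sig` command carrying base64 lines of the signature and a closing `END`. The following is an added example of the client side of that exchange, not code from the thread or from the OpenVPN project. The signer callback is a stand-in (an HMAC closure, so the block runs offline); in a real UI it would wrap the token's PKCS#11 C_Sign call, which is the point of the design: the key material stays in the UI process and the daemon only ever sees signatures. The sample management lines are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional

# Notification prefix used by --management-external-key (OpenVPN 2.3-era
# management interface, as documented in management-notes.txt).
RSA_SIGN_PREFIX = ">RSA_SIGN:"

# A signer takes the raw bytes to be signed and returns the signature.
Signer = Callable[[bytes], bytes]


def parse_rsa_sign(line: str) -> Optional[bytes]:
    """Return the raw bytes to sign from a >RSA_SIGN: notification.

    Returns None (and therefore signs nothing) for any line that is not a
    well-formed challenge: wrong prefix, empty payload, or invalid base64.
    """
    if not line.startswith(RSA_SIGN_PREFIX):
        return None
    payload = line[len(RSA_SIGN_PREFIX):].strip()
    if not payload:
        return None
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None


def build_rsa_sig_reply(signature: bytes, width: int = 64) -> List[str]:
    """Format a signature as the rsa-sig command: 'rsa-sig', base64 lines, 'END'."""
    b64 = base64.b64encode(signature).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ["rsa-sig"] + lines + ["END"]


def decode_rsa_sig_reply(reply: List[str]) -> bytes:
    """Inverse of build_rsa_sig_reply, used to check a reply round-trips."""
    if not reply or reply[0] != "rsa-sig" or reply[-1] != "END":
        raise ValueError("not an rsa-sig reply")
    return base64.b64decode("".join(reply[1:-1]), validate=True)


def handle_management_lines(lines: Iterable[str], signer: Signer) -> List[str]:
    """Consume lines read from the daemon's management socket.

    Every valid RSA_SIGN challenge is answered with an rsa-sig reply; all
    other notifications are ignored and malformed challenges get no reply.
    Only the signature crosses back to the daemon, never the key.
    """
    replies: List[str] = []
    for line in lines:
        data = parse_rsa_sign(line)
        if data is None:
            continue
        replies.extend(build_rsa_sig_reply(signer(data)))
    return replies


def make_stand_in_signer(secret: bytes) -> Signer:
    """Stand-in for the UI-side private key operation (constructed for this
    example; a real UI would call PKCS#11 C_Sign on the token). The secret
    lives only inside this closure."""
    def sign(data: bytes) -> bytes:
        return hmac.new(secret, data, hashlib.sha256).digest()
    return sign


# Constructed sample data: a greeting-style line the client must ignore and
# one challenge whose payload is base64("hash-to-sign").
SAMPLE_INFO_LINE = ">INFO:constructed management greeting line"
SAMPLE_CHALLENGE = ">RSA_SIGN:aGFzaC10by1zaWdu"
SAMPLE_SIGNER = make_stand_in_signer(b"constructed-ui-side-secret")


if __name__ == "__main__":
    for reply_line in handle_management_lines(
            [SAMPLE_INFO_LINE, SAMPLE_CHALLENGE], SAMPLE_SIGNER):
        print(reply_line)
```

In a real client the reply lines go straight back onto the management socket; the daemon then continues the TLS handshake with the returned signature, without ever loading the PKCS#11 provider itself.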