I think this option should remain. This is useful for temporarily disabling users for VPNs that don't incorporate user/pass authentication. I am opposed to deprecating this function.
-----
Eric F Crist

On Feb 4, 2013, at 01:43:10, Adriaan de Jong <dej...@fox-it.com> wrote:

>> -----Original Message-----
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: Sunday 3 February 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>>
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>>
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything....
>>
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation. If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number; the connection will be
>> denied.
>>
>
> Confirmed, with the footnote that this is a weird way of going about things.
>
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards,
> and forcing people to either:
>
> - Create an actual CRL file. This is not difficult. In general, people using
>   OpenVPN should be managing their own CA in the OpenVPN world.
> - Failing that, create a custom script to do this.
>
> I'm always open for discussion, but imho this should not be core
> functionality in OpenVPN.
>
> Kind regards,
> Adriaan
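
The directory mode discussed in this thread, as an added sketch that is not part of the original messages and is not OpenVPN's code: helpers to temporarily disable and re-enable a client by creating or removing its deny file, plus a model of the existence check. The function names are hypothetical, the sample serial is constructed, and the sketch assumes the file name is the certificate serial written as a decimal string, which the thread itself does not state.

```python
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")

def serial_to_name(serial: str) -> str:
    """Turn an `openssl x509 -serial` style value ("serial=0A1B", "0A:1B")
    into the deny-file name (assumption: decimal string of the serial)."""
    hex_digits = serial.strip().split("=", 1)[-1].replace(":", "")
    # Accept hex digits only, so a crafted value can never become a path
    # such as "../something" inside the deny directory.
    if not hex_digits or any(c not in HEX for c in hex_digits):
        raise ValueError(f"not a hex serial: {serial!r}")
    return str(int(hex_digits, 16))  # Python ints handle 160-bit serials

def disable_client(crl_dir: str, serial: str) -> str:
    """Create an empty deny file; only its existence matters."""
    path = os.path.join(crl_dir, serial_to_name(serial))
    with open(path, "a"):
        pass
    return path

def enable_client(crl_dir: str, serial: str) -> bool:
    """Remove the deny file; False means the client was not disabled."""
    try:
        os.remove(os.path.join(crl_dir, serial_to_name(serial)))
        return True
    except FileNotFoundError:
        return False

def is_denied(crl_dir: str, serial: str) -> bool:
    """Model of the check described in the thread: deny if the file exists."""
    return os.path.exists(os.path.join(crl_dir, serial_to_name(serial)))

def demo():
    with tempfile.TemporaryDirectory() as crl_dir:
        serial = "serial=0A1B"  # constructed sample value
        before = is_denied(crl_dir, serial)
        name = os.path.basename(disable_client(crl_dir, serial))
        during = is_denied(crl_dir, serial)
        enable_client(crl_dir, serial)
        return name, before, during, is_denied(crl_dir, serial)

if __name__ == "__main__":
    print(demo())
```
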