Hi,

On Sun, Jan 15, 2017 at 09:52:46AM +0100, Steffan Karger wrote:
> On 15-01-17 07:17, Pavel Raiskup wrote:
[..]
> > This option is primarily designed for systems where users are
> > allowed to manage trusted authorities for whole system (in one
> > consolidated file; usually implemented in 'ca-certificates'
> > package).
[..]
>
> Feature-NAK. OpenVPN should use its own CA, not the system CA list.

I could see the use-case (enterprise-wide list of trusted CAs, and use of it compiled into an enterprise-distributed openvpn bundle), but I agree with Steffan that it's not something we need to have in OpenVPN - "--ca" can reference a CA bundle today, and enterprise-distributed config files reference the enterprise-maintained CA bundle, it will just work without code changes.

My main reason for not liking this is "another compile-time option" - someone has to maintain and test this, with and without this option, which adds to our maintenance nightmare. So the gain has to be significant.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel