Hi,

On Sun, Jan 15, 2017 at 09:52:46AM +0100, Steffan Karger wrote:
> On 15-01-17 07:17, Pavel Raiskup wrote:
[..]
> > This option is primarily designed for systems where users are
> > allowed to manage trusted authorities for whole system (in one
> > consolidated file; usually implemented in 'ca-certificates'
> > package).
[..]
> 
> Feature-NAK.  OpenVPN should use its own CA, not the system CA list.

I could see the use-case (enterprise wide list of trusted CAs, and
use of it compiled into an enterprise-distributed openvpn bundle),
but I agree with Steffan that it's not something we need to have in
OpenVPN - "--ca" can reference a CA bundle today, and enterprise-
distributed config files reference the enterprise-maintained CA bundle,
it will just work without code changes.

My main reason for not liking this is "another compile-time option" -
someone has to maintain and test this, with and without this option,
which adds to our maintenance nightmare.  So the gain has to be 
significant.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
