On 28/03/17 14:21, Gert Doering wrote:
> Hi,
> 
> On Tue, Mar 28, 2017 at 02:11:26PM +0200, David Sommerseth wrote:
>>> That's great!  This way, 2.4 does not have to change its behaviour.
>>> Still, I think it makes sense to deprecate --ns-cert-type, and remove it
>>> in favour of --remote-cert-tls in openvpn 2.5.
>>
>> Based on the feedback and discussions in Fedora regarding us removing
>> --tls-remote .... I actually think 2.5 is too early.  
> 
> Nobody suggested removing --remote-cert-tls.

I don't think I tried to say that :)  I mentioned --tls-remote in v2.4
as that caused quite some noise.  I actually had to add a patch in the
EPEL packages for EL6+EL7 bringing it back again, to ease these complaints.

> This is about --ns-cert-type.

Right :)

>> We need to have a
>> patch very soon complaining loudly in the log files 
> 
> Like, 57637d0f677d824dacdc83d858357ccc80723f45? :-)

Ahh!  I completely forgot about that patch.  Good!  It's even in v2.4.1
already :)

>> and get in touch
>> with at least NetworkManager guys to ensure they have time to implement
>> a solution when this goes away.  So I think 2.6 is more realistic.
> 
> Shouldn't be so hard to do a string-substitution in NM...   with
> 60b23236329e6921729f51e7689042a29c794a6b, this is really straightforward

If the behaviour is really close by doing a substitution, this should be
good enough.  --tls-remote to --verify-x509-name is more complicated,
due to character remapping and such ugly details.

> (unless your certs are really, *really* weird, providing a proper
> nsCert extension, but no proper keyUsage/extKeyUsage extensions).

Well, despite weirdness occurring (way too) often, I think we can live
with that noise if we have given enough time to adopt.  As long as we
have a real and solid argument they have been doing things wrong in the
beginning.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

