Hi, On Tue, Mar 28, 2017 at 02:35:59PM +0200, David Sommerseth wrote: > On 28/03/17 14:21, Gert Doering wrote: > > On Tue, Mar 28, 2017 at 02:11:26PM +0200, David Sommerseth wrote: > >>> That's great! This way, 2.4 does not have to change it's behaviour. > >>> Still, I think it makes sense to deprecate --ns-cert-type, and remove it > >>> in favour or --remote-cert-tls in openvpn 2.5. > >> > >> Based on the feedback and discussions in Fedora regarding to us removing > >> --tls-remote .... I actually think 2.5 is too early. > > > > Nobody suggested removing --remote-cert-tls. > > I don't think I tried to say that :) I mentioned --tls-remote in v2.4 > as that caused quite some noise. I actually had to add a patch in the > EPEL packages for EL6+EL7 bringing it back again, to ease these complaints.
Ah, *that* one. I see. So "the last time we deprecated and removed
one of our zillion stale options, people complained, so we're not going
to do it again"?
We need to communicate better what might affect users in new versions, so
they can test and complain/adjust in time (like, the stricter CRL handling
in 2.4, and - obviously - the --tls-remote bit)
> > This is about --ns-cert-type.
> Right :)
>
> >> We need to have a
> >> patch very soon complaining loudly in the log files
> >
> > Like, 57637d0f677d824dacdc83d858357ccc80723f45? :-)
>
> Ahh! I completely forgot about that patch. Good! It's even in v2.4.1
> already :)
Steffan was busy getting work done ;-)
> >> and get in touch
> >> with at least NetworkManager guys to ensure they have time to implement
> >> a solution when this goes away. So I think 2.6 is more realistic.
> >
> > Shouldn't be so hard to do a string-substitution in NM... with
> > 60b23236329e6921729f51e7689042a29c794a6b, this is really straightforward
>
> If the behaviour is really close by doing a substitution, this should be
> good enough. --tls-remote to --verify-x509-name is more complicated,
> due to character remapping and such ugly details.
Indeed.
So - this is something people need to test on their client/server certs.
Initially, it broke for ours (because the CA sets "more bits than needed",
and that confused the ku test on equality), but with the new check
"at least these bits, more are OK" all is fine.
> > (unless your certs are really, *really* weird, providing a proper
> > nsCert extention, but no proper keyUsage/extKeyUsage extentions).
>
> Well, despite weirdness occurring (Way too) often, I think we can live
> with that noise if we have given enough time to adopt. As long as we
> have a real and solid argument they have been doing things wrong in the
> beginning.
Indeed, again ;-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
signature.asc
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
