Hi,

> > Private and public key are still used. The patch still uses
> > certificates and TLS, it only replaces the check of the peer's
> > certificate against the CA with a hash check (certificate pinning
> > if you want).
> >
> > So basically instead of saying that you trust all certificates signed
> > by a CA, you only trust those certificates of which you have hashes. A
> > certificate pinning of an unknown CA is exactly the same. Since you
> > cannot verify that certificate you add a one-off certificate in your
> > list of trusted certificates.
>
> Correct me if I'm wrong, but this approach allows for self-signed
> certificates too, right?
Exactly! Client and server can use whatever certificate they like or
make a self-signed one. All they need to do is to exchange their
fingerprints over some trustworthy channel. Simple. Like SSH.

Best regards,
Simon
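An added example (not code from this thread or from the OpenVPN patch being discussed) of the trust model Simon describes, using Python's standard ssl module: the CA check is switched off and the peer's DER certificate is accepted only if its SHA-256 hash is in the list of fingerprints exchanged out of band. The hex fingerprint format, the function names and the sample bytes are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real X.509 blob):
# the pin check only hashes the bytes, so any byte string exercises the logic.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-self-signed-cert-bytes"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as lowercase hex (format is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'ab:cd:...' or 'abcd...' in any case; return bare lowercase hex."""
    return pin.replace(":", "").strip().lower()


def is_pinned(der_cert: bytes, pinned: list[str]) -> bool:
    """True if the peer certificate's hash is in the exchanged list of pins."""
    fp = fingerprint(der_cert)
    # compare_digest avoids leaking how many leading characters matched
    return any(hmac.compare_digest(fp, normalize_pin(p)) for p in pinned)


def connect_pinned(host: str, port: int, pinned: list[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust decision is the fingerprint check.

    The CA check is disabled on purpose: the peer may be self-signed, and the
    pins exchanged over a trustworthy channel replace it, SSH-style. A peer
    whose certificate is not pinned is rejected and the connection closed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no CA validation; pinning does the work
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pinned):
        tls.close()
        raise ssl.SSLError("peer certificate fingerprint not in pinned list")
    return tls
```

The server side does the mirror image with the client's certificate after requesting it, so both ends end up trusting exactly one another's fingerprints and nothing else.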
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel