On 25/05/18 09:41, Simon Rozman wrote:
> Hi,
>
>>> Private and public key are still used. The patch still uses
>>> certificates and TLS, it only replaces the check of the
>>> peer's certificate against the CA with a hash check (certificate
>>> pinning if you want).
>>>
>>> So basically instead of saying that you trust all certificates signed
>>> by a CA, you only trust those certificates of which you have hashes. A
>>> certificate pinning of an unknown CA is exactly the same. Since you
>>> cannot verify that certificate you add a one-off certificate in your
>>> list of trusted certificates.
>>
>> Correct me if I'm wrong, but this approach allows for self-signed
>> certificates
>> too, right?
>
> Exactly! Client and server can use whatever certificate they like or make a
> self-signed one. All they need to do is to exchange their fingerprints over
> some trustworthy channel.
>
> Simple. Like SSH.
As a side note, this approach might not need to disable the CA: a preliminary
check against the trusted fingerprints can be performed and then fall back to
the normal CA check in case of failure (but I'd make openvpn *clearly* log what
is happening to avoid debug nightmares).

Regards,

--
Antonio Quartulli
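The fingerprint-first check with CA fallback that the reply above sketches, as an added example in Python (not code from the patch or from OpenVPN); the CA verification step is abstracted as a caller-supplied callable and the certificate bytes are a constructed stand-in, both assumptions of this example:

```python
# Added example, not OpenVPN code: fingerprint-first peer check with CA fallback.
# ca_check is a caller-supplied callable (assumption); PEER_DER is constructed, not a real cert.
import hashlib
import hmac
import logging
from typing import Callable, Iterable, Optional

log = logging.getLogger("peer-verify")

class PeerRejected(Exception):
    """Neither a pinned fingerprint nor the CA chain accepted the peer."""

def normalize_fingerprint(fp: str) -> bytes:
    """Accept 'AB:CD:...' (as `openssl x509 -fingerprint -sha256` prints it) or bare hex."""
    hex_str = fp.replace(":", "").replace(" ", "").lower()
    if len(hex_str) != 64:
        raise ValueError(f"expected 64 hex chars of SHA-256, got {len(hex_str)}")
    return bytes.fromhex(hex_str)

def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER encoding, the value openssl prints as the SHA256 fingerprint."""
    return hashlib.sha256(cert_der).digest()

def verify_peer(cert_der: bytes, pinned: Iterable[str],
                ca_check: Optional[Callable[[bytes], bool]]) -> str:
    """Return 'pinned' or 'ca' for the check that accepted the peer; raise PeerRejected otherwise.
    Pins are tried first, the CA check only as fallback, and every path is logged clearly."""
    fp = cert_fingerprint(cert_der)
    for pin in pinned:
        # constant-time compare so a mismatch does not leak how many bytes matched
        if hmac.compare_digest(fp, normalize_fingerprint(pin)):
            log.info("peer accepted: fingerprint %s is pinned", fp.hex())
            return "pinned"
    if ca_check is None:
        log.warning("peer rejected: fingerprint %s not pinned, CA check disabled", fp.hex())
        raise PeerRejected(fp.hex())
    log.info("fingerprint %s not pinned, falling back to CA verification", fp.hex())
    if ca_check(cert_der):
        log.info("peer accepted: CA chain verified, fingerprint %s not pinned", fp.hex())
        return "ca"
    log.warning("peer rejected: fingerprint %s not pinned, CA verification failed", fp.hex())
    raise PeerRejected(fp.hex())

# Constructed input: arbitrary bytes standing in for a peer's DER certificate.
PEER_DER = b"constructed stand-in for a peer's DER-encoded certificate"
_hex = cert_fingerprint(PEER_DER).hex().upper()
PINNED = [":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))]  # openssl colon form
```

With `logging.basicConfig(level=logging.INFO)` set, each call leaves one line saying which check accepted or rejected the peer, which is the debugging aid the reply asks for.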
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel