Hi,

Gert has been faster to reply :-)

On 04/06/18 15:15, Gert Doering wrote:
> Hi,
>
> On Mon, Jun 04, 2018 at 09:10:23AM +0200, Jan Just Keijser wrote:
>> What's the particular use case for putting tls-auth files in connection
>> blocks?
>
> "I have one existing server that is not using tls-auth yet, and a new one
> that has tls-auth, and I want both in the same config file"
>

Exactly. Or even extend the same reasoning to tls-crypt: "one server was
migrated to tls-crypt and one is still on tls-auth, and both have to be in
the same config file".

> Plus, what Steffan mentioned: tls-auth rollover
>
>> Does it apply only to tls-auth/tls-crypt files or also the
>> certificate/private keys? I could see a use case for that as well...
>
> Right now, only tls-auth/tls-crypt, but this is the same question I asked
> on IRC yesterday :-)
>
> The "traditional" use case ("my key/cert is my identity") would see
> "a single identity for all remotes", but indeed, upgrading to a new server
> with a new CA (--ca -> <connection>) and newly distributed identities
> might also be an interesting use case. For @work, I've decided to tackle
> this part with "just distribute two .ovpn files", but it's worth thinking
> through the idea.
>

Once the issue with "--persist-key" has been fixed (will be in v2 of this
patchset) I think it should be easy[tm] to also implement key/cert/ca per
connection block.

Cheers,

--
Antonio Quartulli
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel