Attention is currently required from: flichtenheld, plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1380?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review+2 by plaisthos
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: doc: Document potential filesystem pitfalls of client-config-dir
......................................................................
doc: Document potential filesystem pitfalls of client-config-dir
Reported-By: [email protected]
Change-Id: I23ea00dbd62271838aa72e913b743cc679ff2386
Signed-off-by: Frank Lichtenheld <[email protected]>
---
M doc/man-sections/server-options.rst
1 file changed, 10 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/1380/2
diff --git a/doc/man-sections/server-options.rst
b/doc/man-sections/server-options.rst
index 5243a06..739be22 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -144,6 +144,16 @@
``--push-reset``, ``--push-remove``, ``--iroute``, ``--ifconfig-push``,
``--vlan-pvid`` and ``--config``.
+ **Note:** OpenVPN uses the CN exactly as written in the certificate.
+ But since this is a file access the filesystem might interfere.
+ Importantly OpenVPN will consider two CNs that only differ in case as
+ different names but a case-insensitive filesystem (like you might
+ encounter on Windows or macOS) will treat them as the same. When you
+ generate your certificates make sure that the CNs are sufficiently
+ different to not cause issues. When trusting an external CA note that
+ this is a potential attack vector via maliciously generated
+ certificates that exploit this issue.
+
--client-to-client
Because the OpenVPN server mode handles multiple clients through a
single tun or tap interface, it is effectively a router. The
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1380?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I23ea00dbd62271838aa72e913b743cc679ff2386
Gerrit-Change-Number: 1380
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
