Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Gert Doering
Hi, On Mon, Feb 23, 2015 at 05:40:11PM +0300, Vasily Kulikov wrote: > > I agree -- the argument to --needs-external-cert should be optional. > > Note: Arne said about 'macos-keychain' prefix in the argument being > optional, not the argument itself being optional. Actually, I don't > think

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Vasily Kulikov
On Mon, Feb 23, 2015 at 12:55 +, David Woodhouse wrote: > On Mon, 2015-02-23 at 09:28 +0100, Arne Schwabe wrote: > > > > On 23.02.15 at 09:04, Vasily Kulikov wrote: > > > management-external-cert 'macosx-keychain:SUBJECT:c=US' > > > > > > With the approach in patch v3 a user has to start

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Vasily Kulikov
On Mon, Feb 23, 2015 at 08:04 -0500, Jonathan K. Bullard wrote: > On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering wrote: > > > > On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote: > > > > What do you think of the change? > > > I like the idea. You could make the

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 8:10 AM, David Woodhouse wrote: > On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: >> >> All fine. My rationale was like, if I want a certificate with a certain >> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me >> whether

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Steffan Karger
On 02/23/2015 02:10 PM, David Woodhouse wrote: > On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: >> >> All fine. My rationale was like, if I want a certificate with a certain >> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me >> whether I get it from OS X, Windows or

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread David Woodhouse
On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: > > All fine. My rationale was like, if I want a certificate with a certain > SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me > whether I get it from OS X, Windows or Android Certificate store. The canonical way of

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering wrote: > > On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote: > > > What do you think of the change? > > I like the idea. You could make the macos-keychain in the string optional. > > What Arne said (both parts of it)

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Gert Doering
Hi, On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote: > > What do you think of the change? > I like the idea. You could make the macos-keychain in the string optional. What Arne said (both parts of it) :-) gert -- USENET is *not* the non-clickable part of WWW!

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Vasily Kulikov
Hi, On Sun, Feb 15, 2015 at 23:01 +0100, Gert Doering wrote: > Hi, > > On Sun, Feb 15, 2015 at 10:05:07PM +0100, Arne Schwabe wrote: > > On 24.01.15 at 18:04, Vasily Kulikov wrote: > [..] > > > OpenVPN itself gets new 'NEED-CERTIFICATE' command which is called when > > >

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-20 Thread Vasily Kulikov
Hi Gert, On Sun, Feb 15, 2015 at 23:01 +0100, Gert Doering wrote: > I hear Arne, and James also ACKed this ("based on testing", which Arne > did). > > I'm not merging it yet, though - Vasily, please provide a v4 of the patch > that adds: ... > With that, I'll merge right away :-) Thank you for

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-15 Thread Gert Doering
Hi, On Sun, Feb 15, 2015 at 10:05:07PM +0100, Arne Schwabe wrote: > On 24.01.15 at 18:04, Vasily Kulikov wrote: [..] > > OpenVPN itself gets new 'NEED-CERTIFICATE' command which is called when > > --management-external-cert is used. It is implemented as a multiline > > command very similar to

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-15 Thread Arne Schwabe
On 24.01.15 at 18:04, Vasily Kulikov wrote: > This patch adds support for using certificates stored in the Mac OSX > Keychain to authenticate with the OpenVPN server. This works with > certificates stored on the computer as well as certificates on hardware > tokens that support Apple's tokend

[Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-01-24 Thread Vasily Kulikov
This patch adds support for using certificates stored in the Mac OSX Keychain to authenticate with the OpenVPN server. This works with certificates stored on the computer as well as certificates on hardware tokens that support Apple's tokend interface. This patch version implements management