*** This bug is a security vulnerability ***
Public security bug reported:
Many VPN providers will give a Certificate Revocation List crl.pem file in
their OpenVPN packages. The CRL list is becoming increasingly important after
the Heartbleed bug was exposed, leaving many servers vulnerable to attack by
unauthorized certificates. Is there any way to manually pass the option
'crl-verify crl.pem' to openvpn by editing a file somewhere?
I'm having a difficult time understanding how the network-manager-openvpn
client actually works, and what arguments it can actually receive, given that
it doesn't 'truly' import .ovpn configuration files. I also have little clue
where the configurations are written in the file system as there are no manual
pages and no debugging/terminal output for the network-manager-openvpn client.
I can't even find the godforsaken binaries after installing the package. It
would be much better if one could literally just pass it a .ovpn file, but
seeing as that's not possible, I must request that the crl-verify option is
added in the near future so that my system is not vulnerable to attacks using
unauthorized certificates.
** Affects: network-manager-openvpn (Ubuntu)
Importance: Undecided
Status: New
** Tags: crl openvpn
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1618286
Title:
Critical security flaw: Missing crl-verify openvpn option
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1618286/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
