*** This bug is a security vulnerability *** Public security bug reported:
Many VPN providers will give a Certificate Revocation List crl.pem file in their OpenVPN packages. The CRL list is becoming increasingly important after the Heartbleed bug was exposed, leaving many servers vulnerable to attack by unauthorized certificates. Is there any way to manually pass the option 'crl-verify crl.pem' to openvpn by editing a file somewhere? I'm having a difficult time understanding how the network-manager-openvpn client actually works, and what arguments it can actually receive, given that it doesn't 'truly' import .ovpn configuration files. I also have little clue where the configurations are written in the file system as there are no manual pages and no debugging/terminal output for the network-manager-openvpn client. I can't even find the godforsaken binaries after installing the package. It would be much better if one could literally just pass it a .ovpn file, but seeing as that's not possible, I must request that the crl-verify option is added in the near future so that my system is not vulnerable to attacks using unauthorized certificates. ** Affects: network-manager-openvpn (Ubuntu) Importance: Undecided Status: New ** Tags: crl openvpn ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1618286 Title: Critical security flaw: Missing crl-verify openvpn option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1618286/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs