> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.
> Comment #8 also indicates a security vulnerability, doesn't it? Yes, lack of ns-cert-type server support is indeed a security vulnerability. It affects sites that use a single CA to sign both client and server certificates. The risk is that anyone's client certificate can be used to impersonate the server; for example, to execute a man-in- the-middle attack. One workaround would be to use the newer "--remote-cert-tls server" option instead, but that requires an X.509v3 extension in the server certificate, which some sites do not have. Another workaround would be to use the "--verify-x509-name" option, but network-manager-openvpn does not support it. Another workaround would be to use the "--tls-remote" option, but that one is deprecated, and network-manager-openvpn's support for it breaks if there is a space in the server certificate's Common Name field. https://openvpn.net/index.php/open-source/documentation/howto.html#mitm In short, NetworkManager's OpenVPN support is not merely weak; it is severely broken. This particular break (which is not the only one) puts users at risk by silently discarding important security precautions that are configured in the .ovpn files it "imports". -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/364101 Title: network-manager-openvpn does not support all options supported by openvpn To manage notifications about this bug go to: https://bugs.launchpad.net/network-manager-openvpn/+bug/364101/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
