> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type
server' to be able to connect to my workplace.

> Comment #8 also indicates a security vulnerability, doesn't it?

Yes, lack of ns-cert-type server support is indeed a security
vulnerability. It affects sites that use a single CA to sign both client
and server certificates. The risk is that anyone's client certificate
can be used to impersonate the server; for example, to execute a man-in-
the-middle attack.

One workaround would be to use the newer "--remote-cert-tls server"
option instead, but that requires an X.509v3 extension in the server
certificate, which some sites do not have.

Another workaround would be to use the "--verify-x509-name" option, but
network-manager-openvpn does not support it.

Another workaround would be to use the "--tls-remote" option, but that
one is deprecated, and network-manager-openvpn's support for it breaks
if there is a space in the server certificate's Common Name field.

https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

In short, NetworkManager's OpenVPN support is not merely weak; it is
severely broken. This particular break (which is not the only one) puts
users at risk by silently discarding important security precautions that
are configured in the .ovpn files it "imports".

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/364101

Title:
  network-manager-openvpn does not support all options supported by
  openvpn

To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager-openvpn/+bug/364101/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to