Bug 1413343 - RFE: read and respect the system-default ca-bundle
Summary: RFE: read and respect the system-default ca-bundle
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-15 06:27 UTC by Pavel Raiskup
Modified: 2017-01-15 09:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-15 09:54:41 UTC
Type: Bug
Embargoed:



Description Pavel Raiskup 2017-01-15 06:27:47 UTC
Similarly to 'curl', 'python-requests' or 'wget', it would be nice if openvpn
respected the ca-bundle on Fedora (and RHEL eventually).  This is not yet
implemented upstream, so I tried to submit a patch [1], but other proposed
solutions would be welcome, too.

[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13878.html

Comment 1 David Sommerseth 2017-01-15 09:54:41 UTC
This is a VERY BAD idea.

OpenVPN should NOT use or depend on any public CA instances. This actually reduces the authentication level to a bare minimum. Mounting a MITM attack would then be extremely simple: configure a new server using a Let's Encrypt issued certificate, redirect all OpenVPN detected traffic on your network to this new server and you've won.

This would be a dream scenario for The Great Firewall of China and other national routing points implementing complete network surveillance.

OpenVPN should ALWAYS be configured using non-public/private CA instances, as that makes it much harder to trick clients into connecting to the wrong server.

I'm closing this one, as this will not be considered for upstream inclusion.  I am speaking as an upstream OpenVPN community developer and OpenVPN Technologies, Inc. employee.
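As an added illustration (not code from this bug report or from the OpenVPN project), the script below builds a throw-away two-CA setup with the openssl CLI and checks a server certificate for the same name against a private CA file versus a combined bundle, which is the trust-scope difference the comment above is arguing about; every CA name, file name and the CN are constructed for the example.

```shell
#!/bin/sh
# Constructed example: why an OpenVPN client should chain the server cert only to
# the operator's own CA ('ca <file>') instead of a system-wide public bundle.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Two independent self-signed CAs: "private" is the VPN operator's own CA,
# "other" stands in for any third-party CA a system bundle would also trust.
make_ca() {                                         # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1-ca.key" -out "$1-ca.crt" -subj "/CN=$1 CA" >/dev/null 2>&1
}

# Issue a server certificate for the SAME hostname from the given CA.
issue_server_cert() {                               # $1 = issuing CA name
    openssl req -newkey rsa:2048 -nodes -keyout "$1-server.key" \
        -out "$1-server.csr" -subj "/CN=vpn.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1-server.csr" \
        -CA "$1-ca.crt" -CAkey "$1-ca.key" -CAcreateserial \
        -out "$1-server.crt" >/dev/null 2>&1
}

# Mimic the client-side check: the presented server cert must chain to a CA
# listed in the trust file. Prints "accepted" or "rejected".
verify_with_ca_file() {                             # $1 = CA file, $2 = server cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_ca private
make_ca other
issue_server_cert private
issue_server_cert other
# A bundle holding many CAs is what 'use the system ca-bundle' would amount to.
cat private-ca.crt other-ca.crt > system-bundle.crt

echo "private CA file, operator's server: $(verify_with_ca_file private-ca.crt private-server.crt)"
echo "private CA file, other CA's server: $(verify_with_ca_file private-ca.crt other-server.crt)"
echo "system bundle,   other CA's server: $(verify_with_ca_file system-bundle.crt other-server.crt)"
```

With the private CA file only the operator-issued certificate is accepted, while the bundle accepts a certificate for the same name from an unrelated CA. In a real client config this restriction is the `ca` directive pointing at the operator's CA, usually paired with `remote-cert-tls server` so that a client certificate from the same CA cannot be presented as a server.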

