GNOME Bugzilla – Bug 782309
RFE: openvpn: Add support for --crl-verify
Last modified: 2018-03-28 22:02:59 UTC
I recently was faced with having to revoke a server's certificate. Since I have clients using nm-openvpn, which cannot specify a CRL file, I had to redo the whole PKI tree.
Description of problem:
When configuring OpenVPN using the NetworkManager UI, there is no option to specify a CRL against which to check the server certificate provided by the OpenVPN server.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.8.0-3.fc27.x86_64
NetworkManager-openvpn-gnome-1.8.0-3.fc27.x86_64
openvpn-2.4.5-1.fc27.x86_64

How reproducible:
Create a new OpenVPN connection using the NetworkManager UI.

Steps to Reproduce:
1. Start creating a new OpenVPN connection using the NetworkManager

Actual results:
There is no place where the user can specify a CRL which can be used to validate the server certificate.

Expected results:
In the UI the user should be able to provide a CRL that should be used to validate the server certificate.

Additional info:
This increases the risk of MITM attacks because if the server key is compromised and revoked, the client will still connect to that server if the cert is not validated using the CRL.
I'm running the latest stable Fedora.
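The risk described in the comment above, reproduced with a throwaway CA so the difference between the two checks is visible. This is an added example, not part of the bug report or of the nm-openvpn patch; it only needs the openssl(1) command line tool, and all names (demo-ca, vpn.example.test) are constructed. A plain chain check is what a client without CRL support performs; the CRL check is what OpenVPN's --crl-verify option adds.

```shell
#!/bin/sh
# Added example (not from the bug report or the nm-openvpn patch).
# Builds a scratch CA, issues a server certificate, revokes it, and shows
# that chain validation alone still accepts the revoked certificate while a
# CRL check rejects it. Requires openssl(1).
set -eu

# Write a minimal openssl ca(1) configuration and an empty CA database into $1.
write_ca_config() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Create the CA and issue the server certificate (constructed test PKI).
build_pki() {
    write_ca_config "$1"
    # Self-signed CA; the extensions are what OpenSSL needs to treat it as a CA
    # and to accept CRLs signed with its key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=demo-ca" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
    # Server key and CSR, signed through openssl ca so it lands in the CA database.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=vpn.example.test" >/dev/null 2>&1
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/server.csr" -out "$1/server.crt" >/dev/null 2>&1
}

# Publish the CA's current CRL (empty until something has been revoked).
gen_crl() {
    openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# Revoke the server certificate, as an operator does after a key compromise.
revoke_server() {
    openssl ca -batch -config "$1/ca.cnf" -revoke "$1/server.crt" >/dev/null 2>&1
}

# What a client without CRL support does: chain validation only.
chain_check_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# What --crl-verify adds: the same chain validation plus a lookup in the CRL.
crl_check_ok() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/server.crt" >/dev/null 2>&1
}

# Full walk-through. Returns 0 only if the expected outcomes are observed:
# both checks accept before revocation; afterwards the plain check still
# accepts while the CRL check rejects.
run_demo() {
    work="$(mktemp -d)"
    build_pki "$work"
    gen_crl "$work"
    chain_check_ok "$work" || return 1
    crl_check_ok "$work" || return 1
    echo "before revocation: chain check OK, CRL check OK"

    revoke_server "$work"
    gen_crl "$work"
    chain_check_ok "$work" || return 1
    if crl_check_ok "$work"; then return 1; fi
    echo "after revocation:  chain check OK, CRL check REJECTED"
    rm -rf "$work"
}

run_demo
```

In an OpenVPN client configuration the second behaviour is what `crl-verify ca.crl` enables; the point of the request above is to expose that option through the NetworkManager UI so that revoking a server certificate actually takes effect for nm-openvpn clients.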
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1559165
Created attachment 370234: [PATCH] service,properties: support the --crl-verify option
(In reply to Beniamino Galvani from comment #3)
> Created attachment 370234: [PATCH] service,properties: support the --crl-verify option

lgtm
Applied to master: https://git.gnome.org/browse/network-manager-openvpn/commit/?id=214815f72054544298ef8b44544606844f117616