Bug 782309 - RFE: openvpn: Add support for --crl-verify
RFE: openvpn: Add support for --crl-verify
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks: nm-review
Reported: 2017-05-08 00:49 UTC by dimitris
Modified: 2018-03-28 22:02 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
[PATCH] service,properties: support the --crl-verify option (18.24 KB, patch)
2018-03-28 07:30 UTC, Beniamino Galvani

Description dimitris 2017-05-08 00:49:56 UTC
I recently was faced with having to revoke a server's certificate. Since I have clients using nm-openvpn and cannot specify a CRL file, I had to redo the whole PKI tree.
Comment 1 Mincho Gaydarov 2018-03-22 13:34:01 UTC
Description of problem:
When configuring OpenVPN using the NetworkManager UI, there is no option to specify a CRL against which to check the server certificate provided by the OpenVPN server.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.8.0-3.fc27.x86_64
NetworkManager-openvpn-gnome-1.8.0-3.fc27.x86_64
openvpn-2.4.5-1.fc27.x86_64

How reproducible:
Create a new OpenVPN connection using the NetworkManager UI.

Steps to Reproduce:
1. Start creating a new OpenVPN connection using the NetworkManager

Actual results:
There is no place where the user can specify a CRL that can be used to validate the server certificate.

Expected results:
In the UI the user should be able to provide a CRL that should be used to validate the server certificate.


Additional info:
This increases the risk of MITM attacks because if the server key is compromised and revoked, the client will still connect to that server if the cert is not validated using CRL.

I'm running the latest stable Fedora.
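A defender-side check for the gap this comment describes, added here as an example and not part of the bug report or of NetworkManager-openvpn: a small Python auditor that parses OpenVPN client config text, reports whether `crl-verify` is configured (file, directory or inline `<crl-verify>` form) and appends a CRL path to a config that lacks it. The sample configs, hostname and file paths are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Directive:
    """One OpenVPN directive: name, arguments, and whether it came from a <tag> block."""
    name: str
    args: List[str]
    inline: bool = False


def parse_ovpn(text: str) -> List[Directive]:
    """Tokenize OpenVPN config text: skip blank/comment lines ('#' or ';'),
    and fold <tag>...</tag> inline blocks into one directive whose only
    argument is the block body."""
    directives: List[Directive] = []
    block: Optional[str] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                directives.append(Directive(block, ["\n".join(body)], inline=True))
                block, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            continue
        parts = line.split()
        directives.append(Directive(parts[0], parts[1:]))
    return directives


@dataclass
class CrlAudit:
    """Whether and how the config makes OpenVPN consult a CRL."""
    has_crl_verify: bool
    mode: Optional[str]   # "file", "dir" or "inline"; None when absent
    path: Optional[str]   # CRL file or directory; None for inline/absent
    findings: List[str] = field(default_factory=list)


def audit_ovpn(text: str) -> CrlAudit:
    """Accepted forms: 'crl-verify <file>', 'crl-verify <directory> dir' and an
    inline <crl-verify> PEM block. Without one, a server whose certificate was
    revoked after a key compromise is still accepted (the MITM risk above)."""
    directives = parse_ovpn(text)
    names = {d.name for d in directives}
    crl = [d for d in directives if d.name == "crl-verify"]
    if not crl:
        findings = ["crl-verify missing: revoked server certificates are still accepted"]
        if "ca" not in names:
            findings.append("ca missing: the server certificate chain is not validated at all")
        return CrlAudit(False, None, None, findings)
    d = crl[-1]  # if the directive is repeated, report the last one
    if d.inline:
        return CrlAudit(True, "inline", None)
    if len(d.args) >= 2 and d.args[1] == "dir":
        return CrlAudit(True, "dir", d.args[0])
    return CrlAudit(True, "file", d.args[0] if d.args else None)


def add_crl_verify(text: str, crl_path: str) -> str:
    """Hardened copy: append 'crl-verify <crl_path>' when the config has none."""
    if audit_ovpn(text).has_crl_verify:
        return text
    sep = "" if not text or text.endswith("\n") else "\n"
    return f"{text}{sep}crl-verify {crl_path}\n"


# Constructed sample configs; hostname and paths are placeholders, not real files.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
"""
HARDENED_CONFIG = WEAK_CONFIG + "crl-verify /etc/openvpn/crl.pem\n"
INLINE_CONFIG = WEAK_CONFIG + """\
<crl-verify>
-----BEGIN X509 CRL-----
(constructed placeholder body, not a real CRL)
-----END X509 CRL-----
</crl-verify>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("inline", INLINE_CONFIG)):
        r = audit_ovpn(cfg)
        print(f"{label:9s} crl-verify={r.has_crl_verify} mode={r.mode} path={r.path}")
        for finding in r.findings:
            print(f"          - {finding}")
    print(add_crl_verify(WEAK_CONFIG, "/etc/openvpn/crl.pem"))
```

Run over a directory of `.ovpn` files this flags every client that would keep trusting a revoked server certificate; the appended `crl-verify` line only helps if the referenced CRL is actually distributed and refreshed on the clients.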
Comment 2 Thomas Haller 2018-03-22 14:33:56 UTC
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1559165
Comment 3 Beniamino Galvani 2018-03-28 07:30:49 UTC
Created attachment 370234
[PATCH] service,properties: support the --crl-verify option
Comment 4 Thomas Haller 2018-03-28 13:59:42 UTC
(In reply to Beniamino Galvani from comment #3)
> Created attachment 370234
> [PATCH] service,properties: support the --crl-verify option

lgtm