
crypto: Add the --ca-pkcs11-id option

Open lkundrak opened this issue 9 years ago • 4 comments

Hi,

We're working on integrating NetworkManager with p11-kit's PKCS#11 remoting to allow using PKCS#11 with user initiated VPN (and Wi-Fi) connections: https://bugzilla.gnome.org/show_bug.cgi?id=767872

Currently OpenVPN seems to do pretty well with PKCS#11. That is, with the exception of CA handling. Users tend to need to supply their CA certificate and place it in their home directory. We'd like to use PKCS#11 instead, because then we could avoid letting the VPN daemon access files in the user's home directory directly (SELinux is already really unhappy about this) and would be able to use a nice certificate picker. Integration with smart cards would then be easier too.

I'm wondering if this and the patch make sense to you, before I post it to the list.

Thank you, Lubo

lkundrak avatar Jun 28 '16 08:06 lkundrak

At first sight, the option and the patch make sense (no time nor brains to do a proper review now, sorry). One first nitpick/bike shed though, I'd prefer to have all pkcs11 options start with --pkcs11, so would suggest to rename it to --pkcs11-ca-id.

syzzer avatar Jun 28 '16 21:06 syzzer

One related thing: won't a lot of other options also fail when openvpn can't access the homedir? Shouldn't a user be able to run openvpn with config files in the homedir, or use something like --tls-auth (which people should really use!) or --log with files in their homedir?

syzzer avatar Jun 28 '16 21:06 syzzer

Hi,

On Tue, Jun 28, 2016 at 02:17:04PM -0700, syzzer wrote:

> One related thing: won't a lot of other options also fail when openvpn can't access the homedir? Shouldn't a user be able to run openvpn with config files in the homedir, or use something like --tls-auth (which people should really use!) or --log with files in their homedir?

Well, you could always have the TLS stuff inline, and log to syslog...

All my openvpn configs do not read anything from the home dir, except the initial .ovpn conf file...

gert

USENET is not the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]

cron2 avatar Jun 29 '16 07:06 cron2

... which is an excellent point: you could also just inline the CA cert in the config, instead of specifying a path. That should work fine right now. (And if you decide to do so, please also support inlining of --tls-auth).

Still, something like --pkcs11-ca-id might make sense.

syzzer avatar Aug 02 '16 15:08 syzzer
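As an added example of the workaround Gert and syzzer describe (this is example code added to the thread, not code from the issue, the proposed patch or OpenVPN itself): a small Python script that rewrites a client config so the CA certificate and the --tls-auth key travel inline as `<ca>`/`<tls-auth>` blocks (with the key direction moved to a `key-direction` directive, as OpenVPN requires for inline tls-auth), and then lists which path-taking directives would still make the daemon open something under the user's home. The config, the home path `/home/lubo`, the `pkcs11-id` value and the certificate/key bodies are constructed placeholders; the script only handles the simple `directive path [arg]` line shape and ignores directives it does not know.

```python
"""Rewrite an OpenVPN client config so it reads nothing from $HOME except
the config itself: file-based --ca / --tls-auth (and friends) become inline
<tag>...</tag> blocks, then report any directive still pointing into $HOME.
Example code added to the issue thread; not part of OpenVPN or the patch.
"""

# Directives that take a file path and have an inline <directive> form.
INLINEABLE = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")

# Other directives that open a path; the daemon still needs access to these.
PATH_DIRECTIVES = INLINEABLE + ("log", "log-append", "status", "writepid",
                                "auth-user-pass", "config")


def inline_config(config_text, read_file):
    """Return config_text with INLINEABLE file directives replaced by inline
    blocks. read_file(path) -> str supplies the file contents, so the caller
    decides where files come from (the sample below uses a dict; real use
    would read from disk)."""
    out = []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith(("#", ";")):
            out.append(raw)
            continue
        directive = parts[0]
        if directive in INLINEABLE and len(parts) >= 2:
            path = parts[1].strip("'\"")
            body = read_file(path).strip("\n")
            out.append("<%s>" % directive)
            out.append(body)
            out.append("</%s>" % directive)
            # Inline tls-auth has no slot for the key direction (0/1):
            # OpenVPN takes it from a separate key-direction directive.
            if directive == "tls-auth" and len(parts) >= 3:
                out.append("key-direction " + parts[2])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def home_references(config_text, home):
    """List the path-taking directives that still point into `home`
    (or use ~), i.e. what breaks once the daemon loses access to it."""
    found = []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] not in PATH_DIRECTIVES:
            continue
        path = parts[1].strip("'\"")
        if path.startswith("~") or path.startswith(home.rstrip("/") + "/"):
            found.append(parts[0])
    return found


# Constructed sample config and file contents (placeholders, not real keys).
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
# CA and tls-auth key live in the user's home directory
ca /home/lubo/.cert/vpn-ca.crt
tls-auth /home/lubo/.cert/ta.key 1
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'EXAMPLE-SERIALIZED-ID'
log /home/lubo/openvpn.log
verb 3
"""

FAKE_FILES = {
    "/home/lubo/.cert/vpn-ca.crt": (
        "-----BEGIN CERTIFICATE-----\n"
        "MIIB...placeholder...\n"
        "-----END CERTIFICATE-----\n"),
    "/home/lubo/.cert/ta.key": (
        "-----BEGIN OpenVPN Static key V1-----\n"
        "00112233445566778899aabbccddeeff\n"
        "-----END OpenVPN Static key V1-----\n"),
}

INLINED_CONFIG = inline_config(SAMPLE_CONFIG, FAKE_FILES.__getitem__)

if __name__ == "__main__":
    print(INLINED_CONFIG)
    print("before:", home_references(SAMPLE_CONFIG, "/home/lubo"))
    print("after: ", home_references(INLINED_CONFIG, "/home/lubo"))
```

After inlining, the only remaining home reference is `log`, which is exactly the case Gert's "log to syslog" remark covers: drop the `log` line and let OpenVPN log via syslog, and the daemon needs nothing from the home directory beyond the config file it was started with.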

No reply from the author for quite some time. Closing.

Should anybody be willing to work on this task, please send the resulting patch to the mailing list.

ordex avatar Sep 16 '22 18:09 ordex