On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering <g...@greenie.muc.de> wrote:
>
> On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote:
> > > What do you think of the change?
> > I like the idea. You could make the macos-keychain in the string optional.
>
> What Arne said (both parts of it) :-)
I agree -- the argument to --needs-external-cert should be optional.

Note: the argument to --needs-external-cert should be passed on to "RSA_SIGN", too. (I think Vasily omitted that from his writeup.)

So the idea would be:

* Add an optional UTF-8 string argument to --needs-external-cert. (Perhaps the docs should say this requires support from the management interface software and that currently such support is only available when using certain GUIs on OS X.)

* OpenVPN passes that argument to RSA_SIGN and NEEDS-CERTIFICATE, passing an empty string if the argument does not appear.

* OS X GUIs such as Tunnelblick and Viscosity see the new RSA_SIGN or NEEDS-CERTIFICATE argument and use keychain-mcd to deal with it. Other GUIs ignore it or use something that does something equivalent to what keychain-mcd does on OS X.

I'm not sure exactly how to add an argument to RSA_SIGN and NEEDS-CERTIFICATE without breaking existing management interface software but assume that is possible. (Also, the argument may need to be escaped when it is passed to RSA_SIGN or NEEDS-CERTIFICATE if it contains characters that are used as delimiters.)
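An added illustration of the two concerns raised above (backward compatibility and escaping), not code from the thread or from OpenVPN: the optional argument is appended as a trailing colon-separated field only when non-empty, so the old RSA_SIGN / NEEDS-CERTIFICATE lines are emitted unchanged, and delimiter characters inside the argument are backslash-escaped. The wire layout and escaping scheme are assumptions chosen for the example, not the actual management-interface format.

```python
# Illustrative encoder/decoder for an optional trailing argument on the
# management interface notifications ">RSA_SIGN:<base64>" and ">NEEDS-CERTIFICATE".
# ASSUMPTION: colon-delimited trailing field with backslash escaping; this is
# an example layout, not OpenVPN's real protocol.
import base64

DELIM = ":"

def escape_arg(arg: str) -> str:
    # Escape backslashes first, then the delimiter, so decoding is unambiguous.
    return arg.replace("\\", "\\\\").replace(DELIM, "\\" + DELIM)

def unescape_arg(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2      # drop the escape, keep the char
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def split_unescaped(s: str) -> list:
    """Split on DELIM, ignoring delimiters that are backslash-escaped."""
    fields, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep escape pair intact for now
            cur.append(c); cur.append(s[i + 1]); i += 2; continue
        if c == DELIM:
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields

def build_rsa_sign(data: bytes, arg: str = "") -> str:
    line = ">RSA_SIGN:" + base64.b64encode(data).decode("ascii")
    if arg:   # empty argument -> legacy form, unchanged for existing clients
        line += DELIM + escape_arg(arg)
    return line

def build_needs_certificate(arg: str = "") -> str:
    return ">NEEDS-CERTIFICATE" + (DELIM + escape_arg(arg) if arg else "")

def parse_rsa_sign(line: str) -> tuple:
    """Return (data_to_sign, argument); argument is "" when absent."""
    assert line.startswith(">RSA_SIGN:")
    fields = split_unescaped(line[len(">RSA_SIGN:"):])
    arg = unescape_arg(fields[1]) if len(fields) > 1 else ""
    return base64.b64decode(fields[0], validate=True), arg
```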