On Wed, Feb 14, 2024 at 05:18:21PM +0000, tincantech wrote: > On Wednesday, 14 February 2024 at 15:22, Frank Lichtenheld > <fr...@lichtenheld.com> wrote: > > > Meeting summary for 14 February 2024: > > <snip> > > > * New: Easy-rsa in Windows installers > > easy-rsa has included pre-built Windows binaries for a long time. But with > > Windows 11 they do not seem to work correctly anymore in some cases. > > Just to clarify: > Easy-RSA works perfectly as-is on W10 & W11 but requires Windows Admin access. > Without Windows Admin Access, Easy-RSA on W11 does not work with the now 10 > year > old MKSH:sh.exe
Either way, I think everyone agrees that the current situation of shipping a ten-year old executable that causes some problems on the latest version of Windows isn't ideal. > This is annoying but it isn't a complete deal-breaker. Understood. The question about removing easy-rsa isn't so much about whether it is unusable in the current release. But we do not want to leave it in the current state. So, if we need to invest time and effort now anyway to update this to a modern standard (e.g. in terms of supply chain security), we want to use the opportunity to ask ourselves whether bundling easy-rsa with openvpn actually provides a value for the openvpn project and its users. It definitely has a cost. Most openvpn developers do not see a corresponding value in it (or they did not mention it so far). When using openvpn as a client, easy-rsa is not useful. If setting up a p2p connection, peer fingerprint can be used which requires openssl but not easy-rsa. So are there people that actually use openvpn as a server on Windows and do not have their own separate PKI and so use the bundled easy-rsa? That is something we would like to learn more about. Note that none of this negates the usefulness of easy-rsa. This is specifically about the usefulness of easy-rsa bundled in the openvpn Windows installer. Regards, -- Frank Lichtenheld _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
