Hi,
I've been thinking about the code that I recently modified. The
handle_blob_item function checks if the blob markers (BEGIN CERTIFICATE
etc.) are present and returns false without consuming any lines if they're
missing. I fail to see the point, why not just copy everything between the
begin and end tags? This is simpler and more consistent, because for non-inline
certificates/keys/... this is also not checked, not to mention that pkcs12
blobs (which currently also don't work in nm-openvpn) don't have those markers
at all. It also makes error detection harder. If you import an OpenVPN
configuration with broken blob markers, nm-openvpn will silently ignore the
blobs and proceed with the import, leaving people unable to figure out what
went wrong. Otoh OpenVPN *will* tell you what went wrong if you try to use a
certificate with broken blob markers: "Cannot load CA certificate file
/home/mberndt/.cert/client-ca.pem (no entries were read) (OpenSSL)".
Oh, and there's another thing: afaics, if you don't use inline blobs but files
for the certificate/key/ca, nm-openvpn will not copy them somewhere safe
(~/.cert, say) – bad idea. Jane User will plug in her USB stick, import her
OpenVPN configuration from it and then start cursing the next day when she
can't connect any longer after unplugging it.
What do you guys think?
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
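
The approach proposed in the message above, as an added example (not code from the post or from nm-openvpn): copy everything between the inline tags verbatim and treat missing PEM markers as a reason to warn at import time, not to drop the blob. The names extract_inline_blob and blob_has_pem_markers and both sample configurations are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample configs: one valid inline CA, one with broken markers. */
static const char SAMPLE_OK[] =
    "client\n<ca>\n-----BEGIN CERTIFICATE-----\nAAAA\n"
    "-----END CERTIFICATE-----\n</ca>\n";
static const char SAMPLE_BROKEN[] =
    "client\n<ca>\n---BEGIN CERTIFICATE---\nAAAA\n</ca>\n";

/* Hypothetical helper: return a malloc'd copy of everything between
 * "<tag>" and "</tag>", without inspecting the content. Returns NULL
 * if either tag is missing. Simplification: tags are found with strstr,
 * so they are not required to start a line. */
char *extract_inline_blob(const char *config, const char *tag)
{
    char open_tag[64], close_tag[64];
    const char *start, *end;
    char *blob;

    snprintf(open_tag, sizeof open_tag, "<%s>", tag);
    snprintf(close_tag, sizeof close_tag, "</%s>", tag);
    start = strstr(config, open_tag);
    if (!start) return NULL;
    start += strlen(open_tag);
    if (*start == '\r') start++;          /* skip the line end after the tag */
    if (*start == '\n') start++;
    end = strstr(start, close_tag);
    if (!end) return NULL;
    blob = malloc((size_t)(end - start) + 1);
    if (!blob) return NULL;
    memcpy(blob, start, (size_t)(end - start));
    blob[end - start] = '\0';
    return blob;
}

/* Diagnostic only: 1 if both PEM markers are present, 0 otherwise.
 * pkcs12 data has no such markers, so 0 means "warn", not "reject". */
int blob_has_pem_markers(const char *blob)
{
    const char *b = strstr(blob, "-----BEGIN ");
    return b != NULL && strstr(b, "-----END ") != NULL;
}

int main(void)
{
    char *blob = extract_inline_blob(SAMPLE_BROKEN, "ca");
    if (blob && !blob_has_pem_markers(blob))
        fprintf(stderr, "warning: <ca> blob imported without PEM markers\n");
    free(blob);
    return 0;
}
```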