> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.
> Comment #8 also indicates a security vulnerability, doesn't it?
Yes, lack of ns-cert-type server support is indeed a security vulnerability. It affects sites that use a single CA to sign both client and server certificates. The risk is that anyone's client certificate can be used to impersonate the server; for example, to execute a man-in-the-middle attack.
One workaround would be to use the newer "--remote-cert-tls server" option instead, but that requires an X.509v3 extension in the server certificate, which some sites do not have.
Another workaround would be to use the "--verify-x509-name" option, but network-manager-openvpn does not support it.
Another workaround would be to use the "--tls-remote" option, but that one is deprecated, and network-manager-openvpn's support for it breaks if there is a space in the server certificate's Common Name field.
In short, NetworkManager's OpenVPN support is not merely weak; it is severely broken. This particular break (which is not the only one) puts users at risk by silently discarding important security precautions that are configured in the .ovpn files it "imports".
https://openvpn.net/index.php/open-source/documentation/howto.html#mitm
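The comment above describes a configuration that is only safe as long as the client verifies that the peer is the server and not merely another holder of a certificate from the same CA. The following is an added example, not code from the bug report or from network-manager-openvpn: a small pure-Python audit that reads a `.ovpn` profile before import, lists which server-identity directives it carries, and flags the ones the comment says network-manager-openvpn drops or mishandles (`ns-cert-type` and `verify-x509-name` unsupported; `tls-remote` fragile when the Common Name contains a space). The sample profiles, hostnames and the placeholder inside the `<ca>` block are constructed for the example, and the "lost on import" rule encodes only the behaviour stated in the comment.

```python
"""Audit an OpenVPN client profile for server-identity verification.

Added example: checks which directives make the client verify that the
peer is *the server* (not just any certificate from the same CA), and which
of them the bug-thread comment says network-manager-openvpn does not honour.
"""
import shlex

# Directives that bind the TLS peer to a server role or a server name.
SERVER_IDENTITY_DIRECTIVES = {
    "ns-cert-type": "legacy Netscape certificate-type check",
    "remote-cert-tls": "X.509v3 extended-key-usage check",
    "remote-cert-eku": "explicit extended-key-usage check",
    "remote-cert-ku": "key-usage check",
    "verify-x509-name": "subject-name check",
    "tls-remote": "deprecated subject-name check",
}

# Per the comment above: not supported by network-manager-openvpn.
UNSUPPORTED_BY_NM = {"ns-cert-type", "verify-x509-name"}


def parse_profile(text):
    """Return [(directive, [args])] from .ovpn text.

    Skips blank lines, '#'/';' comments and the bodies of inline
    <ca>/<cert>/<key>/<tls-auth> blocks.
    """
    directives = []
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def audit_profile(text):
    """Classify the profile's server-identity checks.

    verdict is one of:
      "no-server-identity-check"  nothing binds the peer to the server role
      "check-lost-on-import"      checks exist but none survives NM import
      "ok"                        at least one check survives NM import
    """
    found = {d: args for d, args in parse_profile(text) if d in SERVER_IDENTITY_DIRECTIVES}
    warnings = []
    if not found:
        warnings.append("no server-identity directive: with a shared CA, any client "
                        "certificate can impersonate the server (MITM)")
        return {"found": [], "effective_after_import": [],
                "verdict": "no-server-identity-check", "warnings": warnings}

    effective = []
    for directive, args in found.items():
        if directive in UNSUPPORTED_BY_NM:
            warnings.append(f"{directive}: not supported by network-manager-openvpn, "
                            "silently dropped on import")
            continue
        if directive == "tls-remote":
            expected_name = args[0] if args else ""
            if " " in expected_name:
                warnings.append("tls-remote: network-manager-openvpn's support breaks "
                                "when the Common Name contains a space")
                continue
            warnings.append("tls-remote: deprecated, prefer verify-x509-name or remote-cert-tls")
        if directive == "remote-cert-tls":
            warnings.append("remote-cert-tls: server certificate must carry the "
                            "X.509v3 extended key usage extension")
        effective.append(directive)

    verdict = "ok" if effective else "check-lost-on-import"
    return {"found": sorted(found), "effective_after_import": effective,
            "verdict": verdict, "warnings": warnings}


# Constructed sample profiles (not real deployments).
PROFILE_NS_ONLY = """\
client
dev tun
remote vpn.example.test 1194
# relies only on the legacy check the comment says NM drops
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-PEM-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

PROFILE_EKU = "client\ndev tun\nremote vpn.example.test 1194\nremote-cert-tls server\n"
PROFILE_NO_CHECK = "client\ndev tun\nremote vpn.example.test 1194\n"
PROFILE_TLS_REMOTE_SPACE = "client\ndev tun\nremote vpn.example.test 1194\ntls-remote \"VPN Server\"\n"

if __name__ == "__main__":
    for name, profile in [("ns-only", PROFILE_NS_ONLY), ("eku", PROFILE_EKU),
                          ("no-check", PROFILE_NO_CHECK), ("tls-remote-space", PROFILE_TLS_REMOTE_SPACE)]:
        result = audit_profile(profile)
        print(f"{name}: {result['verdict']}")
        for w in result["warnings"]:
            print(f"  - {w}")
```

Run it over a profile before handing it to the NetworkManager importer; a verdict other than `ok` means the imported connection would verify the CA chain only, which is exactly the single-CA impersonation case described in the comment.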