Since secure certificate management implies that the user generates a
key and CSR independently, the user can choose not to encrypt that
certificate at generation time. Further, even if the private key is
generated by a "trusted" third party and provided to the user (bad! --
means the private key touched someone else's equipment, had to be moved
between machines, all of these creating points of vulnerability) with an
encrypted password already present (also bad -- means that password had
to be known by someone other than the user at some point), the user has
the ability to re-encrypt the certificate with a different password at
some point in the future, so you *can't* know that the certificate is
encrypted.

With auth-user-pass, circumventing the password prompt is significantly
harder -- the "easiest" way requires a recompiled OpenVPN client -- and
there are server-side measures which can be taken to ensure that users'
passwords are strong and frequently rotated (which a purely client-side
password used to encrypt a key will almost never be).
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
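The post's point is that the server side cannot tell whether a client's private key is passphrase-protected. What a client or its administrator can do is audit the key files they hold. The following is an added example (not code from the post or from the OpenVPN project): it inspects the PEM framing of a key file and reports whether the key is unencrypted, encrypted in the traditional OpenSSL style (a `Proc-Type: 4,ENCRYPTED` header inside the block), or encrypted as PKCS#8. The sample PEM bodies are constructed placeholders, not real key material; the function names and return labels are this example's own.

```python
"""Client-side check: is a PEM private key file passphrase-protected?

Added example, not from the mailing-list post. It inspects only PEM
labels and headers; it does not parse or validate the key bytes.
The sample blocks below are constructed placeholders, not real keys.
"""
import re

# Traditional OpenSSL private keys carry the encryption flag in RFC 1421-style
# headers inside the block; PKCS#8 carries it in the BEGIN/END label itself.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY",
}
ENCRYPTED_PKCS8_LABEL = "ENCRYPTED PRIVATE KEY"

_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def _pem_headers(body: str) -> dict:
    """Parse 'Name: value' header lines that precede the base64 data, if any."""
    headers = {}
    for line in body.splitlines():
        if not line.strip():
            break  # a blank line terminates the header section
        if ":" not in line:
            break  # first base64 line: this block has no headers
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def classify_pem_key(text: str) -> str:
    """Return 'pkcs8-encrypted', 'traditional-encrypted', 'unencrypted'
    or 'no-private-key'. If the file also holds certificates (a bundled
    client config), those blocks are skipped; the first private key wins.
    """
    for m in _BLOCK_RE.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label == ENCRYPTED_PKCS8_LABEL:
            return "pkcs8-encrypted"
        if label in PRIVATE_KEY_LABELS:
            if _pem_headers(body).get("Proc-Type") == "4,ENCRYPTED":
                return "traditional-encrypted"
            return "unencrypted"
    return "no-private-key"


def dek_cipher(text: str):
    """Cipher named in the DEK-Info header of a traditional encrypted key,
    or None when the key is unencrypted, PKCS#8 or absent."""
    for m in _BLOCK_RE.finditer(text):
        if m.group("label") in PRIVATE_KEY_LABELS:
            dek = _pem_headers(m.group("body")).get("DEK-Info")
            return dek.split(",", 1)[0] if dek else None
    return None


# Constructed samples: bodies are placeholder base64, NOT real key material.
UNENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
TRADITIONAL_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

U2FsdGVkX1placeholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0placeholderplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIDplaceholderplaceholder
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_key.py client.key   (defaults to the sample below)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNENCRYPTED_KEY
    print(classify_pem_key(data), dek_cipher(data))
```

Run it over each `.key` (or inline `<key>` section) on a client and flag anything reported as `unencrypted`. It remains a local check: as the post says, nothing in the TLS handshake lets the server distinguish a key that was decrypted with a passphrase from one stored in the clear.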