KDE's network manager plasmoid does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this at start:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

This has been an issue for years. I initially only filed a bug against plasma-nm under the incorrect assumption that the network manager plasmoid had been retired: https://bugs.kde.org/show_bug.cgi?id=341070

To my great delight (as I prefer the network manager plasmoid on my laptop), I have since realized that I had been wrong, so I am filing this bug.
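The condition the report describes, shown as an added example that is not part of the bug report or of plasma-nm: two constructed OpenVPN client configs, one with a CA and tls-auth key but no directive telling OpenVPN which certificate the server must present (the case that triggers the warning quoted above), and the same config hardened with `remote-cert-tls server` and `verify-x509-name`, plus a small check that flags the weak case. The hostname, file names and the subject name are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or from plasma-nm). Both configs are
# constructed; vpn.example.org and the key/cert file names are placeholders.

# Weak: ca.crt and ta.key are present, but nothing tells OpenVPN which
# certificate the server must present. Any peer that holds ta.key and any
# certificate signed by ca.crt (another client's, for instance) can pose as
# the server, and OpenVPN will only print the "No server certificate
# verification method has been enabled" warning.
WEAK_CONF='client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
'

# Hardened: require the server certificate to carry the TLS Web Server
# Authentication extended key usage (remote-cert-tls server) and pin the
# expected subject name (verify-x509-name). A client certificate from the
# same CA no longer passes either check.
HARDENED_CONF="$WEAK_CONF"'remote-cert-tls server
verify-x509-name "vpn.example.org" name
'

# Returns 0 if the config names a server verification directive that OpenVPN
# 2.x accepts (remote-cert-tls, verify-x509-name, tls-verify, or the older
# ns-cert-type / tls-remote), 1 otherwise. Comments (# or ;) are stripped
# first so a commented-out directive does not count.
has_server_verification() {
    printf '%s\n' "$1" \
        | sed 's/[;#].*$//' \
        | grep -Eq '^[[:space:]]*(remote-cert-tls|verify-x509-name|tls-verify|ns-cert-type|tls-remote)[[:space:]]'
}

# Prints a verdict for one config; exit status mirrors the check.
check_conf() {
    if has_server_verification "$1"; then
        echo "ok: server certificate verification is configured"
        return 0
    fi
    echo "WARNING: no server certificate verification method is enabled"
    return 1
}

check_conf "$WEAK_CONF" || true
check_conf "$HARDENED_CONF"
```

`verify-x509-name` with type `name` matches the server certificate's CN against the given string; use `name-prefix` when the server certificates of a deployment share a common prefix, and `subject` to match the full distinguished name.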
Git commit 918786c28f7657ad8deff084ae44a257a7d471f6 by Lamarque V. Souza.
Committed on 29/11/2014 at 10:50.
Pushed by lvsouza into branch 'nm09'.

OpenVPN: Add option for server certificate verification

FIXED-IN: 0.9.0.12

M +1 -1 plasma_nm_version.h
M +1 -0 vpnplugins/openvpn/nm-openvpn-service.h
M +52 -15 vpnplugins/openvpn/openvpnprop.ui
M +14 -0 vpnplugins/openvpn/openvpnwidget.cpp

http://commits.kde.org/networkmanagement/918786c28f7657ad8deff084ae44a257a7d471f6
I cited the wrong bug above. The correct link is: https://bugs.kde.org/show_bug.cgi?id=341069 Thanks once again for the prompt fix.
What happened to the commit? Git shows the files unchanged. Please Reopen and fix.