Comment 24 for bug 364101

Forest (foresto) wrote :

> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.

> Comment #8 also indicates a security vulnerability, doesn't it?

Yes, lack of ns-cert-type server support is indeed a security vulnerability. It affects sites that use a single CA to sign both client and server certificates. The risk is that anyone's client certificate can be used to impersonate the server; for example, to execute a man-in-the-middle attack.

One workaround would be to use the newer "--remote-cert-tls server" option instead, but that requires an X.509v3 extension in the server certificate, which some sites do not have.

Another workaround would be to use the "--verify-x509-name" option, but network-manager-openvpn does not support it.

Another workaround would be to use the "--tls-remote" option, but that one is deprecated, and network-manager-openvpn's support for it breaks if there is a space in the server certificate's Common Name field.

https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

In short, NetworkManager's OpenVPN support is not merely weak; it is severely broken. This particular break (which is not the only one) puts users at risk by silently discarding important security precautions that are configured in the .ovpn files it "imports".
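The following is an added example, not code from the bug comment, from OpenVPN or from network-manager-openvpn. It walks a DER certificate with a small pure-Python DER reader and reports which of the two server-verification options discussed above the certificate could satisfy: `ns-cert-type server` needs the Netscape nsCertType extension with its "SSL server" bit set, while `remote-cert-tls server` needs an X.509v3 extendedKeyUsage extension that lists serverAuth (OpenVPN additionally checks keyUsage for that option, which this example leaves out). The sample certificates are constructed placeholders with dummy issuer, subject, key and signature fields, so only the extension handling is real; the OID values are the standard ones.

```python
"""Added example: which OpenVPN server-verification option can a given certificate satisfy?
Pure Python, no third-party modules. Sample certificates are constructed placeholders."""

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed type into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

EXT_KEY_USAGE = oid("2.5.29.37")               # id-ce-extKeyUsage
NS_CERT_TYPE = oid("2.16.840.1.113730.1.1")    # Netscape nsCertType
SERVER_AUTH = oid("1.3.6.1.5.5.7.3.1")         # id-kp-serverAuth
CLIENT_AUTH = oid("1.3.6.1.5.5.7.3.2")         # id-kp-clientAuth
NS_SSL_SERVER, NS_SSL_CLIENT = 0x40, 0x80      # nsCertType bits, MSB first

def extensions(cert_der):
    """Return [(oid_tlv, extnValue content)] for every extension in the certificate."""
    _, cert, _ = read_tlv(cert_der)             # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                  # tbsCertificate SEQUENCE
    for tag, body in children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            _, ext_seq, _ = read_tlv(body)
            result = []
            for _, ext in children(ext_seq):
                fields = children(ext)           # OID, optional BOOLEAN critical, OCTET STRING
                result.append((tlv(0x06, fields[0][1]), fields[-1][1]))
            return result
    return []

def server_cert_status(cert_der):
    """Which server-verification option could accept this certificate as the server?"""
    status = {"ns_cert_type_server": False, "remote_cert_tls_server": False}
    for ext_oid, value in extensions(cert_der):
        if ext_oid == NS_CERT_TYPE:
            _, bits, _ = read_tlv(value)         # BIT STRING; bits[0] is the unused-bit count
            status["ns_cert_type_server"] = len(bits) > 1 and bool(bits[1] & NS_SSL_SERVER)
        elif ext_oid == EXT_KEY_USAGE:
            _, seq, _ = read_tlv(value)          # SEQUENCE OF KeyPurposeId
            status["remote_cert_tls_server"] = any(tlv(t, b) == SERVER_AUTH for t, b in children(seq))
    return status

def fake_cert(ns_type=None, eku=()):
    """Constructed placeholder: a structurally valid v3 certificate with only the requested extensions."""
    exts = []
    if ns_type is not None:
        exts.append(tlv(0x30, NS_CERT_TYPE + tlv(0x04, tlv(0x03, bytes([0, ns_type])))))
    if eku:
        exts.append(tlv(0x30, EXT_KEY_USAGE + tlv(0x04, tlv(0x30, b"".join(eku)))))
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))    # sha256WithRSAEncryption, placeholder
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg   # version v3, serial, sig alg
           + tlv(0x30, b"") * 4)                      # issuer, validity, subject, spki placeholders
    if exts:
        tbs += tlv(0xA3, tlv(0x30, b"".join(exts)))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))   # dummy signature

# Constructed samples: a server cert that only ever set nsCertType (the case the comment
# describes), a server cert that also has the X.509v3 extension, and a client cert.
LEGACY_SERVER = fake_cert(ns_type=NS_SSL_SERVER)
MODERN_SERVER = fake_cert(ns_type=NS_SSL_SERVER, eku=(SERVER_AUTH,))
CLIENT = fake_cert(ns_type=NS_SSL_CLIENT, eku=(CLIENT_AUTH,))

if __name__ == "__main__":
    for name, cert in [("legacy server", LEGACY_SERVER), ("modern server", MODERN_SERVER), ("client", CLIENT)]:
        print(f"{name:14s} {server_cert_status(cert)}")
```

Run as a script it prints the three cases. The legacy server certificate satisfies only `ns-cert-type server`, which is why the `remote-cert-tls server` workaround is not available to every site, and the client certificate satisfies neither, which is the whole point of either check: a peer presenting a client certificate from the shared CA is only rejected if one of these options is in effect.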