Diffstat (limited to '')
-rw-r--r-- | init.c | 2 | ||||
-rw-r--r-- | openvpn.8 | 8 | ||||
-rw-r--r-- | options.c | 6 |
3 files changed, 10 insertions, 6 deletions
@@ -1769,7 +1769,7 @@ do_option_warnings (struct context *c) && !o->tls_verify && !o->tls_remote && !(o->ns_cert_type & NS_SSL_SERVER) - && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0])) + && !o->remote_cert_eku) msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); #endif #endif @@ -4114,7 +4114,7 @@ Require that peer certificate was signed with an explicit .B key usage and .B extended key usage -based on TLS rules. +based on RFC3280 TLS rules. This is a useful security option for clients, to ensure that the host they connect to is a designated server. @@ -4125,11 +4125,15 @@ option is equivalent to .B --remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication" +The key usage is digitalSignature and/or keyAgreement. + The .B --remote-cert-tls server option is equivalent to .B ---remote-cert-ku a0 08 --remote-cert-eku "TLS Web Server Authentication" +--remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication" + +The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). This is an important security precaution to protect against a man-in-the-middle attack where an authorized client @@ -484,8 +484,8 @@ static const char usage_message[] = " explicit extended key usage. Extended key usage can be encoded\n" " as an object identifier or OpenSSL string representation.\n" "--remote-cert-tls t: Require that peer certificate was signed with explicit\n" - " key usage and extended key usage based on TLS rules.\n" - " t = 'client | 'server'.\n" + " key usage and extended key usage based on RFC3280 TLS rules.\n" + " t = 'client' | 'server'.\n" #endif /* OPENSSL_VERSION_NUMBER */ #endif /* USE_SSL */ #ifdef ENABLE_PKCS11 
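Review bot: In the do_option_warnings hunk (init.c), the new test `&& !o->remote_cert_eku` treats an empty string as a configured verification method, whereas the removed test also checked `!o->remote_cert_eku[0]`. If option parsing can store an empty value for --remote-cert-eku (not visible in this hunk), the man-in-the-middle warning would be suppressed even though no usable EKU is set. Either keep the empty-string check or reject an empty value where the option is parsed, and state the invariant next to the test, for example `/* remote_cert_eku is NULL when unset; empty values are rejected at parse time */`. The function body starts and ends outside the hunk.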
@@ -4951,7 +4951,7 @@ add_option (struct options *options,
 if (streq (p[1], "server"))
 {
 options->remote_cert_ku[0] = 0xa0;
- options->remote_cert_ku[1] = 0x08;
+ options->remote_cert_ku[1] = 0x88;
 options->remote_cert_eku = "TLS Web Server Authentication";
 }
 else if (streq (p[1], "client")) |
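Review bot: The key-usage masks in the "server" branch of add_option are bare hex, so a reader cannot check `0xa0` and `0x88` against the man-page wording without decoding the X.509 keyUsage bits by hand. A comment on each assignment would pin the intent: `/* digitalSignature | keyEncipherment */` on the `[0]` line and `/* digitalSignature | keyAgreement */` on the `[1]` line. Because this change alters which server certificates a client accepts, it is worth confirming that the comparison code treats the array as a list of exact allowed values; this hunk does not show it. add_option starts and ends outside the hunk.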