Diffstat (limited to '')
-rw-r--r--init.c2
-rw-r--r--openvpn.88
-rw-r--r--options.c6
3 files changed, 10 insertions, 6 deletions
diff --git a/init.c b/init.c
index c5b3a84..ab6a6c5 100644
--- a/init.c
+++ b/init.c
@@ -1769,7 +1769,7 @@ do_option_warnings (struct context *c)
&& !o->tls_verify
&& !o->tls_remote
&& !(o->ns_cert_type & NS_SSL_SERVER)
- && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0]))
+ && !o->remote_cert_eku)
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
#endif
#endif
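Review bot: The new condition `&& !o->remote_cert_eku` drops the empty-string case the old one covered, so a configuration whose EKU value is a non-NULL but empty string no longer triggers the "No server certificate verification method" warning, even though an empty EKU string presumably verifies nothing. This warning is the user's only hint that the TLS peer is unauthenticated, so suppressing it should only be done if an empty remote_cert_eku is now rejected at option-parsing time; if that is not the case, keep the original check, `&& (o->remote_cert_eku == NULL || !o->remote_cert_eku[0]))`. If the empty value is indeed rejected elsewhere, a short comment here saying so would stop the next reader from re-adding the guard. do_option_warnings begins before this hunk, so the rest of the condition is not visible.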
diff --git a/openvpn.8 b/openvpn.8
index 8f29469..74f422a 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -4114,7 +4114,7 @@ Require that peer certificate was signed with an explicit
.B key usage
and
.B extended key usage
-based on TLS rules.
+based on RFC3280 TLS rules.
This is a useful security option for clients, to ensure that
the host they connect to is a designated server.
@@ -4125,11 +4125,15 @@ option is equivalent to
.B
--remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"
+The key usage is digitalSignature and/or keyAgreement.
+
The
.B --remote-cert-tls server
option is equivalent to
.B
---remote-cert-ku a0 08 --remote-cert-eku "TLS Web Server Authentication"
+--remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication"
+
+The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).
This is an important security precaution to protect against
a man-in-the-middle attack where an authorized client
diff --git a/options.c b/options.c
index d882434..a6b5ba5 100644
--- a/options.c
+++ b/options.c
@@ -484,8 +484,8 @@ static const char usage_message[] =
" explicit extended key usage. Extended key usage can be encoded\n"
" as an object identifier or OpenSSL string representation.\n"
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
- " key usage and extended key usage based on TLS rules.\n"
- " t = 'client | 'server'.\n"
+ " key usage and extended key usage based on RFC3280 TLS rules.\n"
+ " t = 'client' | 'server'.\n"
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* USE_SSL */
#ifdef ENABLE_PKCS11
@@ -4951,7 +4951,7 @@ add_option (struct options *options,
if (streq (p[1], "server"))
{
options->remote_cert_ku[0] = 0xa0;
- options->remote_cert_ku[1] = 0x08;
+ options->remote_cert_ku[1] = 0x88;
options->remote_cert_eku = "TLS Web Server Authentication";
}
else if (streq (p[1], "client"))
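Review bot: The key-usage masks `0xa0` and `0x88` are bare magic numbers, and the change from `0x08` to `0x88` is only meaningful to someone who knows the X.509 KeyUsage bit layout (digitalSignature = 0x80, keyEncipherment = 0x20, keyAgreement = 0x08), so a reader cannot tell from the code that the old value accepted a keyAgreement-only certificate while the new one requires digitalSignature as well. I would add a comment above the assignments, `/* KeyUsage alternatives for a server cert: 0xa0 = digitalSignature|keyEncipherment, 0x88 = digitalSignature|keyAgreement */`, or better, name the bits in an enum and write the masks as ORs so the intent is checked by the compiler rather than by the man page. The client branch and the rest of add_option lie outside this hunk, so whether the array is terminated after element 1 cannot be confirmed here.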