Re: [Openvpn-users] Possible Man-in-middle attack by trusted user (?)


  • Subject: Re: [Openvpn-users] Possible Man-in-middle attack by trusted user (?)
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Fri, 26 Nov 2004 10:37:17 +1300

James Yonan wrote:

I agree that offering an option to check nsCertType is a good idea, I will add this to the list.



FYI - I wouldn't rely totally on nsCertType as that is Netscape-specific (although commonly set as they invented SSL!). I'm assuming here that most people would use the self-signed certs or an openssl-generated CA - so that choice would be fine - as you just tell users what to do. But some users might already have an existing PKI infrastructure and want to use certs signed by that. So yes - set nsCertType accordingly - but I'd suggest you also use the extendedKeyUsage field to set "serverAuth" and "clientAuth" appropriately.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
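The suggestion above, worked through as an added example (not code from the thread or from the OpenVPN project): an OpenSSL extension profile that sets both nsCertType and extendedKeyUsage per role, a throwaway CA that signs one server and one client certificate with it, and a check that a client certificate is rejected when presented as a server. The CA name, file names and the ext.cnf profile are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: role-specific certificate extensions for a VPN CA, verified with openssl.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed extension profiles: nsCertType for Netscape-style checks,
# extendedKeyUsage (plus keyUsage) for everything that ignores nsCertType.
cat > ext.cnf <<'EOF'
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth

[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth
EOF

# make_ca: self-signed CA (assumed name) used to sign both roles
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=ExampleVPN-CA -days 1 >/dev/null 2>&1
}

# issue NAME SECTION: key + CSR, signed by the CA with the given extension section
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 1 -extfile ext.cnf -extensions "$2" >/dev/null 2>&1
}

# has_purpose CERT PURPOSE: exit 0 only if the cert chains to the CA and its
# nsCertType/keyUsage/extendedKeyUsage allow PURPOSE (sslserver or sslclient)
has_purpose() {
  openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

make_ca
issue server server_ext
issue client client_ext
```

Later OpenVPN releases added the `--ns-cert-type` and then `--remote-cert-tls` options, which apply this kind of role check to the peer's certificate at connect time.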


Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users