Hello,

Every certificate you sign will have "purpose" options embedded in it. There are a variety of options, but for this discussion let's say there are "client" and "server". Because you control the certificate authority, you control which certificates have a "server" purpose. Your clients can be configured to only connect to servers with a "server" certificate. This helps against MITM attacks because there are a limited number of these certificates, and one presumes their keys are heavily protected.

To see a certificate's purpose:

    openssl x509 -in certificatefile.crt -noout -purpose

The man page suggests that two similarly named servers can be defined with the "--tls-remote" option. Maybe it doesn't easily allow two dissimilarly named servers? I don't know, as all of my OpenVPN networks only have one server.

As I read the man page, it doesn't seem to say one option is better than the other. In my opinion, the "--ns-cert-type" and "--tls-remote" complement one another. I say use them together for defense-in-depth.

Ken

> In the online docs, it mentions that a man in the middle attack can
> best be prevented by using the --ns-cert-type <client|server>
> option, while using the --tls-remote <server common name> ranks
> second. Why is --ns-cert-type more effective in this context?
>
> Regards,
> Michael

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
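An added example, not from Ken's message or from the OpenVPN project, that walks through the purpose check above end to end: it builds a throwaway CA with one certificate marked for server use and one for client use, then runs the post's `openssl x509 -purpose` command and an `openssl verify -purpose sslserver` chain check against each, which is the restriction a client enforces when it only accepts "server" certificates. It assumes OpenSSL 1.1.1 or newer is installed; every name and path in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA signs one "server" and one "client" leaf,
# then each leaf is checked for the "SSL server" purpose. Needs OpenSSL 1.1.1+.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK=$(mktemp -d)
# Self-contained OpenSSL config so the demo does not depend on a system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Create the CA, then sign one leaf per role. extendedKeyUsage (serverAuth
# vs clientAuth) is the extension that fixes each certificate's purpose.
make_demo_pki() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  for role in server client; do
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=demo-$role" -keyout "$WORK/$role.key" -out "$WORK/$role.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage = %sAuth\n' "$role" > "$WORK/$role.ext"
    openssl x509 -req -days 30 -in "$WORK/$role.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -extfile "$WORK/$role.ext" -out "$WORK/$role.crt" >/dev/null 2>&1
  done
}

# The check from the post, reduced to "yes"/"no" for the "SSL server" purpose line.
cert_server_purpose() {
  openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL server *: *//p' | tr '[:upper:]' '[:lower:]'
}

# Chain-verify a certificate for the server role against the demo CA: this is the
# restriction a client enforces when it only accepts "server" certificates.
verify_as_server() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

make_demo_pki
for role in server client; do
  printf '%s.crt: SSL server purpose=%s, ' "$role" "$(cert_server_purpose "$WORK/$role.crt")"
  if verify_as_server "$WORK/$role.crt"; then echo "accepted as server"; else echo "rejected as server"; fi
done
```

The client certificate reports `SSL server : No` and fails the server-role chain check even though it was signed by the same CA, which is exactly why a client-only certificate cannot be reused to impersonate the server.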