Hello,

According to the openvpn man page, there are only 2 possible values for --ns-cert-type: client or server. This can be found by executing the command:

openssl x509 -in certificatefile.crt -noout -purpose

For a client certificate, you should get the line:

SSL client : Yes

For a server certificate, you should get the line:

SSL server : Yes

Note that you can get both lines, or none :)

Providing --ns-cert-type server to a client openvpn instance provides the ability to be sure you connect to a "real" server and not to a client which has been reconfigured. The same way for --ns-cert-type client passed to a server openvpn instance.

For the other option, --tls-remote, this takes an x509 CN as argument. So you can verify that you connect to the right server.

Providing both options is the best: you can check that you're connecting to the right server according to its CN, and remember you verify the certificate with the CA, but you can also check that its purpose is to act as server, or client, or both (that can happen). This allows you to refuse the connection to a server if its ns-cert-type says client but you expect a server.

Hope this helps,
regards
Jean Baptiste Favre

Denis Jedig wrote:
> On Tue, 6 Mar 2007 12:25:03 +0100 Michael wrote:
>
>> If they indeed already have that, then I don't see the logic behind
>> statements like 'ns-cert-type and/or tls-remote can protect against
>> an MITM attack'.
>
> I believe the idea is to enable the VPN administrator to create more than
> one OpenVPN server (e.g. in a failover setup) with dissimilar names.
> tls-remote will only accept a single label and will use it as a substring
> match against the CN provided in the certificate.
>
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
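The following is an added shell example, not code from the thread or from the OpenVPN project. It builds a throwaway PKI with openssl (a CA, a certificate flagged nsCertType=server, one flagged nsCertType=client, and one with no nsCertType extension), classifies each from the `openssl x509 -purpose` output exactly as the mail describes, and then combines that with a substring CN match to show what a client configured with `ns-cert-type server` plus `tls-remote LABEL` is asking for. Every name, CN and file path (`vpn1.example.test`, `alice`, the temp directory) is constructed for the demo; the functions `cert_purpose`, `cert_cn`, `cn_matches` and `accept_server_cert` are the example's own.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): build a throwaway PKI
# with openssl, then check each certificate the way the mail describes.
# All names and file paths below are constructed for the demo.
set -eu

# Issue a certificate signed by the demo CA. $4 is an optional extension
# line for the certificate (e.g. "nsCertType = server"); empty means none.
issue_cert() {
    dir=$1; name=$2; cn=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ -n "$ext" ]; then
        printf '%s\n' "$ext" > "$dir/$name.ext"
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$name.crt" 2>/dev/null
    fi
}

# Create a CA plus three leaf certificates: one flagged as server, one as
# client, and one with no nsCertType extension at all.
setup_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # minimal req config so the demo does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/req.cnf" -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" server vpn1.example.test "nsCertType = server"
    issue_cert "$dir" client alice "nsCertType = client"
    issue_cert "$dir" plain vpn2.example.test ""
}

# Classify a certificate from the "SSL client"/"SSL server" lines of
# `openssl x509 -purpose`. Prints one of: server, client, both, none.
cert_purpose() {
    out=$(openssl x509 -in "$1" -noout -purpose)
    srv=no; cli=no
    if printf '%s\n' "$out" | grep -q '^SSL server : Yes'; then srv=yes; fi
    if printf '%s\n' "$out" | grep -q '^SSL client : Yes'; then cli=yes; fi
    case "$srv$cli" in
        yesyes) echo both ;;
        yesno)  echo server ;;
        noyes)  echo client ;;
        *)      echo none ;;
    esac
}

# Extract the subject CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Substring match of a label against the CN, as the thread says tls-remote does.
cn_matches() {
    case "$(cert_cn "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# What a client configured with "ns-cert-type server" plus "tls-remote LABEL"
# asks for: the peer certificate must be usable as a server AND its CN must
# contain the label. Returns 0 to accept, 1 to reject.
accept_server_cert() {
    cert=$1; label=$2
    case "$(cert_purpose "$cert")" in
        server|both) ;;
        *) echo "reject $cert: purpose is $(cert_purpose "$cert"), not server" >&2; return 1 ;;
    esac
    if ! cn_matches "$cert" "$label"; then
        echo "reject $cert: CN '$(cert_cn "$cert")' does not contain '$label'" >&2
        return 1
    fi
    echo "accept $cert: purpose=$(cert_purpose "$cert") CN=$(cert_cn "$cert")"
}

# Demo run: build the PKI in a temp dir and classify every certificate.
DEMO_DIR=$(mktemp -d)
setup_demo_pki "$DEMO_DIR"
for c in server client plain; do
    echo "$c.crt -> $(cert_purpose "$DEMO_DIR/$c.crt") (CN=$(cert_cn "$DEMO_DIR/$c.crt"))"
done
accept_server_cert "$DEMO_DIR/server.crt" example.test || true
accept_server_cert "$DEMO_DIR/client.crt" example.test || true
```

Two caveats for anyone reusing this. First, `openssl x509 -purpose` is a heuristic that also looks at keyUsage and extendedKeyUsage and reports "Yes" for both purposes when no restricting extension is present (the `plain.crt` case above), whereas OpenVPN's `--ns-cert-type server` check inspects the nsCertType extension bits directly, so a certificate with no nsCertType extension at all passes the openssl purpose check but is rejected by ns-cert-type. Second, both options discussed in the thread have since been superseded in OpenVPN: `--tls-remote` was removed in 2.4 in favour of `--verify-x509-name`, and `--ns-cert-type` was deprecated in 2.4 and later removed in favour of `--remote-cert-tls`, which checks extendedKeyUsage (and keyUsage) instead of the Netscape extension.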