[Openvpn-users] Re: First OpenVPN 2.0 Release Candidate is available


  • Subject: [Openvpn-users] Re: First OpenVPN 2.0 Release Candidate is available
  • From: ntyni+gmane@xxxxxxxxxxxxxxxxx (Niko Tyni)
  • Date: Wed, 8 Dec 2004 16:24:20 +0000 (UTC)

In article <Pine.LNX.4.58.0412080430390.1206@xxxxxxxxx>, James Yonan wrote:
 
> OpenVPN allows a lot of flexibility in terms of configuration, and some
> users may purposely choose a configuration with less security than normal
> simply because it makes sense for their application.  Normally, this kind
> of usage gets a warning, and I think that running a TLS client without one
> of tls-remote, tls-verify, or the new ns-cert-type directives should also
> trigger a warning.  On the other hand, making it a fatal error would 
> certainly get people's attention.  I'd want more feedback before taking 
> that route, as it generally goes against the approach we've used so far of 
> issuing warnings but otherwise assuming that people know what they're 
> doing.

Maybe I'm missing something, but isn't it secure to run without any of
tls-remote, tls-verify or ns-cert-type if you are signing the client
certificates with a different CA than the server certificate(s)? 
This way a malicious client can't impersonate a server to other clients,
eliminating the possibility of the MITM attack. 

This seems to work OK in our test setup, and I don't see any reason to
make it a fatal error.

(Posting through the gmane.org NNTP server, hope this is going to work.)
-- 
niko


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
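As an added example (not code from the thread or from the OpenVPN project): a `tls-verify` script of the kind James Yonan lists among the three server-identity checks. OpenVPN 2.0 runs the script once per certificate in the peer's chain, passing the depth (0 is the peer's own certificate) and the X509 subject string, and a non-zero exit rejects the connection. The expected CN `vpn-server.example.org`, the script path in the commented config lines, and the subject strings are all made up for illustration. It is meant for the single-CA layout the thread is debating, where a valid client certificate would otherwise be accepted as a server; in Niko Tyni's split-CA setup the `ca` check alone already refuses client-CA-signed certificates.

```shell
#!/bin/sh
# Added example: a tls-verify script for an OpenVPN 2.0 client. Not from the
# OpenVPN project; the CN, the path and the subject strings are assumptions.
#
# Client config lines that would use it (assumed layout):
#   ca         ca.crt                 # same CA signs servers and clients
#   tls-verify /etc/openvpn/verify-server.sh
#
# Equivalent checks without a script (the other two directives in the thread):
#   ns-cert-type server               # require the nsCertType=server extension
#   tls-remote  vpn-server.example.org
#
# OpenVPN calls: verify-server.sh <depth> <X509 subject>
# depth 0 is the peer's own certificate; higher depths are the CA chain,
# which OpenVPN has already validated against "ca".

EXPECTED_CN="vpn-server.example.org"

verify_peer() {
    depth="$1"
    subject="$2"

    # Only the leaf certificate carries the server identity; accept CA depths.
    if [ "$depth" != "0" ]; then
        return 0
    fi

    # Extract CN from a subject such as /C=FI/O=Example/CN=vpn-server.example.org
    cn=$(printf '%s' "$subject" | sed -n 's|.*/CN=\([^/]*\).*|\1|p')

    if [ "$cn" = "$EXPECTED_CN" ]; then
        return 0
    fi

    # A certificate signed by the same CA but issued to a client (or to
    # anyone else) lands here and is refused, which closes the MITM hole.
    echo "tls-verify: rejecting peer CN '$cn' (expected '$EXPECTED_CN')" >&2
    return 1
}

# When invoked by OpenVPN with its two arguments, act on them directly.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

The script must be executable and reachable under the path given to `tls-verify`; OpenVPN's `script-security` restrictions do not exist in the 2.0 release candidates, but the script still runs with the daemon's privileges, so keep it minimal and avoid passing the subject string to anything that interprets shell metacharacters.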