
Re: [Openvpn-users] First OpenVPN 2.0 Release Candidate is available

  • Subject: Re: [Openvpn-users] First OpenVPN 2.0 Release Candidate is available
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 8 Dec 2004 19:11:38 -0700 (MST)

On Wed, 8 Dec 2004, Richard Atterer wrote:

> On Tue, Dec 07, 2004 at 02:37:31PM -0700, James Yonan wrote:
> > I would encourage everyone to give it a workout in as many real-world
> > situations as possible.
> Hi, IMHO there is a problem in the way the recent man-in-the-middle 
> vulnerability (you could call it that!) was handled.
> AFAICT, neither the program nor the documentation currently prevent users
> from making the mistake of not specifying the "tls-verify" option to avoid
> this problem. Was the HOWTO updated at all about this?

Okay, I've added this to the HOWTO:

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients.  There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
    script.  This will designate the certificate as a
    server-only certificate by setting nsCertType=server.
    Now add the following line to your client configuration:
    ns-cert-type server

    This will block clients from connecting to any
    server which lacks the nsCertType=server designation
    in its certificate, even if the certificate has been
    signed by the CA which is cited in the OpenVPN configuration
    file (--ca directive).

(2) Use the --tls-remote directive on the client to
    accept/reject the server connection based on the common
    name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
    server connection based on a custom test of the server
    certificate's embedded X509 subject details.

(4) Sign server certificates with one CA and client certificates
    with a different CA.  The client config "ca" directive should
    reference the server-signing CA while the server config "ca"
    directive should reference the client-signing CA.


Openvpn-users mailing list
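The four HOWTO options above are all client-side configuration, and the failure mode they address is a client config that names a `ca` but nothing else, so any certificate the CA has signed (another client's included) is accepted as the server. The following audit script is an added example, not code from the OpenVPN project or from this thread; it parses a client config in the 2.0 text format and reports which of the server-verification mechanisms is present. The sample configs and hostnames are constructed. The directives `remote-cert-tls` and `verify-x509-name` are the later OpenVPN replacements for `ns-cert-type` and `tls-remote` and are recognised as equivalent; option (4), the split-CA setup, cannot be detected from the client file alone and is noted as such in the code.

```python
"""Audit an OpenVPN client configuration for server-certificate verification.

Added example (not OpenVPN project code). Recognises the mitigations from the
2.0 HOWTO text (ns-cert-type server, tls-remote, tls-verify) plus their later
equivalents (remote-cert-tls server, verify-x509-name). Option (4), signing
servers and clients with different CAs, is a CA-layout decision and cannot be
seen in the client config, so it is not checked here.
"""

# Constructed sample configs (hostnames and file names are placeholders).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
# no ns-cert-type / tls-remote / tls-verify:
# any certificate signed by ca.crt, another client's included, passes as the server
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
# option (1): only accept certificates carrying nsCertType=server
ns-cert-type server
# option (2): additionally pin the server certificate's common name
tls-remote vpn.example.test
"""


def parse_config(text):
    """Yield (directive, args) per option line. '#' and ';' start a comment."""
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if not tokens:
            continue
        # Config files normally omit the leading '--', but tolerate it.
        yield tokens[0].lstrip("-"), tokens[1:]


def audit_client_config(text):
    """Return {'ok', 'mechanisms', 'findings'} for a client config string.

    'ok' is True only when a CA is configured AND at least one directive
    restricts which CA-signed certificates may act as the server.
    """
    opts = {}
    for name, args in parse_config(text):
        opts[name] = args  # last occurrence wins, as OpenVPN does for most options
    mechanisms, findings = [], []

    if "ca" not in opts:
        findings.append("no 'ca' directive: the server certificate chain is not checked at all")

    # Option (1): certificate-type restriction (ns-cert-type, later remote-cert-tls).
    for directive in ("ns-cert-type", "remote-cert-tls"):
        if directive in opts:
            if opts[directive] == ["server"]:
                mechanisms.append(f"{directive} server")
            else:
                findings.append(f"'{directive}' present but not set to 'server' (got {opts[directive]!r})")

    # Option (2): pin the expected subject / common name (tls-remote, later verify-x509-name).
    for directive in ("tls-remote", "verify-x509-name"):
        if directive in opts:
            if opts[directive]:
                mechanisms.append(f"{directive} {opts[directive][0]}")
            else:
                findings.append(f"'{directive}' present without a name to match")

    # Option (3): custom script or plugin verifying the X509 subject.
    if "tls-verify" in opts:
        mechanisms.append("tls-verify " + " ".join(opts["tls-verify"]))

    if not mechanisms:
        findings.append("no server-verification directive: any certificate signed by the CA, "
                        "including another client's, is accepted as the server")

    return {"ok": bool(mechanisms) and "ca" in opts,
            "mechanisms": mechanisms,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_client_config(cfg)
        print(f"{label}: ok={report['ok']} mechanisms={report['mechanisms']}")
        for f in report["findings"]:
            print("  finding:", f)
```

Running the script on a real client file (`audit_client_config(open("client.ovpn").read())`) is enough to catch the configuration mistake Richard describes; a config that passes the audit still needs the server side to match (the server certificate actually carrying `nsCertType=server`, or its CN matching the pinned name), which is a check against the certificate rather than the config file.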