
The man-in-the-middle man page

  • Subject: The man-in-the-middle man page
  • From: Ed Ravin <eravin@xxxxxxxxx>
  • Date: Thu, 9 Dec 2004 19:38:45 -0500

On Wed, Dec 08, 2004 at 07:11:38PM -0700, James Yonan wrote:

> Okay, I've added this to the HOWTO:
> To avoid a possible Man-in-the-Middle attack where an authorized
> client tries to connect to another client by impersonating the
> server, make sure to enforce some kind of server certificate
> verification by clients.  There are currently four different ways
> of accomplishing this, listed in the order of preference:
> (2) Use the --tls-remote directive on the client to
>     accept/reject the server connection based on the common
>     name of the server certificate.

Turning on tls-remote failed for me with an OpenVPN 2.0beta_11 client:

   openvpn[4281]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

When I upgraded the client to 2.0_rc1, it worked as expected.  The
server started out as beta11 and I upgraded it to rc1, but that
didn't change this behavior.

Just mentioning this in case anyone else gets hit by it.
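The point behind the quoted HOWTO advice is that, in the usual setup, every client certificate is signed by the same CA as the server certificate, so a client that only checks "signed by our CA" will also accept another authorized client's certificate as the server. Below is an added example (my code, not from this thread and not part of OpenVPN) that models what --tls-remote adds to that check and audits a client config for any server-identity directive. The "/C=.../CN=..." subject format and the prefix-matching behaviour of --tls-remote are my reading of the 2.0/2.1 man page, and the directives other than tls-remote (verify-x509-name, ns-cert-type, remote-cert-tls, tls-verify) are assumptions about later OpenVPN releases, not something this thread states; the certificates and configs are constructed sample data.

```python
"""Added example, not from the original thread or from OpenVPN itself.

Models (1) why a client that only checks "issued by our CA" is open to an
authorized-peer-as-server attack and what --tls-remote adds, and (2) a
quick audit of a client config for server-identity directives.
"""
import re

# Assumption: directives that make the client check *which* certificate the
# server presents, not merely that the CA signed it. Only tls-remote is
# discussed in the thread; the rest are later additions as I understand them.
SERVER_IDENTITY_DIRECTIVES = (
    "tls-remote",        # discussed above; prefix match on the CN
    "verify-x509-name",  # assumption: later exact-match replacement
    "ns-cert-type",      # assumption: nsCertType=server check
    "remote-cert-tls",   # assumption: EKU-based server check
    "tls-verify",        # assumption: external verification script
)

# Constructed sample certificates (subject/issuer only; no real keys).
CA_DN = "/C=US/O=Example VPN/CN=Example VPN CA"
SERVER_CERT = {"subject": "/C=US/O=Example VPN/CN=vpn-server", "issuer": CA_DN}
ALICE_CERT = {"subject": "/C=US/O=Example VPN/CN=alice", "issuer": CA_DN}
ROGUE_CERT = {"subject": "/C=US/O=Other/CN=vpn-server",
              "issuer": "/C=US/O=Other/CN=Other CA"}


def common_name(x509_subject):
    """Extract the CN from a '/C=.../CN=name' style subject string."""
    m = re.search(r"/CN=([^/]+)", x509_subject)
    return m.group(1) if m else None


def tls_remote_accepts(x509_subject, tls_remote):
    """Model of --tls-remote matching (assumption: 2.0/2.1 semantics).

    Accepts when the full X509 subject equals tls_remote, or when the CN
    starts with tls_remote (the man page describes the value as a possible
    common-name prefix, which is the pitfall shown in the test below)."""
    if x509_subject == tls_remote:
        return True
    cn = common_name(x509_subject)
    return cn is not None and cn.startswith(tls_remote)


def accept_server(cert, trusted_issuer, tls_remote=None):
    """Decide whether a client accepts the presented server certificate.

    Without tls_remote this is the weak "signed by our CA" check; with it,
    the subject must also match, which is what stops another client from
    impersonating the server."""
    if cert["issuer"] != trusted_issuer:
        return False
    if tls_remote is None:
        return True
    return tls_remote_accepts(cert["subject"], tls_remote)


def audit_client_config(config_text):
    """Return the server-identity directives found in an OpenVPN client config.

    An empty list means the client will accept any certificate the CA
    signed, including another client's. Lines starting with '#' or ';' are
    comments in OpenVPN configs and are ignored."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        directive = line.split()[0].lstrip("-")
        if directive in SERVER_IDENTITY_DIRECTIVES:
            found.append(directive)
    return found


# Constructed sample configs: the weak one is a typical 2.0-era client config
# with no server-identity check; the hardened one adds --tls-remote.
WEAK_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert alice.crt
key alice.key
; tls-remote is commented out here, so it does not count
"""
HARDENED_CLIENT_CONFIG = WEAK_CLIENT_CONFIG + "tls-remote vpn-server\n"


if __name__ == "__main__":
    print("weak config checks:", audit_client_config(WEAK_CLIENT_CONFIG))
    print("hardened config checks:", audit_client_config(HARDENED_CLIENT_CONFIG))
    print("alice as server, CA-only:", accept_server(ALICE_CERT, CA_DN))
    print("alice as server, tls-remote:",
          accept_server(ALICE_CERT, CA_DN, tls_remote="vpn-server"))
```

The prefix behaviour is worth keeping in mind when choosing the --tls-remote value: a short value such as "vpn" also matches a client certificate whose CN happens to begin with "vpn", so use the server's full common name rather than a prefix, and keep client CNs from sharing that prefix.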