
[Openvpn-users] prevent man in middle attack


  • Subject: [Openvpn-users] prevent man in middle attack
  • From: cldpeak <heuermannr@xxxxxxxxxxxxx>
  • Date: Wed, 19 Jan 2005 16:36:29 +0000 (UTC)

Here's my current openssl.cnf file, borrowed from another article, that works
for my OpenVPN install.  I want to prevent the man-in-the-middle attack and add
the ns-cert-type=server in my openssl.cnf.  I'm not using easy-rsa since I'm
running OpenBSD.  What else should I add to increase security?

# openssl.cnf

[ ca ]
default_ca      = CA_default      # The default ca section

[ CA_default ]

dir             = /home/admin/CA-DB  # Top
crl_dir         = $dir/crl        # The crl location
database        = $dir/index.txt  # Database index file
new_certs_dir   = $dir/newcerts   # Location for new certs
certificate     = $dir/cacert.pem # The CA certificate
serial          = $dir/serial     # The next serial number
crl             = $dir/crl.pem    # The current CRL
unique_subject  = yes
private_key     = $dir/private/cakey.pem 
RANDFILE        = $dir/private/.rand    
default_days    = 365
default_crl_days= 30    
default_md      = md5
x509_extensions = user_extensions
 
policy          = policy_any

[ policy_any ]

organizationName        = match
organizationalUnitName  = optional
commonName              = supplied

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name

# The makeup of our subject name
[ req_distinguished_name ]
organizationName                = Organization Name (eg, company)
organizationName_default        = Inyo Technical Services
organizationalUnitName          = Organizational Unit (eg, west)
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
x509_extensions = CA_extensions

[ user_extensions ]
# CA:FALSE will not permit this certificate to sign other
# certificates.
basicConstraints        = CA:FALSE

[ CA_extensions ]
# CA:TRUE will allow this certificate to sign others.
basicConstraints        = CA:TRUE
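
Added example, not part of the original post: a server-only extensions section that could be appended to the openssl.cnf above so that only the server certificate carries nsCertType = server. The section name server_extensions and the file names in the comments are assumptions.

```ini
# Append to the openssl.cnf above. The section name "server_extensions" is
# an assumption, chosen to match the existing "user_extensions" naming.

[ server_extensions ]
# Server certificate: cannot sign other certificates, and is marked as a
# TLS server in the Netscape certificate-type extension.
basicConstraints        = CA:FALSE
nsCertType              = server

# Client certificates keep using [ user_extensions ], the default selected
# by x509_extensions in [ CA_default ], which sets no nsCertType.
#
# Sign the server request with the server section (file names are
# placeholders):
#   openssl ca -config openssl.cnf -extensions server_extensions \
#       -in server.csr -out server.crt
#
# Confirm the extension is present in the issued certificate:
#   openssl x509 -in server.crt -noout -text | grep -A1 "Netscape Cert Type"
#
# On each OpenVPN client, require the extension (client config file):
#   ns-cert-type server
# The client then rejects a peer whose certificate lacks the extension,
# such as another client certificate issued by the same CA.
```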


