> On Thu, 22 Mar 2007 23:24:13 +0300, Göran Nilsson
> <goran.nilsson@xxxxxxxxx> wrote:
>> Any ideas, thoughts on how to make sure that a "site installation" with
>> generated certificates for server and clients are the only one allowed
>> to connect to each other.
> I once asked here if it is possible or planned to introduce a multilevel
> CA where one root CA would issue certs for a number of intermediate CAs
> (unique per OpenVPN server).
> I'm currently suffering from exactly the same problem - my OpenVPN certs
> are signed by the same rootCA as my WiFi EAP-TLS ones - and my WiFi
> clients are able to authenticate to my OpenVPN.
> I want to avoid that...
I believe you have 3 options here:
1) Use the tls-verify option to check some field of the certificate, and
deny/allow the connection based on some field of the cert (note that in some
kinds of MITM attacks, and others, SSL fields can be faked). This method
is secure to a certain extent.
2) Authenticate your users, with separate databases, of course. Each
user of each server must be authenticated against a separate database.
3) Use both options 1 and 2, to achieve the best security.
If you want (almost) transparency, use option 1 (I say almost, because
you will have to use tls-verify on both ends, and you'll have to change
the clients' conf files and send them the program that will be used to verify).
If you don't care about transparency, but also don't want to create a
program or trust any existing one, use option 2.
I recommend option 3, for sure.
My 2 cents,
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
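The following is an added example, not code from the thread or from the OpenVPN project, of the kind of "program that will be used to verify" that option 1 above refers to. OpenVPN runs a `--tls-verify` hook with two arguments, the certificate depth and the X.509 subject, and rejects the peer if the hook exits non-zero. The hook below accepts a leaf certificate only when its subject carries the OU this site's CA stamps into every cert it issues; the OU value `vpn-site-a` and the script path are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --tls-verify hook that only
# accepts peer certificates issued for this site installation.
# OpenVPN invokes it as:  <script> <depth> <x509-subject>
# and treats a non-zero exit status as "reject this peer".
#
# Assumption (placeholder): the site CA puts "OU=vpn-site-a" into every
# certificate it generates for this installation, and certs for other
# purposes (e.g. WiFi EAP-TLS) signed by the same root carry a different OU.
REQUIRED_OU="${REQUIRED_OU:-vpn-site-a}"

# check_subject DEPTH SUBJECT
# Returns 0 (accept) or 1 (reject).
check_subject() {
    depth="$1"
    subject="$2"

    # Only police the peer's own certificate (depth 0). CA certificates higher
    # in the chain (depth >= 1) are let through so the chain can still be walked;
    # the usual CA/trust checks have already run before this hook is called.
    if [ "$depth" != "0" ]; then
        return 0
    fi

    # OpenVPN has used two subject layouts over the years:
    #   "/C=SE/O=Example/OU=vpn-site-a/CN=client1"
    #   "C=SE, O=Example, OU=vpn-site-a, CN=client1"
    # Match the OU as a whole component in either layout, so that an OU like
    # "vpn-site-ab" does not slip through as a prefix match.
    case "$subject" in
        *"/OU=$REQUIRED_OU/"*|*"/OU=$REQUIRED_OU") return 0 ;;
        "OU=$REQUIRED_OU,"*|*", OU=$REQUIRED_OU,"*|*", OU=$REQUIRED_OU") return 0 ;;
    esac
    return 1
}

# When run by OpenVPN (exactly two arguments), apply the policy and log rejections
# to stderr so they show up in the OpenVPN log for later review.
if [ "$#" -eq 2 ]; then
    if check_subject "$1" "$2"; then
        exit 0
    fi
    echo "tls-verify: rejecting depth=$1 subject='$2' (OU '$REQUIRED_OU' required)" >&2
    exit 1
fi
```

As the reply notes, this has to be configured on both ends (for example `tls-verify /etc/openvpn/check-site.sh` in the server and client configs, path being a placeholder) so that each side refuses peers from the other installation, and it is only as strong as the CA's discipline in setting that field: anyone who can obtain a certificate with the expected OU from the shared root passes the check.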
Openvpn-users mailing list