Re: [Openvpn-users] I don't get it: why use a certificate?

  • Subject: Re: [Openvpn-users] I don't get it: why use a certificate?
  • From: Todd and Margo Chester <ToddAndMargo@xxxxxxxxxxx>
  • Date: Sun, 24 Jun 2007 21:02:17 -0700

> I'm no expert, but it seems to me that the certificate you get from the
> other end when you establish a link can be verified as coming from the
> CA for which you have a CA certificate, thus preventing Man In The
> Middle attacks: the key the Man In The Middle sends you won't be
> verified by the same CA.

Hi Mark,

   I don't understand.  The key method uses the same 2048 bit
key at both ends.  Is it even possible to do a Man-in-the-middle

>> For instance, if a laptop gets stolen,
>> don't the bad guys have everything they
>> need to use the tunnel regardless if
>> you are using a certificate or a key?
> I agree - No help at all in this scenario. You need to use the
> auth-user-pass facility to get a username/password from the _user_ to
> verify that the user is legit once the _machine_ has been authenticated
> using the certificates.

I have another post out there trying to figure out what
"auth-user-pass" is.

The key method does not use a password.  Can the certificate
method be configured to prompt for a password?  This would
seem to go a long way to protect the server from an
undiscovered compromised remote unit.
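As an added illustration (not part of this thread or of any OpenVPN project example), here are the two setups the thread contrasts, written as OpenVPN configuration fragments: the static "key method" on one side, and certificate (TLS) mode with user authentication on top on the other. The hostname, file names, IP addresses and the verification script path are placeholders.

```conf
# --- Client, static-key mode (the "key method" in the thread) ---
# One pre-shared key at both ends. Whoever holds this file, e.g. whoever
# has a stolen laptop, can bring up the tunnel: there is no CA to check
# and no per-user secret.
dev tun
proto udp
remote vpn.example.com 1194      # placeholder hostname
secret static.key                # the same key on client and server
ifconfig 10.8.0.2 10.8.0.1       # placeholder tunnel addresses

# --- Client, certificate (TLS) mode with user authentication ---
dev tun
proto udp
remote vpn.example.com 1194
client
# The server's certificate must chain to this CA; a man-in-the-middle
# presenting a certificate signed by anyone else is rejected.
ca ca.crt
cert client.crt
key client.key
# Only accept a peer certificate issued for server use, so a stolen
# *client* certificate cannot be turned around to impersonate the server.
remote-cert-tls server
# Prompt the *user* for a username/password in addition to the machine's
# certificate; a stolen laptop alone is then not enough.
auth-user-pass

# --- Server side (fragment) ---
# Every client certificate must chain to ca.crt and must not appear on
# the CRL. Revoking a stolen client's certificate and publishing a new
# CRL shuts that laptop out even though its cert and key are gone.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
crl-verify crl.pem
# Hand the username/password to a script that checks it against the
# site's user database (check-user.sh is a placeholder name).
auth-user-pass-verify /etc/openvpn/check-user.sh via-file
script-security 2                # required for external scripts on 2.1+
```

The client prompts for the username and password at connect time when `auth-user-pass` is given without a file argument; the server only grants the tunnel once both the certificate chain check and the script's verdict succeed.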
