From: Jon B. <jon...@la...> - 2005-11-23 00:26:18
Hi again (previous question included below). I think OpenVPN already implemented what I requested, but I don't know. http://openvpn.net/man-beta.html

"--remote-cert-ku v...
    Require that peer certificate was signed with an explicit key usage. This is a useful security option for clients, to ensure that the host they connect to is a designated server. The key usage should be encoded in hex, more than one key usage can be specified.

--remote-cert-eku oid
    Require that peer certificate was signed with an explicit extended key usage. This is a useful security option for clients, to ensure that the host they connect to is a designated server. The extended key usage should be encoded in oid notation, or OpenSSL symbolic representation.

--remote-cert-tls client|server
    Require that peer certificate was signed with an explicit key usage and extended key usage based on TLS rules. This is a useful security option for clients, to ensure that the host they connect to is a designated server.

    The --remote-cert-tls client option is equivalent to
        --remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"

    The --remote-cert-tls server option is equivalent to
        --remote-cert-ku a0 08 --remote-cert-eku "TLS Web Server Authentication"

    This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --tls-remote, or --tls-verify."

I use --remote-cert-tls client on the server and --remote-cert-tls server on the client.
openssl x509 -text -in client.crt

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, IPSec User

The server log says:

Wed Nov 23 01:25:23 2005 us=374894 192.168.119.161:32778 ++ Certificate has key usage 00b0, expects 0080
Wed Nov 23 01:25:23 2005 us=375206 192.168.119.161:32778 ++ Certificate has key usage 00b0, expects 0008
Wed Nov 23 01:25:23 2005 us=375532 192.168.119.161:32778 ++ Certificate has key usage 00b0, expects 0088

The server.crt says:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, IPSec End System, IPSec Tunnel

Wed Nov 23 13:56:38 2005 us=767218 ++ Certificate has key usage 00b0, expects 00a0
Wed Nov 23 13:56:38 2005 us=767257 ++ Certificate has key usage 00b0, expects 0008

JonB

On 3 Nov 2005 at 9:40, Tomas Gustavsson wrote:
>
> You can read about 'Server Auth' and 'Extended Key Usage' in
> RFC3280 (http://www.ietf.org/rfc/rfc3280.txt?number=3280). You'll
> have to google for the old nsCertType.
>
> /Tomas
>
>
> Jon Bendtsen wrote:
>> On 3 Nov 2005 at 9:05, Tomas Gustavsson wrote:
>>>
>>> In your openvpn server configuration file, comment out the line:
>>> ns-cert-type server
>>>
>>> i.e.
>>> ;ns-cert-type server
>>>
>>> nsCertType is a very old and deprecated extension, so we don't
>>> plan to introduce it. No-one uses it anymore :-)
>> openvpn uses it, and openvpn is not that old. I think they just
>> introduced this option, so clearly it is used.
>> But what does that field called "Server Auth" do? I thought
>> that it set the ns-cert-type to server.
>> Is there anywhere I can read more about these fields?
>> JonB
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
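As an added illustration, not part of this thread or of OpenVPN's or EJBCA's code: a short Python script that turns the "X509v3 Key Usage" line from openssl x509 -text into the hex word OpenVPN prints in the log above, and applies the exact-match comparison the log lines imply (each expected word is compared in turn and none equals 00b0). The flag values follow OpenSSL's KeyUsage bit encoding; the exact-match rule is an assumption read off the log output, not taken from OpenVPN's source.

```python
# Key usage flag words as OpenSSL encodes them and OpenVPN prints them in
# "Certificate has key usage XXXX": KeyUsage bit 0 (digitalSignature) is 0x0080.
KU_FLAGS = {
    "Digital Signature": 0x0080,
    "Non Repudiation": 0x0040,
    "Key Encipherment": 0x0020,
    "Data Encipherment": 0x0010,
    "Key Agreement": 0x0008,
    "Certificate Sign": 0x0004,
    "CRL Sign": 0x0002,
    "Encipher Only": 0x0001,
    "Decipher Only": 0x8000,
}

# What --remote-cert-tls expands to, from the man page text quoted in the mail.
REMOTE_CERT_TLS = {"client": [0x80, 0x08, 0x88], "server": [0xa0, 0x08]}


def key_usage_value(openssl_ku_line):
    """Turn the 'X509v3 Key Usage' value printed by `openssl x509 -text`
    into the 16-bit flag word shown in the OpenVPN log line."""
    value = 0
    for name in openssl_ku_line.split(","):
        value |= KU_FLAGS[name.strip()]
    return value


def check_remote_cert_tls(openssl_ku_line, role):
    """Exact-match check, assumed from the log lines (each expected word is
    compared in turn): the certificate's key usage word must equal one of
    the expected words, not merely contain it. Returns (ok, actual, expected)."""
    actual = key_usage_value(openssl_ku_line)
    expected = REMOTE_CERT_TLS[role]
    return actual in expected, actual, expected


def extra_usages(actual, expected):
    """Name the key usage bits set in actual but not in expected; these are
    what make an otherwise suitable certificate fail the exact match."""
    return [n for n, f in KU_FLAGS.items() if actual & f and not expected & f]


if __name__ == "__main__":
    # client.crt from the mail, checked by the server with --remote-cert-tls client
    ku = "Digital Signature, Key Encipherment, Data Encipherment"
    ok, actual, expected = check_remote_cert_tls(ku, "client")
    for e in expected:
        print("Certificate has key usage %04x, expects %04x" % (actual, e))
    print("ok" if ok else "rejected; extra vs 0080: " + ", ".join(extra_usages(actual, 0x80)))
```

Run against the page's own certificates it reproduces the three "expects" lines and names Key Encipherment and Data Encipherment as the bits that keep 00b0 from matching 0080; a server certificate with only Digital Signature and Key Encipherment (00a0) passes the server rule.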