[Openvpn-users] Re: --remote-cert-tls client|server

[Jon B. <jon...@la...>]

Den 23. nov 2005 kl. 1:31 skrev Jon Bendtsen:

> Hi
>
> I can not get 		--remote-cert-tls client|server	 to work as i  
> expect from
> the man page. I run the 2.1 series

I tried using
	remote-cert-eku TLS Web Server Authentication
and on the client with the same certificate as below.


> the server.crt says:
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, IPSec End System,  
> IPSec Tunnel
>
>
> Wed Nov 23 13:56:38 2005 us=767218 ++ Certificate has key usage   
> 00b0, expects 00a0
> Wed Nov 23 13:56:38 2005 us=767257 ++ Certificate has key usage   
> 00b0, expects 0008

Thu Nov 24 02:56:23 2005 us=472278 ++ Certificate has EKU (str) TLS  
Web Server Authentication, expects TLS
Thu Nov 24 02:56:23 2005 us=472300 ++ Certificate has EKU (oid)  
1.3.6.1.5.5.7.3.1, expects TLS
Thu Nov 24 02:56:23 2005 us=472314 ++ Certificate has EKU (str) IPSec  
End System, expects TLS
Thu Nov 24 02:56:23 2005 us=472329 ++ Certificate has EKU (oid)  
1.3.6.1.5.5.7.3.5, expects TLS
Thu Nov 24 02:56:23 2005 us=472342 ++ Certificate has EKU (str) IPSec  
Tunnel, expects TLS
Thu Nov 24 02:56:23 2005 us=472358 ++ Certificate has EKU (oid)  
1.3.6.1.5.5.7.3.6, expects TLS
Thu Nov 24 02:56:23 2005 us=472371 VERIFY EKU ERROR


The server says
Wed Nov 23 14:28:35 2005 us=854091 192.168.119.161:32785 ++  
Certificate has EKU (str) TLS Web Client Authentication, expects TLS
Wed Nov 23 14:28:35 2005 us=854505 192.168.119.161:32785 ++  
Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS
Wed Nov 23 14:28:35 2005 us=854915 192.168.119.161:32785 ++  
Certificate has EKU (str) IPSec User, expects TLS
Wed Nov 23 14:28:35 2005 us=855319 192.168.119.161:32785 ++  
Certificate has EKU (oid) 1.3.6.1.5.5.7.3.7, expects TLS


openssl x509 -text -in client.crt
        X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment, Data Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Client Authentication, IPSec User




JonB