From: Jon B. <jon...@la...> - 2005-11-25 13:48:40
On 25 Nov 2005, at 14:35, Alon Bar-Lev wrote:
> Jon Bendtsen wrote:
>> On 25 Nov 2005, at 14:10, Alon Bar-Lev wrote:
>>> Jon Bendtsen wrote:
>>>
>>>> Hi
>>>> My openvpn 2.1 beta7 complains at startup
>>>> Fri Nov 25 11:40:29 2005 WARNING: No server certificate
>>>> verification method has been enabled. See http://openvpn.net/
>>>> howto.html#mitm for more info.
>>>> But my client.conf does include
>>>> remote-cert-eku "TLS Web Server Authentication"
>>>
>>>
>>> Correct.
>>> Will fix.
>>>
>>> But... Consider adding tls-remote option... Having an EKU only
>>> filter is not secured.
>> Why is it not secured?
>
> Since ANY server will satisfy your client.
> You should use:
>
> remote-cert-ku b0
> remote-cert-eku "TLS Web Server Authentication"
> tls-remote "/C=CC/O=OOO/CN=XXXX"
>
> Replace "/C=CC/O=OOO/CN=XXXX" with your server certificate subject
> name.
>
> Then your client will connect to a server with specific name.

Ahhh yes I see. However, since my CA is my own self-signed I doubt that a
client will connect to any server.

JonB
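
A small audit of the point made in the thread, as an added example that is not part of the original mails or of OpenVPN: it classifies a client config by whether it only filters on certificate purpose (`remote-cert-ku` / `remote-cert-eku`) or also pins the server subject with `tls-remote`. The function names, sample configs and the subject name are constructed for illustration.

```python
import shlex

# Directives named in the thread. tls-remote pins the server's subject name;
# the remote-cert-* options only restrict what the certificate may be used for.
NAME_PIN = "tls-remote"
PURPOSE = ("remote-cert-ku", "remote-cert-eku")
PLACEHOLDER = "/C=CC/O=OOO/CN=XXXX"  # template value quoted in the mail

def parse_directives(text):
    """Map each directive in an OpenVPN config to its argument list."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):  # ';' also starts a comment line
            continue
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        if tokens:
            found[tokens[0]] = tokens[1:]
    return found

def audit_client(text):
    """Classify how a client config verifies the server certificate."""
    d = parse_directives(text)
    purpose = [k for k in PURPOSE if k in d]
    if NAME_PIN in d:
        subject = (d[NAME_PIN] or [""])[0]
        if subject in ("", PLACEHOLDER):
            return "placeholder", "tls-remote has no real subject name"
        return "pinned", "server must present subject " + subject
    if purpose:
        return "purpose-only", "any name is accepted if it passes " + ", ".join(purpose)
    return "none", "no server certificate verification directive present"

# Constructed sample configs (file names and subject are made up).
EKU_ONLY = """
client
ca ca.crt
remote-cert-eku "TLS Web Server Authentication"
"""
HARDENED = """
client
ca ca.crt
remote-cert-ku b0
remote-cert-eku "TLS Web Server Authentication"
tls-remote "/C=DK/O=Example/CN=vpn.example.net"  # constructed subject
"""

if __name__ == "__main__":
    for name, cfg in (("eku-only", EKU_ONLY), ("hardened", HARDENED)):
        print(name, *audit_client(cfg), sep=": ")
```
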