The UNIX Forums
 "Join the Network of UNIX System Users"

UNIX Forums » UNIX for Advanced & Expert Users » openvpn 2.09 ns-cert-type ???

 
Printable Version | Email to Friend | Subscription | Favorites
Subject: openvpn 2.09 ns-cert-type ???
krawner
Newbie
Rank: 1



UID 229
Digest Posts 0
Credits 0
Posts 27
Reading Access 10
Registered Apr 25, 2007
Status Offline
#1
Post at Jun 20, 2007 10:23 AM  Profile | P.M. 
openvpn 2.09 ns-cert-type ???



openvpn 2.09 ns-cert-type ???



--ns-cert-type client|server
require that peer certificate was signed with an explicit nscerttype designation of "client" or "server".

this is a useful security option for clients, to ensure that the host they connect with is a designated server.

see the easy-rsa/build-key-server script for an example of how to generate a certificate with the nscerttype field set to "server".


if the server certificate's nscerttype field is set to "server", then the clients can verify this with --ns-cert-type server.

this is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. the attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

question
i know what this is used for:
--ns-cert-type server

but what is this used for? and how does it work?
--ns-cert-type client


Top
 

 

All times are GMT, the time now is Mar 12, 2010 07:44 AM

Powered by Discuz! 5.0.0  © 2001-2006 UNIX Forums
Processed in 0.200576 second(s), 8 queries
TOP

Clear Cookies - Contact Us - UNIX Help - Archiver - WAP