Hi,

On Thu, Apr 02, 2020 at 04:18:07PM +0200, Thomas Luening wrote:
> When I remove 'remote-cert-tls server' in Client.conf, I get the following
> warning: "WARNING: No server certificate verification
> method has been enabled. See http://openvpn.net/howto.html#mitm for more
> info."
>
> If it's set, everything's fine.
This is basically just an extra safety-net - if you do not have this,
someone having a valid *client* cert from your CA could claim to be an
OpenVPN server, and your client would trust it ("it's a CA signed cert!").

So the server cert gets an extra flag "server cert!" and this makes the
client check it.

Since you usually do not hand out multiple server certs, it's much less
important to ensure that a connecting client really has a *client* cert,
and not a "server cert he got from somewhere".

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
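An added example, not part of Gert's reply and not OpenVPN's own code: the "server cert!" flag he refers to is the X.509 extendedKeyUsage extension, and `remote-cert-tls server` makes the client require that the peer certificate lists serverAuth there (OpenVPN also checks keyUsage, which is not modelled here). The snippet re-creates that check with a minimal stdlib DER walker on constructed certificate fragments; `tlv`, `eku_oids`, `peer_may_claim_server` and `extensions_block` are names chosen for this example.

```python
# What `remote-cert-tls server` adds on the client side, reduced to the
# extendedKeyUsage check: the peer's certificate must carry the extension
# and it must list serverAuth. A valid *client* cert from the same CA
# normally carries only clientAuth, so it fails this check.
EKU_OID = bytes.fromhex("551d25")               # 2.5.29.37 extendedKeyUsage
SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1 serverAuth
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2 clientAuth


def tlv(tag, payload):
    """DER-encode one element (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def eku_oids(der):
    """OIDs listed in the extendedKeyUsage extension, or None if the cert has none."""
    for tag, val in children(der):
        if tag == 0x30:                     # Extension ::= SEQUENCE {OID, [critical], OCTET STRING}
            parts = list(children(val))
            if parts and parts[0] == (0x06, EKU_OID):
                _, oid_seq, _ = read_tlv(parts[-1][1], 0)   # OCTET STRING wraps SEQUENCE OF OID
                return {oid for t, oid in children(oid_seq) if t == 0x06}
        if tag & 0x20:                      # constructed element (incl. [3] extensions): descend
            found = eku_oids(val)
            if found is not None:
                return found
    return None


def peer_may_claim_server(der):
    """The `remote-cert-tls server` decision: EKU present and serverAuth listed."""
    oids = eku_oids(der)
    return oids is not None and SERVER_AUTH in oids


def extensions_block(*eku):
    """Constructed stand-in for a certificate's [3] EXPLICIT extensions part."""
    exts = b""
    if eku:                                 # no args -> certificate without any EKU extension
        exts = tlv(0x30, tlv(0x06, EKU_OID) + tlv(0x04, tlv(0x30, b"".join(tlv(0x06, o) for o in eku))))
    return tlv(0x30, tlv(0xA3, tlv(0x30, exts)))
```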
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users