On 10.04.20 at 19:50, Gert Doering wrote:

> Since you usually do not hand out multiple server certs, it's much
> less important to ensure that a connecting client really has a *client*
> cert, and not a "server cert he got from somewhere".

Hello Gert

Thank you very much for your answer. Is the following conclusion based on this correct when a client connects to a server via the Internet?

With 'remote-cert-tls server' in Client.conf the client instance checks that the server side is really the server cert. And with 'remote-cert-tls client' in Server.conf the server instance checks that it is a proper client cert on the client side. Both are additional checks that are intended to prevent or make it more difficult for a wrong client to pretend to be the right client and a wrong server to pretend to be the right server.

Against this background, mutual checks with the respective statement on both machines (client and server) would make sense. Would you agree with this conclusion?

Sorry if I often have to ask again, but it is often very difficult for me to interpret online translated text correctly. Sometimes there are more questions afterwards than before and I don't know if it was just the translation that misled me.

Best Regards
Tom


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
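
Added example, not part of the original thread: a throwaway lab that shows the certificate-type distinction behind `remote-cert-tls server` and `remote-cert-tls client`. It uses `openssl verify -purpose` as a stand-in for the key usage / extended key usage check; the CA, the certificate names and the helper functions `issue` and `peer_ok` are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab: one test CA, one server-type cert, one client-type cert.
# All names and files are made up for this example.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

cat > "$LAB/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$LAB/ca.cnf" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null

# issue NAME EKU: sign a leaf cert that carries only the given extendedKeyUsage
issue() {
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$2" > "$LAB/$1.ext"
    openssl req -newkey rsa:2048 -nodes -config "$LAB/ca.cnf" -subj "/CN=$1" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
        -CAcreateserial -days 1 -extfile "$LAB/$1.ext" -out "$LAB/$1.pem" 2>/dev/null
}

# peer_ok NAME ROLE: succeeds only if the cert chains to the lab CA AND is
# usable in ROLE (server|client), roughly what the peer with
# 'remote-cert-tls ROLE' in its config demands of the other side.
peer_ok() {
    openssl verify -CAfile "$LAB/ca.pem" -purpose "ssl$2" "$LAB/$1.pem" >/dev/null 2>&1
}

issue lab-server serverAuth
issue lab-client clientAuth

for cert in lab-server lab-client; do
    for role in server client; do
        if peer_ok "$cert" "$role"; then r=accepted; else r=rejected; fi
        echo "$cert presented where a $role cert is required: $r"
    done
done
```

Both certificates chain to the same CA, so a plain CA check accepts either one in either role; only the purpose check tells them apart.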