Hi,

On Sun, Apr 12, 2020 at 11:50:41AM +0200, Thomas Luening wrote:
> Am 10.04.20 um 19:50 schrieb Gert Doering:
> 
> > Since you usually do not hand out multiple server certs, it's much
> > less important to ensure that a connecting client really has a *client*
> > cert, and not a "server cert he got from somewhere".
> 
> Thank you very much for your answer. Is the following conclusion based
> on this correct when a client connects to a server via the Internet?
> 
> With 'remote-cert-tls server' in Client.conf the client instance checks
> that the server side is really the server cert. And with
> 'remote-cert-tls client' in Server.conf the server instance checks that
> it is a proper client cert on the client side. Both are additional
> checks that are intended to prevent or make it more difficult for a
> wrong client to pretend to be the right client and a wrong server to
> pretend to be the right server.
> 
> Against this background, mutual checks with the respective statement on
> both machines (client and server) would make sense. Would you agree with
> this conclusion?

Yes.  Except that the numbers make "remote-cert-tls client" somewhat
less relevant - for that to make a difference, you would have to have
a client PC that manages to steal a server cert, and connect with that,
which is generally fairly unlikely (usually you only roll *one* server
cert, and if an attacker manages to break into the openvpn server or
the CA machine, attacks against openvpn are the least of your worries).

OTOH, client PCs get hacked all the time, so a client cert might fall
into the wrong hands - and you do not want those hands to be able to
pose as "I am your server!".

> Sorry if I often have to ask again, but it is often very difficult for
> me to interpret online translated text correctly. Sometimes there are
> more questions afterwards than before and I don't know if it was just
> the translation that misled me.

If it's too confusing, feel free to ask me (off-list) in German.

Not sure if on-line translation services do a good job on all these
very special words...

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

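The mutual check discussed in the thread, written out as a pair of config fragments. This is an added example, not taken from the message above or from the OpenVPN project; the hostname vpn.example.com, the file names and the addressing are placeholders. In OpenVPN 2.4 and later, `remote-cert-tls server` is equivalent to `remote-cert-ku` plus `remote-cert-eku "TLS Web Server Authentication"`, and `remote-cert-tls client` to `remote-cert-ku` plus `remote-cert-eku "TLS Web Client Authentication"`, so each side is checking the peer certificate's keyUsage and extendedKeyUsage extensions, which is exactly what distinguishes a cert issued by EasyRSA's build-server-full from one issued by build-client-full.

```conf
# ---- client.conf (added example; names are placeholders) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
# Reject any peer whose certificate is not a *server* certificate.
# The peer cert must carry the "TLS Web Server Authentication" EKU
# (plus a matching keyUsage). A client cert stolen from a hacked PC
# therefore cannot be used to pose as "I am your server!".
remote-cert-tls server

# ---- server.conf (added example; names are placeholders) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# Mirror check: only accept peers whose certificate carries the
# "TLS Web Client Authentication" EKU. Less important in practice
# (you normally issue one server cert, and its theft means the
# server or CA is already compromised), but it costs nothing.
remote-cert-tls client
```

Before relying on either directive, confirm that the certificates actually carry the expected extensions, because `remote-cert-tls` will reject a peer whose cert was issued without them: `openssl x509 -in server.crt -noout -text | grep -A1 'Extended Key Usage'` should show "TLS Web Server Authentication" for the server cert and "TLS Web Client Authentication" for each client cert. A CA profile that omits EKU entirely will make every connection fail once the directive is enabled.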