Hi,

> For OpenVPN server certificates it is recommended to set nsCertType = server
> to avoid misuse, e.g. MITM attacks.
>
> In the profile sample file and in the code in
> /OpenXPKI/Crypto/Backend/OpenSSL/Config.pm it seems not to be possible to set
> it as server, but I am able to set every other value for nsCertType like
> client, email, sslCA, but not server.
>
> Is there any reason for this?
>
> References:
> * https://www.openssl.org/docs/apps/x509v3_config.html
> * http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
I recommend against that; this is a proprietary extension that nowadays should be considered obsolete. The referenced documentation is incorrect/outdated: any RFC 5246 compliant TLS implementation will not use this extension at all (in fact I know this is the case for OpenVPN, as I am using it myself...).

In order to avoid the MITM scenario mentioned in the docs you referenced, use the setting --remote-cert-tls client|server instead.

For a pure OpenVPN server use a profile that has the following properties:

Key Usage: digitalSignature (for DHE key agreement), keyEncipherment (for RSA key agreement w/o PFS)
Extended Key Usage: serverAuth

For a pure VPN client choose:

Key Usage: digitalSignature (for DHE key agreement)
Extended Key Usage: clientAuth

For a VPN server that acts in both roles use a profile that has the union of those flags set.

Regards,
Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
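The profile rules stated in the reply above (digitalSignature + keyEncipherment + serverAuth for a server, digitalSignature + clientAuth for a client, the union for a dual-role server) carried into a small peer-role checker. This is an added example, not part of the original thread and not OpenVPN's own --remote-cert-tls implementation. It decodes the DER value of the Key Usage and Extended Key Usage extensions using only the Python standard library; the extension byte strings are constructed sample values, and the role names, the "both" profile and all helper names are this example's own assumptions.

```python
"""Role check for a VPN peer certificate based on Key Usage / Extended Key Usage.

Added example, standard library only. The role profiles encode the rules from
the reply above; nsCertType is deliberately not consulted. The DER extension
values at the bottom are constructed samples, not taken from any real CA.
"""

# Key Usage bit positions (RFC 5280, section 4.2.1.3); bit 0 is the MSB of byte 0.
KU_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

# Extended Key Usage purposes (RFC 5280, section 4.2.1.12).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}

# (required Key Usage bits, required EKU purposes) per role, as given in the reply.
ROLE_PROFILES = {
    "server": ({"digitalSignature", "keyEncipherment"}, {"serverAuth"}),
    "client": ({"digitalSignature"}, {"clientAuth"}),
}
# Assumed name for the dual-role profile: the union of both flag sets.
ROLE_PROFILES["both"] = (
    ROLE_PROFILES["server"][0] | ROLE_PROFILES["client"][0],
    ROLE_PROFILES["server"][1] | ROLE_PROFILES["client"][1],
)


def read_tlv(data, offset=0):
    """Read one DER tag-length-value; return (tag, value, offset after it)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def parse_key_usage(der):
    """Decode a KeyUsage BIT STRING into the set of named bits that are set."""
    tag, value, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    names = set()
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_BITS.get(i, "bit%d" % i))
    return names


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Decode ExtKeyUsageSyntax (SEQUENCE OF OID); unknown OIDs are kept dotted."""
    tag, value, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    names, off = set(), 0
    while off < len(value):
        t, oid_bytes, off = read_tlv(value, off)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(oid_bytes)
        names.add(EKU_NAMES.get(oid, oid))
    return names


def check_role(ku_der, eku_der, role):
    """Return (accepted, missing): the KU bits and EKU purposes the role needs but the cert lacks."""
    need_ku, need_eku = ROLE_PROFILES[role]
    missing = sorted(need_ku - parse_key_usage(ku_der)) + sorted(need_eku - parse_eku(eku_der))
    return not missing, missing


# Constructed sample extension values (DER), in the form OpenSSL emits them.
SERVER_KU = bytes.fromhex("030205a0")   # digitalSignature, keyEncipherment
CLIENT_KU = bytes.fromhex("03020780")   # digitalSignature only
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")
BOTH_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    print(check_role(SERVER_KU, SERVER_EKU, "server"))  # (True, [])
    print(check_role(CLIENT_KU, CLIENT_EKU, "client"))  # (True, [])
    # A client certificate offered in the server role is rejected by the peer check:
    print(check_role(CLIENT_KU, CLIENT_EKU, "server"))  # (False, ['keyEncipherment', 'serverAuth'])
    print(check_role(SERVER_KU, BOTH_EKU, "both"))      # (True, [])
```

The third call is the scenario the reply's --remote-cert-tls advice guards against: a certificate issued from the client profile lacks both keyEncipherment and serverAuth, so a peer that checks the role refuses to treat it as the server regardless of any nsCertType value it may carry.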
