Hey Oliver,

Thanks for adding it. I would not use it, now, since Martin is right
regarding the outdated documentation (Till OpenVPN 2.0 the nsCertType was
the preferred way. Since 2.1 the extendedKeyUsage is preferred). Actually I
already expected an answer like this but was not 100% sure about that.

Nevertheless, to set nsCertType to server should be possible with OpenXPKI
just in case somebody still needs it.

So, I would say it is still a good idea to add it, although the extension is
outdated.

Thomas


2014-05-18 15:22 GMT+02:00 Oliver Welter <[email protected]>:

> Hi Thomas,
>
> after looking at the code I can confirm that we just did not implement
> nsCertType=server. As Martin already answered, this extension is a bit
> outdated and should not be used, but if you really need it, I compiled a
> patch to add support for it:
>
>
> https://github.com/openxpki/openxpki/commit/6000eff331ab7086b3822ba9f599f7d38a9bed10
>
> Oliver
>
> Am 18.05.2014 14:39, schrieb Thomas Stähle:
> > Hi all,
> >
> > is it possible to set the value server for the extension nsCertType?
> >
> > For OpenVPN server certificates it is recommended to set nsCertType =
> > server to avoid misuse e.g. MITM attacks.
> >
> > In the profile sample file and in the code in
> > /OpenXPKI/Crypto/Backend/OpenSSL/Config.pm it seems not to be possible
> > to set it as server but I am able to set every other value for
> > nsCertType like client, email, sslCA but not server.
> >
> > Is there any reason for this?
> >
> > References:
> > * https://www.openssl.org/docs/apps/x509v3_config.html
> > * http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
> >
> > regards,
> > Thomas
> >
> > _______________________________________________
> > OpenXPKI-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openxpki-users
> >
>
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
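
The two extensions discussed in this thread map to two different OpenVPN client-side checks, `ns-cert-type server` (legacy) and `remote-cert-tls server` (extendedKeyUsage based). The sketch below is an added example, not part of the original messages or of OpenXPKI's code; the certificate dumps are constructed samples in the style of `openssl x509 -noout -text`, and the acceptance rules are a simplified model of what each directive requires.

```python
import re

# Constructed samples: extension section as printed by `openssl x509 -noout -text`.
LEGACY_CERT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
"""
MODERN_CERT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
CLIENT_CERT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client
"""

def parse_extensions(text):
    """Return {extension name: set of values} from the text dump."""
    exts, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "X509v3 extensions:":
            continue
        # Header lines end in ':' or ': critical'; value lines do not.
        header = re.match(r"^(.+?):(?: critical)?$", stripped)
        if header:
            current = header.group(1)
            exts[current] = set()
        elif current:
            exts[current].update(v.strip() for v in stripped.split(","))
    return exts

def openvpn_client_accepts(text):
    """Simplified model (assumption): which client directive the cert passes."""
    exts = parse_extensions(text)
    ns = "SSL Server" in exts.get("Netscape Cert Type", set())
    eku = "TLS Web Server Authentication" in exts.get(
        "X509v3 Extended Key Usage", set())
    has_ku = "X509v3 Key Usage" in exts  # remote-cert-tls also expects keyUsage
    return {"ns-cert-type server": ns, "remote-cert-tls server": eku and has_ku}
```

A certificate carrying only nsCertType passes the legacy check but not the extendedKeyUsage one, which is why a CA may need to emit both while older and newer clients coexist.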