Hi Martin,
actually you are right regarding the outdated documentation.
Thanks for pointing that out.
Thomas
2014-05-18 14:59 GMT+02:00 Martin Bartosch <[email protected]>:
> Hi,
>
> > For OpenVPN server certificates it is recommended to set nsCertType =
> > server to avoid misuse e.g. MITM attacks.
> >
> > In the profile sample file and in the code in
> > /OpenXPKI/Crypto/Backend/OpenSSL/Config.pm it seems not to be possible to
> > set it as server but I am able to set every other value for nsCertType like
> > client, email, sslCA but not server.
> >
> > Is there any reason for this?
> >
> > References:
> > * https://www.openssl.org/docs/apps/x509v3_config.html
> > * http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
>
> I recommend against that, this is a proprietary extension that nowadays
> should be considered obsolete. The referenced documentation is
> incorrect/outdated, any RFC 5246 compliant TLS implementation will not use
> this extension at all (in fact I know this is the case for OpenVPN, as I am
> using it myself...).
>
> In order to avoid the MITM scenario mentioned in the docs you referenced
> use the setting
> --remote-cert-tls client|server
> instead.
>
>
> For a pure OpenVPN server use a profile that has the following properties:
>
> Key Usage:
> digitalSignature (for DHE key agreement)
> keyEncipherment (for RSA key agreement w/o PFS)
>
> Extended Key Usage:
> serverAuth
>
> For a pure VPN client choose:
>
> Key Usage:
> digitalSignature (for DHE key agreement)
>
> Extended Key Usage:
> clientAuth
>
>
> For a VPN server that acts in both roles use a profile that has the union
> of those flags set.
>
> Regards,
>
> Martin
>
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform
> available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
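Added example, not code from the thread or from the OpenXPKI project: a throwaway PKI built with the openssl CLI whose server and client profiles carry exactly the keyUsage / extendedKeyUsage flags Martin lists (and deliberately no nsCertType), followed by two checks a practitioner would run before deploying. cert_role reports the role a certificate claims through its EKU, which is the field the OpenVPN --remote-cert-tls check looks at rather than nsCertType; verify_purpose asks OpenSSL's own purpose checker whether the certificate is acceptable as an SSL server or client. The subject names, file names and the assumption that the openssl binary is on PATH are mine.

```shell
#!/bin/sh
# Added example (not from the OpenXPKI project or the mailing-list post).
# Builds a CA plus one server and one client certificate with the KU/EKU
# profile described in the thread, then shows how the role of each
# certificate is established from extendedKeyUsage, not nsCertType.
# Assumes: openssl CLI on PATH; all names below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles in x509v3_config syntax. Note there is no nsCertType
# line anywhere; the role is carried by extendedKeyUsage alone.
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Pure OpenVPN server: digitalSignature for (EC)DHE, keyEncipherment only
# needed for plain RSA key exchange without PFS.
cat >"$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Pure VPN client: digitalSignature plus clientAuth.
cat >"$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_cert NAME SUBJECT EXTFILE: CSR signed by the CA with the given profile.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  make_cert server "/CN=vpn.example.com" "$WORK/server.ext"
  make_cert client "/CN=alice"           "$WORK/client.ext"
}

# cert_role CERT: prints server, client, both or none, derived only from the
# extendedKeyUsage values that --remote-cert-tls server|client relies on.
cert_role() {
  txt="$(openssl x509 -in "$1" -noout -text)"
  srv=0; cli=0
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' && srv=1
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' && cli=1
  case "$srv$cli" in
    10) echo server ;;
    01) echo client ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# verify_purpose CERT sslserver|sslclient: OK if OpenSSL's purpose checker
# (which also consults keyUsage and EKU) accepts the certificate in that role.
verify_purpose() {
  if openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_pki
for n in server client; do
  printf '%s.crt: role=%s sslserver=%s sslclient=%s\n' "$n" \
    "$(cert_role "$WORK/$n.crt")" \
    "$(verify_purpose "$WORK/$n.crt" sslserver)" \
    "$(verify_purpose "$WORK/$n.crt" sslclient)"
done
```

A server certificate issued from the server.ext profile is accepted for sslserver and rejected for sslclient, and the client profile behaves the other way round, which is the property that stops a stolen client certificate from being presented as the server. For a box that plays both roles, put serverAuth and clientAuth in one extendedKeyUsage line and both keyUsage bits in one keyUsage line, as the union Martin describes; cert_role then reports "both".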