Browse code
svn merge -r 888:889 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21 21
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@894 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2006/02/17 03:17:32Showing 3 changed files
| ... | ... |
@@ -1769,7 +1769,7 @@ do_option_warnings (struct context *c) |
| 1769 | 1769 |
&& !o->tls_verify |
| 1770 | 1770 |
&& !o->tls_remote |
| 1771 | 1771 |
&& !(o->ns_cert_type & NS_SSL_SERVER) |
| 1772 |
- && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0])) |
|
| 1772 |
+ && !o->remote_cert_eku) |
|
| 1773 | 1773 |
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); |
| 1774 | 1774 |
#endif |
| 1775 | 1775 |
#endif |
| ... | ... |
@@ -4114,7 +4114,7 @@ Require that peer certificate was signed with an explicit |
| 4114 | 4114 |
.B key usage |
| 4115 | 4115 |
and |
| 4116 | 4116 |
.B extended key usage |
| 4117 |
-based on TLS rules. |
|
| 4117 |
+based on RFC3280 TLS rules. |
|
| 4118 | 4118 |
|
| 4119 | 4119 |
This is a useful security option for clients, to ensure that |
| 4120 | 4120 |
the host they connect to is a designated server. |
| ... | ... |
@@ -4125,11 +4125,15 @@ option is equivalent to |
| 4125 | 4125 |
.B |
| 4126 | 4126 |
--remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication" |
| 4127 | 4127 |
|
| 4128 |
+The key usage is digitalSignature and/or keyAgreement. |
|
| 4129 |
+ |
|
| 4128 | 4130 |
The |
| 4129 | 4131 |
.B --remote-cert-tls server |
| 4130 | 4132 |
option is equivalent to |
| 4131 | 4133 |
.B |
| 4134 |
+--remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication" |
|
| 4135 |
+ |
|
| 4136 |
+The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). |
|
| 4132 | 4137 |
|
| 4133 | 4138 |
This is an important security precaution to protect against |
| 4134 | 4139 |
a man-in-the-middle attack where an authorized client |
| ... | ... |
@@ -484,8 +484,8 @@ static const char usage_message[] = |
| 484 | 484 |
" explicit extended key usage. Extended key usage can be encoded\n" |
| 485 | 485 |
" as an object identifier or OpenSSL string representation.\n" |
| 486 | 486 |
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n" |
| 487 |
- " key usage and extended key usage based on TLS rules.\n" |
|
| 488 |
- " t = 'client | 'server'.\n" |
|
| 487 |
+ " key usage and extended key usage based on RFC3280 TLS rules.\n" |
|
| 488 |
+ " t = 'client' | 'server'.\n" |
|
| 489 | 489 |
#endif /* OPENSSL_VERSION_NUMBER */ |
| 490 | 490 |
#endif /* USE_SSL */ |
| 491 | 491 |
#ifdef ENABLE_PKCS11 |
| ... | ... |
@@ -4951,7 +4951,7 @@ add_option (struct options *options, |
| 4951 | 4951 |
if (streq (p[1], "server")) |
| 4952 | 4952 |
{
|
| 4953 | 4953 |
options->remote_cert_ku[0] = 0xa0; |
| 4954 |
- options->remote_cert_ku[1] = 0x08; |
|
| 4954 |
+ options->remote_cert_ku[1] = 0x88; |
|
| 4955 | 4955 |
options->remote_cert_eku = "TLS Web Server Authentication"; |
| 4956 | 4956 |
} |
| 4957 | 4957 |
else if (streq (p[1], "client")) |