git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@894 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2006/02/17 03:17:32... | ... |
@@ -1769,7 +1769,7 @@ do_option_warnings (struct context *c) |
1769 | 1769 |
&& !o->tls_verify |
1770 | 1770 |
&& !o->tls_remote |
1771 | 1771 |
&& !(o->ns_cert_type & NS_SSL_SERVER) |
1772 |
- && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0])) |
|
1772 |
+ && !o->remote_cert_eku) |
|
1773 | 1773 |
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); |
1774 | 1774 |
#endif |
1775 | 1775 |
#endif |
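Review bot: The new condition on the `+` line treats any non-NULL remote_cert_eku as an enabled verification method, so an empty EKU string, which the removed line explicitly handled, would now suppress the "No server certificate verification method" warning. Whether an empty string can actually be stored here depends on the option parser, which is outside this hunk; if it can, either keep the emptiness check in the warning, `&& !(o->remote_cert_eku && o->remote_cert_eku[0])`, or have add_option reject an empty `--remote-cert-eku` argument so the simpler test is sound. do_option_warnings starts before this hunk and continues after it.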
... | ... |
@@ -4114,7 +4114,7 @@ Require that peer certificate was signed with an explicit |
4114 | 4114 |
.B key usage |
4115 | 4115 |
and |
4116 | 4116 |
.B extended key usage |
4117 |
-based on TLS rules. |
|
4117 |
+based on RFC3280 TLS rules. |
|
4118 | 4118 |
|
4119 | 4119 |
This is a useful security option for clients, to ensure that |
4120 | 4120 |
the host they connect to is a designated server. |
... | ... |
@@ -4125,11 +4125,15 @@ option is equivalent to |
4125 | 4125 |
.B |
4126 | 4126 |
--remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication" |
4127 | 4127 |
|
4128 |
+The key usage is digitalSignature and/or keyAgreement. |
|
4129 |
+ |
|
4128 | 4130 |
The |
4129 | 4131 |
.B --remote-cert-tls server |
4130 | 4132 |
option is equivalent to |
4131 | 4133 |
.B |
4134 |
+--remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication" |
|
4135 |
+ |
|
4136 |
+The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). |
|
4132 | 4137 |
|
4133 | 4138 |
This is an important security precaution to protect against |
4134 | 4139 |
a man-in-the-middle attack where an authorized client |
... | ... |
@@ -484,8 +484,8 @@ static const char usage_message[] = |
484 | 484 |
" explicit extended key usage. Extended key usage can be encoded\n" |
485 | 485 |
" as an object identifier or OpenSSL string representation.\n" |
486 | 486 |
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n" |
487 |
- " key usage and extended key usage based on TLS rules.\n" |
|
488 |
- " t = 'client | 'server'.\n" |
|
487 |
+ " key usage and extended key usage based on RFC3280 TLS rules.\n" |
|
488 |
+ " t = 'client' | 'server'.\n" |
|
489 | 489 |
#endif /* OPENSSL_VERSION_NUMBER */ |
490 | 490 |
#endif /* USE_SSL */ |
491 | 491 |
#ifdef ENABLE_PKCS11 |
... | ... |
@@ -4951,7 +4951,7 @@ add_option (struct options *options, |
4951 | 4951 |
if (streq (p[1], "server")) |
4952 | 4952 |
{ |
4953 | 4953 |
options->remote_cert_ku[0] = 0xa0; |
4954 |
- options->remote_cert_ku[1] = 0x08; |
|
4954 |
+ options->remote_cert_ku[1] = 0x88; |
|
4955 | 4955 |
options->remote_cert_eku = "TLS Web Server Authentication"; |
4956 | 4956 |
} |
4957 | 4957 |
else if (streq (p[1], "client")) |
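Review bot: The key-usage values on the changed line and the line before it are bare hex with no comment, while the man-page hunk in this commit spells out what they mean; a reader of add_option cannot tell that 0xa0 and 0x88 are RFC 3280 KeyUsage bit patterns. Suggest annotating both assignments: `options->remote_cert_ku[0] = 0xa0; /* digitalSignature | keyEncipherment */` and `options->remote_cert_ku[1] = 0x88; /* digitalSignature | keyAgreement */`. The corrected 0x88 now matches the documented "digitalSignature and ( keyEncipherment or keyAgreement )" rule; if the ku list is matched as alternatives, as the man page text suggests, the previous 0x08 would presumably have accepted a keyAgreement-only certificate lacking digitalSignature. add_option starts and ends outside this hunk.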