Hi,

On Thu, Oct 17, 2013 at 11:39:08AM -0500, Les Mikesell wrote:
> On Wed, Oct 16, 2013 at 8:00 PM, Jason Haar <jason_h...@trimble.com> wrote:
> > On 17/10/13 10:32, Les Mikesell wrote:
> >> Yes, but if someone can MTM the https ssl, why couldn't they do the
> >> same for openvpn's ssl?
> >
> > Because the IT group responsible for pushing out VPN client onto laptops
> > wouldn't allow the entire validation component of SSL to be subverted.
> 
> I thought a true man-in-the-middle attack could intercept the
> certificates in both directions and thus be invisible at the
> endpoints.  Is that not possible?

The whole point of public/private key crypto is to make that impossible.

You can intercept the certificates, but the cert itself is not "all there
is" - it basically just ties the public/private key of the server to its
identity ("yes, this key belongs to www.google.com").  So if you have the
cert but not the private key, it's just "public data".

What you can do is intercept the TCP session, and present *your own*
certificate to the client - which will trigger an SSL warning ("this
certificate is not signed by a known authority" or whatever).  Typical
web browsers will then pop up a window, and the typical user will click on
"leave me alone, go ahead!" and not read the error message...

OpenVPN has no such override - if the server cannot prove possession
of the private key that belongs to the certificate, it will not talk
to it.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
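
Gert's point that an intercepted certificate is "just public data" without its private key, as an added example that is not part of this thread: a small Go program (Go's crypto/tls stands in for OpenVPN's TLS layer; the hostname vpn.example.test and all keys are constructed for the demo) in which a server presents a certificate the client trusts. The handshake succeeds only when the server signs with the key the certificate binds; a server holding the same certificate but a different key is rejected by the client's check of the CertificateVerify signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// NewCert builds a self-signed server certificate (DER) for a constructed hostname, plus the private key it binds.
func NewCert() ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vpn.example.test"},
		DNSNames:    []string{"vpn.example.test"}, // constructed name, standing in for the VPN server
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IsCA: true, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key
}

// Handshake: the server presents certDER but signs with serverKey; returns the trusting client's handshake error (nil only for the cert's own key).
func Handshake(certDER []byte, serverKey *ecdsa.PrivateKey) error {
	leaf, _ := x509.ParseCertificate(certDER)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: signs the handshake with whatever key it holds, matching or not
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{
				{Certificate: [][]byte{certDER}, PrivateKey: serverKey}}}).Handshake()
			c.Close()
		}
	}()
	// Client side: chain verified against pool, then the CertificateVerify signature is checked
	// against the public key inside the cert, which is where a server with a foreign key fails.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "vpn.example.test"})
	if err == nil {
		cli.Close()
	}
	return err
}
```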


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
