Hi Hans,

j.witvl...@mindef.nl wrote:
>
> Hi all,
>
> Where & when is the relationship between the URL of the vpn-server
> tested? During server-startup?
>
> As in all the how2's, wiki's and man's, I have a (test) vpn-server and
> its URL is in the CN-field of the server-certificate and I use that
> name on client machines.
>
> Of course such a schoolbook example works.
>
> For some tests I added the IP addresses to a domain I privately hold
> and put those URL's on a client.
>
> Much to my surprise, the connection was set up without any problem!
>
> Is this proper behavior?
>

If I read you correctly you are asking when the relationship between the
certificate's CN=..... and the actual hostname of the server is checked.

The short answer: it isn't. You can create a server cert with names like
/CN=blah and as long as your clients trust the CA that signed this server
cert then the connection is allowed. This is 'default' OpenSSL behaviour,
as no name resolution (and reverse name resolution) checks are in the SSL
libraries.

You can add your own DNS check using a 'tls-verify' script on the client
side, but remember to do both forward and reverse name resolution to avoid
DNS spoofs.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
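An added example, not part of JJK's reply or of OpenVPN's own code: a client-side tls-verify script that implements the check described above, comparing the server certificate's CN with the expected hostname and then doing forward and reverse DNS for the address the client actually connected to. The hostname, script path and EXPECTED_HOST variable are assumptions; the depth and subject arguments and the untrusted_ip environment variable are what OpenVPN passes to a tls-verify script.

```shell
#!/bin/sh
# OpenVPN client-side --tls-verify script (added example, not JJK's code).
# OpenVPN runs it as:  script <depth> <subject>  with the peer's address in
# the untrusted_ip environment variable. Assumed client config lines
# (hostname and path are hypothetical):
#   remote vpn.example.net 1194
#   setenv EXPECTED_HOST vpn.example.net
#   tls-verify /etc/openvpn/check-server-name.sh

# Pull the CN out of either "/C=NL/O=x/CN=name" or "C=NL, O=x, CN=name".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Forward lookup: every address the name resolves to, one per line.
resolve_forward() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Reverse lookup: the name the address resolves back to (empty if none).
resolve_reverse() {
    getent hosts "$1" | awk '{print $2}'
}

# Exit status 0 only when all three hold: the leaf CN equals the expected
# name, forward DNS of that name contains the address we connected to, and
# reverse DNS of that address gives the expected name again.
check_server_name() {
    depth=$1; subject=$2; expected=$3; ip=$4
    # Only depth 0 is the server certificate; CA certificates pass through.
    [ "$depth" -ne 0 ] && return 0
    cn=$(cn_from_subject "$subject")
    [ "$cn" = "$expected" ] || { echo "CN '$cn' is not '$expected'" >&2; return 1; }
    resolve_forward "$expected" | grep -qxF "$ip" \
        || { echo "$expected does not resolve to $ip" >&2; return 1; }
    rev=$(resolve_reverse "$ip")
    [ "$rev" = "$expected" ] || { echo "$ip resolves back to '$rev'" >&2; return 1; }
    return 0
}

# Entry point when OpenVPN invokes the script with its two arguments.
if [ "$#" -ge 2 ]; then
    check_server_name "$1" "$2" "${EXPECTED_HOST:?set with setenv}" "${untrusted_ip:?}"
    exit $?
fi
```

Current OpenVPN releases can do the CN comparison without a script via the --verify-x509-name option; the forward and reverse DNS part still needs a script like this one.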