Hi Hans,

j.witvl...@mindef.nl wrote:
>
> Hi all,
>
> Where & when is the relationship between the URL of the vpn-server 
> tested? During server-startup?
>
> As in all the how-tos, wikis and man pages, I have a (test) vpn-server and 
> its URL is in the CN-field of the server-certificate and I use that 
> name on client machines.
>
> Of course such a schoolbook example works.
>
> For some tests I added the IP addresses to a domain I privately hold 
> and put those URLs on a client.
>
> Much to my surprise, the connection was set up without any problem!
>
> Is this proper behavior?
>
If I read you correctly you are asking when the relationship between the 
certificate's CN=..... and the actual hostname of the server is checked.
The short answer: it isn't. You can create a server cert with names like 
/CN=blah and as long as your clients trust the CA that signed this 
server cert then the connection is allowed. This is 'default' openssl 
behaviour, as no name resolution (and reverse name resolution) checks 
are in the SSL libraries.

You can add your own DNS check using a 'tls-verify' script on the client 
side, but remember to do both forward and reverse name resolution to 
avoid DNS spoofs.

HTH,

JJK
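As an added illustration of the tls-verify approach described above (example code, not from either poster): a client-side script that accepts the server certificate only if its CN resolves forward to the address the client is actually connected to, and that address resolves back to the CN. It assumes a Linux client with glibc's getent for lookups; all names and addresses in it are constructed.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): a client-side
# OpenVPN --tls-verify script doing the forward + reverse DNS check JJK
# suggests. OpenVPN calls it as:  script <depth> <subject DN>  and exports
# the peer's address as $untrusted_ip. Depth 0 is the server's own cert.
# Resolver helpers use glibc's getent (assumption: Linux client).

# Pull the CN out of either DN style OpenVPN may hand us:
#   "/C=NL/O=Test/CN=vpn.example.org"  or  "C=NL, O=Test, CN=vpn.example.org"
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^,/]*\).*|\1|p'
}

# Forward lookup: IPv4 addresses for a name, one per line.
forward_lookup() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Reverse lookup: the PTR name for an address (empty if none).
reverse_lookup() {
    getent hosts "$1" 2>/dev/null | awk '{print $2}'
}

# Pure decision so it can be tested without a resolver:
#   $1 = CN, $2 = peer IP, $3 = addresses the CN resolves to (newline
#   separated), $4 = name the peer IP resolves back to.  Returns 0 on match.
name_matches() {
    cn=$1; ip=$2; fwd_ips=$3; rev_name=$4
    [ -n "$cn" ] && [ -n "$ip" ] || return 1
    # forward: the address we are actually talking to must belong to the CN
    printf '%s\n' "$fwd_ips" | grep -qxF "$ip" || return 1
    # reverse: the PTR must point back at the CN (case-insensitive, no trailing dot)
    rev=$(printf '%s' "$rev_name" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$rev" = "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" ]
}

# Entry point in OpenVPN's calling convention.  Exit 0 accepts the cert
# at this depth, non-zero aborts the TLS handshake.
tls_verify() {
    depth=$1; dn=$2; peer_ip=${untrusted_ip:-}
    [ "$depth" -eq 0 ] || return 0          # only check the leaf (server) cert
    cn=$(extract_cn "$dn")
    name_matches "$cn" "$peer_ip" "$(forward_lookup "$cn")" "$(reverse_lookup "$peer_ip")" \
        || { echo "tls-verify: CN '$cn' does not match peer $peer_ip" >&2; return 1; }
}

# Run only when invoked by OpenVPN with its two arguments.
if [ "$#" -ge 2 ]; then tls_verify "$1" "$2"; exit $?; fi
```

Enable it in the client config with `script-security 2` and `tls-verify /path/to/this-script.sh`; current OpenVPN releases can also pin the expected name without a script via --verify-x509-name.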


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
