Thanks all,

It seems with openvpn you have more freedom and you are much more in control 
yourself, compared to server/clients-certs on web-servers/clients.
The amount of freedom is a relief (as long as you are aware of it ;-)

Tnx, Hans

-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday 6 November 2014 12:16
To: Witvliet, J, DMO/OPS/I&S/HIN
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] CN-surprise

Hi,

On Thu, Nov 06, 2014 at 11:13:31AM +0100, j.witvl...@mindef.nl wrote:
> Where & when is the relationship between the URL of the vpn-server tested? 
> During server-startup?

Nowhere.  We don't care about the DNS name pointing to the VPN server.

Thing is, we hold a CA certificate that will tell us whether the certificate is 
valid.  If you want to be sure that you're talking to the *right* server (the 
CA might have issued multiple server certificates, and one of them got stolen, 
or such) you can use

--verify-x509-name <cn in server cert>

to double-check that.

> Is this proper behavior?

Yes.  DNS is irrelevant, you might be connecting to an IP address :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
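
The pinning described in the reply above, written as a client configuration. This is an added example, not part of the original thread; the remote address, file names and the CN `vpn-server-01` are constructed placeholders.

```conf
# Constructed OpenVPN client config (added example, placeholders throughout).
client
dev tun
proto udp

# An IP address is fine here: no DNS name is compared against the certificate.
remote 192.0.2.10 1194

# The server certificate must chain to this CA.
ca ca.crt
cert client.crt
key client.key

# With only the lines above, any certificate issued by this CA is accepted
# as the server, including another server's certificate that was stolen.

# Pin the expected server: the peer certificate's CN must equal this value.
# The trailing "name" selects comparison against the CN. Without a type
# argument the default is "subject", which compares the complete subject DN,
# so a bare CN would not match.
verify-x509-name vpn-server-01 name

# Equivalent pin on the full subject DN (placeholder DN, default type):
# verify-x509-name "C=XX, O=Example Org, CN=vpn-server-01"
```

After a failed match the client refuses the connection during the TLS handshake, so a mismatch shows up in the client log as a certificate verification error rather than as a routing or authentication problem.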
