Hi there, I'm wanting to do some smoke-n-mirrors with DNS to point clients at the best OpenVPN server, and I wanted to check that what I am doing is supported (i.e. I won't get a surprise a year from now when this is discovered to be a "bug" and gets fixed ;-)

So am I correct in saying that if a client is configured to only use "verify-x509-name xxxx.yyyy name" to validate the server, then as long as the server cert contains "xxxx.yyyy" as one of its "Subject alternative names", the client is happy?

So... I could configure the client to connect to the server's IP address, or some entirely unrelated "aaaa.bbbb" DNS alias, and it would be happy, because the server cert contains "xxxx.yyyy" as one of its name options? I.e. there's no need for the other DNS aliases to be part of the server cert?

I bring this up because that wouldn't work in a web browser, so I want to check this is supposed to be how OpenVPN works (I guess we could call it a kind of "pinning").

Thanks!

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
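The client-side setup the question describes, written out as an added example that is not from the original post: the client is told to reach the server through one DNS alias while the server identity is pinned to a different name. `aaaa.bbbb`, `xxxx.yyyy`, the port and the file names are placeholders. One caveat worth knowing before relying on this: with the `name` type, `verify-x509-name` compares the string against the Common Name in the server certificate's subject (or whichever RDN `x509-username-field` selects), not against a Subject Alternative Name entry, so the pinned string has to be the CN of the server cert. `remote-cert-tls server` is added so that a client certificate issued by the same CA cannot be presented as the server.

```conf
# Added example OpenVPN client config (not from the original post).
# Host names, port and file names are placeholders.
client
dev tun
proto udp

# Where the client connects. This name is only used to reach the server;
# OpenVPN does not compare it with anything in the server certificate.
remote aaaa.bbbb 1194

# CA that issued the server certificate, plus this client's own identity.
ca ca.crt
cert client.crt
key client.key

# Pin the server identity: with type "name", the string is matched against
# the server certificate's subject CN, independent of the "remote" host.
verify-x509-name xxxx.yyyy name

# Require the key usage / extended key usage of a server certificate, so a
# client cert signed by the same CA cannot pose as the server.
remote-cert-tls server
```

To confirm what name the pin will actually be checked against, inspect the server certificate's subject with `openssl x509 -in server.crt -noout -subject` rather than its SAN list.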