Hi Thomas,

if you keep your CA safe (especially the key), then the chance of someone
having a client cert signed by your CA is pretty minor. Same goes for the
client. But you can do additional checks on the client side to see if
someone is faking your server cert, like:

verify-x509-name
verify-hash

I did not check, but I think it might be possible to check the client cert
with management console auth, but I really don't see any point in it.

Cheers,

        Tom
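The mutual checks discussed in this thread (remote-cert-tls on both sides, plus the extra client-side pinning options Tom lists), written out as an added example configuration that is not part of either post. The file names, the server CN "vpn.example.com", the subnet and the fingerprint are placeholders; only the directive names come from the thread and the OpenVPN manual.

```conf
# Added example, not from the thread. File names, CN, subnet and the
# fingerprint below are placeholders.

# ---- client.conf ----
client
remote vpn.example.com 1194 udp
ca ca.crt
cert client.crt
key client.key
# Reject a peer whose certificate lacks the server keyUsage/EKU bits,
# so a client certificate signed by the same CA cannot pose as the server.
remote-cert-tls server
# Additionally require the server certificate's subject CN to match
# exactly (type "name"; "name-prefix" and "subject" are the other types).
verify-x509-name vpn.example.com name
# Additionally pin the server certificate's SHA-256 fingerprint.
# Obtain the real value with:  openssl x509 -in server.crt -noout -fingerprint -sha256
# The value below is a placeholder, not a real fingerprint.
verify-hash 00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F SHA256

# ---- server.conf ----
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Reject a peer whose certificate lacks the client keyUsage/EKU bits,
# so a server certificate signed by the same CA cannot be used to connect
# as a client.
remote-cert-tls client
# Reject certificates the CA has since revoked (CRL in PEM format).
crl-verify crl.pem
```

Note that verify-x509-name and verify-hash only tighten what the client accepts; they do not replace the CA check, and the pinned fingerprint has to be updated whenever the server certificate is reissued.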

-----Original Message-----
From: Thomas Luening [mailto:t...@thlu.de] 
Sent: Sunday, April 12, 2020 11:51 AM
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Note on cert-error (already solved, but one question)

On 10.04.20 at 19:50, Gert Doering wrote:

> Since you usually do not hand out multiple server certs, it's much 
> less important to ensure that a connecting client really has a 
> *client* cert, and not a "server cert he got from somewhere".

Hello Gert

Thank you very much for your answer. Is the following conclusion based on
this correct when a client connects to a server via the Internet?

With 'remote-cert-tls server' in Client.conf the client instance checks that
the server side is really the server cert. And with 'remote-cert-tls client'
in Server.conf the server instance checks that it is a proper client cert on
the client side. Both are additional checks that are intended to prevent or
make it more difficult for a wrong client to pretend to be the right client
and a wrong server to pretend to be the right server.

Against this background, mutual checks with the respective statement on both
machines (client and server) would make sense. 
Would you agree with this conclusion?

Sorry if I often have to ask again, but it is often very difficult for me to
interpret online translated text correctly. 
Sometimes there are more questions afterwards than before and I don't know
if it was just the translation that misled me.

Best Regards
Tom


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


