‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 6 April 2021 18:14, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Tue, Apr 06, 2021 at 04:39:06PM +0000, tincantech via Openvpn-users wrote:
>
> > can somebody please explain why --tls-verify is run for the server
> > certificate ?
> > EG: certificate_depth=1
> > I cannot find a reason to drop a remote client based on the server
> > certificate.
> > Calling --tls-verify to verify my server certificate seems to be a waste of
> > server resources and connection setup time.
>
> That shouldn't be the server certificate. Depending on your CA setup
> it's either the (root) CA or an intermediate CA cert.

Indeed it is, in my case the root CA.

I am curious though, AFAICT, all the data for the first call to verify the CA is also (mostly?) available in the second call as, for example, tls_serial_hex_1.

Is the first call to --tls-verify for the CA actually necessary? What can I only verify in the first call which cannot be done in the second call?

Like I said, just curiosity .. maybe I'll figure it out myself if I try harder!

Thanks
R
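One way to act on both calls, as an added example that is not part of this thread (the CA subject, the denied-serial list and the "reject anything deeper than depth 1" policy are constructed assumptions): OpenVPN runs the --tls-verify command once per certificate in the presented chain, issuer first, passing the depth and the X.509 subject as arguments, so a failed check at depth 1 stops the handshake before the client certificate is ever examined.

```shell
#!/bin/sh
# Added example of an OpenVPN --tls-verify script (not from the list post).
# OpenVPN calls it once per certificate in the chain: $1 = depth
# (0 = the peer's own cert, 1 and up = issuing CAs), $2 = X.509 subject.
# Per-depth variables such as tls_serial_hex_0 / tls_serial_hex_1 are
# exported for every certificate verified so far.

# Constructed placeholder values for this demonstration.
EXPECTED_CA_SUBJECT="CN=Example-CA"
DENIED_SERIALS="0a:1b:2c"   # placeholder list of client serials to refuse

# Exit status 0 accepts the certificate; non-zero makes OpenVPN drop the peer.
tls_verify_check() {
    depth="$1"
    subject="$2"
    case "$depth" in
        0)
            # Leaf certificate: refuse any serial on the local deny list.
            serial="${tls_serial_hex_0:-}"
            for s in $DENIED_SERIALS; do
                [ "$s" = "$serial" ] && return 1
            done
            return 0 ;;
        1)
            # Issuer: pin the CA identity before the leaf is looked at.
            [ "$subject" = "$EXPECTED_CA_SUBJECT" ] ;;
        *)
            # Assumed policy: a flat CA, so longer chains are rejected.
            return 1 ;;
    esac
}

# When invoked by OpenVPN (two arguments), report the verdict as exit status.
if [ "$#" -eq 2 ]; then
    tls_verify_check "$1" "$2"
    exit $?
fi
```

Configure it with `tls-verify /path/to/this-script` and watch the server log: a rejection at depth 1 is logged before any client-level variables are available.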
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users