pfSense

Hi,

I'm running psSense 2.0-BETA4 (i386) built on Mon Dec 20 20:21:46 EST 2010. Loving it so far!

I am setting up an OpenVPN server and I am using pfSense's Certificate Manager to create the certificates. I have created all of the necessary certificates and keys (e.g. ca, server, client) and configured the OpenVPN server on pfSense and an OpenVPN client on Windows XP.

When I set up the client configuration file, I used the sample client configuration file included with OpenVPN as a template. Then I changed certain settings as needed (e.g. remote server address).

Initially, I couldn't connect from the client. I tracked it down to this error in the OpenVPN log on the client side (confidential parts obfuscated with ###):

Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER

I was able to workaround the problem and successfully connect by commenting out (with a ';' character) the following line in the client configuration:

ns-cert-type server

The comment above that setting recommends using the setting (i.e. not commenting it out) to prevent a possible man in the middle attack:

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.

For now, I'm okay with commenting out that setting. However, I would prefer if pfSense's Certificate Manager would give you the option of adding extensions to certificates (in this case, the extension nsCertType=SERVER). As far as I know, there is no way to do it with the current web interface.

Feature Request: Could you please add this option to the Certificate Manager web interface?