Option to validate OpenVPN peer TLS certificate key usage
As an additional security measure:

--remote-cert-tls client|server

Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect.

The --remote-cert-tls client option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Client Authentication"

The --remote-cert-tls server option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Server Authentication"

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.
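The following is an added example, not part of the ticket and not pfSense's or OpenVPN's code. It reproduces on the command line the two extension checks that "remote-cert-tls client|server" imposes on the peer certificate as described above: a keyUsage extension must be present, and the extendedKeyUsage must name the role the peer claims. It builds a throwaway CA, server certificate and client certificate with the openssl CLI (assumed to be OpenSSL 1.1.1 or newer and in PATH; the PKI is constructed on the spot in a temporary directory), then checks each certificate against both roles so that the cross-checks show why a client certificate cannot pass as a server:

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code. Mirrors the extension checks
# behind "remote-cert-tls client|server" using the openssl CLI.
# Assumes the openssl binary (1.1.1 or newer) is in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway PKI: one CA, a server cert carrying the EKU that
# remote-cert-tls expects of a server, and a client cert carrying the client EKU.
mk_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  for role in server client; do
    case $role in
      server) eku=serverAuth ;;
      client) eku=clientAuth ;;
    esac
    # Leaf extensions: keyUsage present (what --remote-cert-ku with no
    # argument requires) plus the role-specific extendedKeyUsage.
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' "$eku" \
      > "$WORK/$role.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$role" \
      -keyout "$WORK/$role.key" -out "$WORK/$role.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$role.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
      -extfile "$WORK/$role.ext" -out "$WORK/$role.crt" 2>/dev/null
  done
}

# peer_cert_ok CERT ROLE
# Succeeds when CERT would satisfy "remote-cert-tls ROLE": the certificate
# carries a keyUsage extension and its extendedKeyUsage names the expected
# TLS purpose. ROLE is "server" (what a client demands of the peer) or
# "client" (what a server demands of the peer).
peer_cert_ok() {
  cert=$1
  role=$2
  case $role in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "role must be server or client" >&2; return 2 ;;
  esac
  text=$(openssl x509 -in "$cert" -noout -text)
  # --remote-cert-ku with no value: the keyUsage extension must exist at all.
  printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' || return 1
  # --remote-cert-eku "<purpose>": the named purpose must be listed.
  printf '%s\n' "$text" | grep -q "$want"
}

# Demonstration: every certificate checked against every role. Only the
# matching pairs are accepted; a client cert presented as a server is
# rejected, which is the impersonation case the option exists to stop.
mk_pki
for cert in server client; do
  for role in server client; do
    if peer_cert_ok "$WORK/$cert.crt" "$role"; then
      verdict=accepted
    else
      verdict=REJECTED
    fi
    echo "$cert certificate checked with 'remote-cert-tls $role': $verdict"
  done
done
```

This reproduces only the extension checks; OpenVPN additionally requires the peer certificate to chain to the configured CA. `openssl verify -purpose sslserver -CAfile ca.crt server.crt` adds that chain check, but its purpose test accepts a certificate that has no extendedKeyUsage at all, so it is not a substitute for the presence requirement that remote-cert-tls enforces.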
Updated by Viktor Gurov almost 2 years ago
Updated by Danilo Zrenjanin about 1 year ago
- Status changed from Feedback to Resolved
2.6.0-RC (amd64) built on Mon Jan 24 18:44:12 UTC 2022 FreeBSD 12.3-STABLE
I checked the OpenVPN server config file after checking the Client Certificate Key Usage Validation option in the server setup, and it contained the remote-cert-tls client option.
Freshly exported client configuration file contained remote-cert-tls server.
It looks fine. Ticket resolved.