Feature #11865

Add 'remote-cert-tls client/server' option

Added by Viktor Gurov about 2 months ago. Updated about 2 months ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 04/28/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

As an additional security measure

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/:

--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect.

The --remote-cert-tls client option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Client Authentication"

The --remote-cert-tls server option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Server Authentication"

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.
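The check the quoted manual text defines, modelled in Python as an added example (this is not OpenVPN's or pfSense's own code): PeerCert is a constructed stand-in for a parsed certificate's keyUsage and extendedKeyUsage extensions, the EKU OIDs are the RFC 5280 serverAuth/clientAuth values, and the sample certificates are constructed. It shows why a client running with remote-cert-tls server rejects an authorized client's certificate presented in place of the server's.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Extended key usage OIDs from RFC 5280 (successor of the RFC 3280 the manual cites).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # "TLS Web Server Authentication"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # "TLS Web Client Authentication"
ROLE_TO_EKU = {"server": EKU_SERVER_AUTH, "client": EKU_CLIENT_AUTH}


@dataclass(frozen=True)
class PeerCert:
    """Constructed stand-in for the parsed extensions of a peer certificate:
    key_usage is None when the keyUsage extension is absent, otherwise the set of
    asserted bit names; extended_key_usage is the set of EKU OIDs present."""
    subject: str
    key_usage: Optional[FrozenSet[str]]
    extended_key_usage: FrozenSet[str] = field(default_factory=frozenset)


def remote_cert_tls(cert: PeerCert, expected: str) -> Tuple[bool, str]:
    """Model of 'remote-cert-tls client|server' as the manual defines it:
    '--remote-cert-ku' with no argument (keyUsage extension must be present)
    plus '--remote-cert-eku <name>' (EKU must carry the role's purpose)."""
    if expected not in ROLE_TO_EKU:
        raise ValueError("expected must be 'client' or 'server'")
    if cert.key_usage is None:
        return False, f"{cert.subject}: keyUsage extension missing"
    required = ROLE_TO_EKU[expected]
    if required not in cert.extended_key_usage:
        return False, f"{cert.subject}: EKU {required} ({expected} auth) not present"
    return True, f"{cert.subject}: accepted as {expected}"


# Constructed sample certificates, as a CA issuing role-specific certs would produce them.
SERVER_CERT = PeerCert("CN=vpn.example.test", frozenset({"digitalSignature", "keyEncipherment"}),
                       frozenset({EKU_SERVER_AUTH}))
CLIENT_CERT = PeerCert("CN=alice", frozenset({"digitalSignature"}), frozenset({EKU_CLIENT_AUTH}))
LEGACY_CERT = PeerCert("CN=old-server", None, frozenset({EKU_SERVER_AUTH}))


def demo() -> dict:
    """A client expecting a server accepts the genuine server, rejects an authorized
    client presenting its own cert (the impersonation case in the manual), and rejects
    a cert without keyUsage; a server expecting a client accepts the client cert."""
    return {
        "genuine_server": remote_cert_tls(SERVER_CERT, "server")[0],
        "client_posing_as_server": remote_cert_tls(CLIENT_CERT, "server")[0],
        "server_without_ku": remote_cert_tls(LEGACY_CERT, "server")[0],
        "server_checking_client": remote_cert_tls(CLIENT_CERT, "client")[0],
    }
```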

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
