Feature #11865


Option to validate OpenVPN peer TLS certificate key usage

Added by Viktor Gurov over 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: OpenVPN
Target version:
Start date: 04/28/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default

Description

As an additional security measure

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/:

--remote-cert-tls client|server: Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect.

The --remote-cert-tls client option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Client Authentication"

The --remote-cert-tls server option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Server Authentication"

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.
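The decision that `remote-cert-tls` makes about a peer certificate, as an added shell example that is not part of this ticket and not pfSense or OpenVPN code: it mints a throwaway CA with one serverAuth and one clientAuth certificate using openssl, then inspects each certificate's keyUsage and extendedKeyUsage the way the server side (`remote-cert-tls client`, which the pfSense server config gains when the option is enabled) and the client side (`remote-cert-tls server`, written into the exported client config) would. The CA and subject names, file names, and the keyUsage test for digitalSignature or keyAgreement (taken from the manual's description of `--remote-cert-ku` with no argument) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code: reproduce the decision that
# "remote-cert-tls server" / "remote-cert-tls client" make about a peer
# certificate, on certificate files minted here with openssl.
# Assumptions: CA/subject names and file names are arbitrary; the keyUsage
# test (digitalSignature or keyAgreement) follows the manual's description
# of --remote-cert-ku with no argument.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# mint_cert NAME ROLE: issue a cert signed by the CA whose KU/EKU match
# ROLE ("server" -> serverAuth, "client" -> clientAuth).
mint_cert() {
  name=$1; role=$2
  case "$role" in
    server) ku="digitalSignature,keyEncipherment"; eku="serverAuth" ;;
    client) ku="digitalSignature"; eku="clientAuth" ;;
    *) echo "mint_cert: unknown role '$role'" >&2; return 2 ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'keyUsage=critical,%s\nextendedKeyUsage=%s\n' "$ku" "$eku" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# peer_cert_ok CERT ROLE: return 0 if CERT would pass "remote-cert-tls ROLE",
# i.e. keyUsage carries digitalSignature or keyAgreement and extendedKeyUsage
# carries TLS Web Server/Client Authentication. Anything else, including a
# missing extension, fails.
peer_cert_ok() {
  cert=$1; role=$2
  case "$role" in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "peer_cert_ok: unknown role '$role'" >&2; return 2 ;;
  esac
  text=$(openssl x509 -in "$cert" -noout -text)
  # openssl prints the extension name on one line and its values on the next.
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*|*"Key Agreement"*) ;;
    *) return 1 ;;
  esac
  case "$eku" in
    *"$want"*) return 0 ;;
    *) return 1 ;;
  esac
}

mint_cert vpn-server server
mint_cert alice client

# What the server (remote-cert-tls client) and a client (remote-cert-tls
# server) decide about each peer certificate; a client cert offered as a
# server is exactly the impersonation the option exists to stop.
for pair in "vpn-server server" "alice client" "alice server" "vpn-server client"; do
  set -- $pair
  if peer_cert_ok "$WORK/$1.crt" "$2"; then verdict=accepted; else verdict=REJECTED; fi
  echo "$1.crt offered as $2: $verdict"
done
```

Running the script shows alice.crt rejected when offered as a server and vpn-server.crt rejected when offered as a client, while each passes in its intended role. In a real deployment OpenVPN applies this check inside the TLS handshake; the script only reproduces the verdict on the certificate files, which is also a quick way to confirm that certificates issued by another CA carry the key usages the option will demand before enabling it.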


Related issues

Related to Regression #13056: OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled (Resolved, Viktor Gurov)

#2

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
#3

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov
  • Plus Target Version set to 21.09

PR has been merged. Thanks!

#4

Updated by Viktor Gurov over 3 years ago

  • % Done changed from 0 to 100
#5

Updated by Jim Pingle over 3 years ago

  • Subject changed from Add 'remote-cert-tls client/server' option to Option to validate OpenVPN peer TLS certificate key usage

Updating subject for release notes.

#6

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
#7

Updated by Danilo Zrenjanin almost 3 years ago

  • Status changed from Feedback to Resolved

Tested against:

2.6.0-RC (amd64)
built on Mon Jan 24 18:44:12 UTC 2022
FreeBSD 12.3-STABLE

I checked the OpenVPN server config file after checking the Client Certificate Key Usage Validation option in the server setup, and it contained the remote-cert-tls client option.

Freshly exported client configuration file contained remote-cert-tls server.

It looks fine. Ticket resolved.

#8

Updated by Viktor Gurov over 2 years ago

  • Related to Regression #13056: OpenVPN ``remote_cert_tls`` option does not behave correctly when enabled and later disabled added