Bug #1587
Status: Closed
The openvpn client configuration exporter doesn't enforce TLS subject verification
Done: 100%
Description
Hi,
The openvpn client configuration exporter doesn't enforce TLS subject verification. This leads to a security vulnerability whereby if an attacker is in possession of any certificate signed by the CA, he can perform an active MitM attack against other peers. "clients" of the server are in that situation and can man-in-the-middle each other.
The proper way of doing things is to use "tls-remote" to ensure no MITM is taking place and the server the client is connecting to is the right one.
Something like the following should be added to /usr/local/pkg/openvpn-client-export.inc ... except it requires the CN and not the full subject (my php sucks)
$conf .= "tls-remote ".cert_get_subject($server_cert['crt'])."\n";
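The following is an added example, not pfSense code or part of this report: it shows how the exporter could derive the CN that "tls-remote" needs from the server certificate PEM (the page's $server_cert['crt']) using PHP's openssl extension rather than pfSense's cert helpers, and how the resulting name check rejects another certificate issued by the same CA. The CA and hostnames are constructed for the demonstration.

```php
<?php
// Added example (not pfSense code). Builds the name-check line the client
// export should emit, and shows the client-side check that line enables.

// openssl_x509_parse() returns the subject as an array, so the CN can be
// taken directly instead of from the full subject string.
function tls_remote_line(string $server_cert_pem): string {
    $info = openssl_x509_parse($server_cert_pem);
    if ($info === false || empty($info['subject']['CN'])) {
        throw new RuntimeException("server certificate has no subject CN");
    }
    // "tls-remote" matched OpenVPN releases of this bug's era; OpenVPN 2.4
    // removed it, and "verify-x509-name <cn> name" checks the same field.
    return "tls-remote " . $info['subject']['CN'] . "\n";
}

// What the client checks with that line: the presented certificate's CN must
// equal the expected one. A valid signature from the CA alone is not enough.
function cn_matches(string $presented_pem, string $expected_cn): bool {
    $info = openssl_x509_parse($presented_pem);
    return $info !== false && ($info['subject']['CN'] ?? null) === $expected_cn;
}

// Constructed test material: a throwaway CA issuing a server certificate and
// a second certificate, mirroring "any certificate signed by the CA".
function make_cert(string $cn, $ca_cert, $ca_key): string {
    $key = openssl_pkey_new(['private_key_bits' => 2048,
                             'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key);
    $x509 = openssl_csr_sign($csr, $ca_cert, $ca_key, 30);
    openssl_x509_export($x509, $pem);
    return $pem;
}

$ca_key = openssl_pkey_new(['private_key_bits' => 2048,
                            'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$ca_csr = openssl_csr_new(['commonName' => 'Constructed Test CA'], $ca_key);
$ca_cert = openssl_csr_sign($ca_csr, null, $ca_key, 30);   // self-signed CA

$server_pem = make_cert('vpn.example.test', $ca_cert, $ca_key);
$other_pem  = make_cert('some-other-peer', $ca_cert, $ca_key);

echo tls_remote_line($server_pem);
var_dump(cn_matches($server_pem, 'vpn.example.test'));   // expected server
var_dump(cn_matches($other_pem, 'vpn.example.test'));    // same CA, wrong CN
```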
Updated by Jim Pingle over 13 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:e366b753b24d8cadbe15bc6778e46c3159dc9983.
Updated by Chris Buechler over 13 years ago
- Status changed from Feedback to Resolved