Project

General

Profile

Actions

Bug #1587

closed

The openvpn client configuration exporter doesn't enforce TLS subject verification

Added by Florent Daigniere over 13 years ago. Updated over 13 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
Start date:
06/08/2011
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.0
Affected Plus Version:
Affected Architecture:
All

Description

Hi,

The openvpn client configuration exporter doesn't enforce TLS subject verification. This leads to a security vulnerability whereby if an attacker is in possession of any certificate signed by the CA, he can perform an active MitM attack against other peers. "clients" of the server are in that situation and can man-in-the-middle each other.

The proper way of doing things is to use "tls-remote" to ensure no MITM is taking place and the server the client is connecting to is the right one.

Something like the following should be added to /usr/local/pkg/openvpn-client-export.inc ... except it requires the CN and not the full subject (my php sucks)

$conf .= "tls-remote ".cert_get_subject($server_cert['crt'])."\n";

Actions

Also available in: Atom PDF