Bug #1587
The openvpn client configuration exporter doesn't enforce TLS subject verification (closed)
Status: Resolved
Priority: High
Assignee: -
Category: -
Target version: -
Start date: 06/08/2011
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.0
Affected Plus Version:
Affected Architecture: All
Description
Hi,
The openvpn client configuration exporter doesn't enforce TLS subject verification. This leads to a security vulnerability whereby if an attacker is in possession of any certificate signed by the CA, he can perform an active MitM attack against other peers. "clients" of the server are in that situation and can man-in-the-middle each other.
The proper way of doing things is to use "tls-remote" to ensure no MITM is taking place and the server the client is connecting to is the right one.
Something like the following should be added to /usr/local/pkg/openvpn-client-export.inc ... except it requires the CN and not the full subject (my php sucks)
$conf .= "tls-remote ".cert_get_subject($server_cert['crt'])."\n";
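As an added illustration (not pfSense's or the reporter's code), the following Python audits an exported client config for the two checks this report is about, a pinned server name and a server-role requirement, and derives the CN-only directive the reporter wanted from a subject string; the sample config is constructed to resemble a 2.0-era export.

```python
"""Audit an OpenVPN client config for server-identity verification (added example)."""
import re

# Constructed sample resembling a pfSense 2.0 client export; note: no tls-remote.
SAMPLE_EXPORT = """\
dev tun
persist-tun
persist-key
proto udp
client
resolv-retry infinite
remote vpn.example.com 1194
tls-client
pkcs12 pfSense-udp-1194.p12
tls-auth pfSense-udp-1194-tls.key 1
ns-cert-type server
"""

NAME_PIN = ("tls-remote", "verify-x509-name")   # pin the expected server name
ROLE_PIN = ("remote-cert-tls", "ns-cert-type")  # require a server-role certificate


def parse_directives(config_text):
    """Return (directive, args) pairs; skips comments and inline <ca>..</ca> blocks."""
    directives, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def audit_server_identity(config_text):
    """Report whether the client pins the server's name and requires a server cert."""
    found = dict(parse_directives(config_text))
    return {
        "pins_server_name": any(found.get(d) for d in NAME_PIN),
        "requires_server_role": any(found.get(d) == ["server"] for d in ROLE_PIN),
    }


def cn_from_subject(subject):
    """Extract the CN from 'C=US, O=Org, CN=host' or '/C=US/O=Org/CN=host' forms."""
    match = re.search(r"(?:^|[,/])\s*CN=([^,/]+)", subject)
    return match.group(1).strip() if match else None


def name_pin_directive(subject, openvpn_24_or_later=False):
    """Build the CN-pinning directive; tls-remote was removed in OpenVPN 2.4."""
    cn = cn_from_subject(subject)
    if cn is None:
        raise ValueError("subject has no CN")
    return ("verify-x509-name %s name" if openvpn_24_or_later else "tls-remote %s") % cn
```

Without a name pin, `ns-cert-type server` alone only rejects certificates that lack the server role, so a second server certificate from the same CA would still be accepted.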