diff options
| author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-11-12 08:26:57 +0000 |
|---|---|---|
| committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-11-12 08:26:57 +0000 |
| commit | 411e89ae6fa195885dc13c594235893c22cb33d8 (patch) | |
| tree | 27126306bc8185ef538127bc5f03052be898814d /openvpn.8 | |
| parent | 9423103dab10cd5b933e4f6e574f37e33457ca96 (diff) | |
| download | openvpn-411e89ae6fa195885dc13c594235893c22cb33d8.tar.gz openvpn-411e89ae6fa195885dc13c594235893c22cb33d8.tar.xz openvpn-411e89ae6fa195885dc13c594235893c22cb33d8.zip | |
Merged --remote-cert-ku, --remote-cert-eku, and
--remote-cert-tls from Alon's branch:
svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn .
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'openvpn.8')
| -rw-r--r-- | openvpn.8 | 55 |
1 files changed, 55 insertions, 0 deletions
@@ -225,6 +225,9 @@ openvpn \- secure IP tunnel daemon. [\ \fB\-\-remap\-usr1\fR\ \fIsignal\fR\ ] [\ \fB\-\-remote\-random\fR\ ] [\ \fB\-\-remote\fR\ \fIhost\ [port]\fR\ ] +[\ \fB\-\-remote\-cert\-ku\ \fIv...\fR\ ] +[\ \fB\-\-remote\-cert\-eku\ \fIoid\fR\ ] +[\ \fB\-\-remote\-cert\-tls\ \fIt\fR\ ] [\ \fB\-\-reneg\-bytes\fR\ \fIn\fR\ ] [\ \fB\-\-reneg\-pkts\fR\ \fIn\fR\ ] [\ \fB\-\-reneg\-sec\fR\ \fIn\fR\ ] @@ -4044,6 +4047,58 @@ or .B --tls-verify. .\"********************************************************* .TP +.B --remote-cert-ku v... +Require that peer certificate was signed with an explicit +.B key usage. + +This is useful security option for clients, to ensure that +the host they connect with is a designated server. + +The key usage should be encoded in hex, more than one key +usage can be specified. +.\"********************************************************* +.TP +.B --remote-cert-eku oid +Require that peer certificate was signed with an explicit +.B extended key usage. + +This is useful security option for clients, to ensure that +the host they connect with is a designated server. + +The extended key usage should be encoded in oid notation, or +OpenSSL symbolic representation. +.\"********************************************************* +.TP +.B --remote-cert-tls client|server +Require that peer certificate was signed with an explicit +.B key usage +and +.B extended key usage +based on TLS rules. + +This is a useful security option for clients, to ensure that +the host they connect with is a designated server. + +The +.B --remote-cert-tls client +option is equivalent to +.B --remote-cert-ku 80 08 88 --remote-cert-eku \fB"TLS Web Client Authentication" + +The +.B --remote-cert-tls server +option is equivalent to +.B --remote-cert-ku a0 08 --remote-cert-eku \fB"TLS Web Server Authentication" + +This is an important security precaution to protect against +a man-in-the-middle attack where an authorized client +attempts to connect to another client by impersonating the server. +The attack is easily prevented by having clients verify +the server certificate using any one of +.B --remote-cert-tls, --tls-remote, +or +.B --tls-verify. +.\"********************************************************* +.TP .B --crl-verify crl Check peer certificate against the file .B crl |