summaryrefslogtreecommitdiffstats
path: root/sample/sample-config-files/client.conf
diff options
context:
space:
mode:
authorSteffan Karger <steffan@karger.me>2014-10-23 00:14:29 +0200
committerGert Doering <gert@greenie.muc.de>2014-11-15 17:45:10 +0100
commit13b2313ace9797fc6b6ba8980ae592c930e16ee9 (patch)
treefc35814d9385f4cef227489e3bb0c9de69ad3677 /sample/sample-config-files/client.conf
parent6cb15b908a64b69b715fa8b2d60c71c6d9d3f9fc (diff)
downloadopenvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.tar.gz
openvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.tar.xz
openvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.zip
Modernize sample keys and sample configs
I kept most of the certificate properties equal to the old certs, since some people's test scripts might rely on them (and it does not require any creativity from my part). Changes: * Add script to generate fresh test/sample keys (but keep sample keys in git for simple testing) * Switch from 1024 to 4096 bits RSA CA * Switch from 1024 to 2048 bits client/server RSA keys * Switch from 1024 to 2048 bits Diffie-Hellman parameters * Generate EC client and server cert, but sign with RSA CA (lets us test EC <-> RSA interoperability) * Remove 3DES cipher from 'sample' config * Add 'remote-cert-tls server' to client config * Update config files to deprecate nsCertType in favour of the keyUsage and extendedKeyUsage extensions. * Make naming more consistent Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Samuli Seppänen <samuli@openvpn.net> Message-Id: <CAA1AbxKZr_E6Wk9GBbB3xpLyJzyBxSa1k21UDXnC90d8refUzw@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9226 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'sample/sample-config-files/client.conf')
-rw-r--r--sample/sample-config-files/client.conf17
1 files changed, 9 insertions, 8 deletions
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 58b2038..050ef60 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
cert client.crt
key client.key
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server". This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server". The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.