diff options
author | Steffan Karger <steffan@karger.me> | 2014-10-23 00:14:29 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-11-15 17:45:10 +0100 |
commit | 13b2313ace9797fc6b6ba8980ae592c930e16ee9 (patch) | |
tree | fc35814d9385f4cef227489e3bb0c9de69ad3677 /sample/sample-config-files/client.conf | |
parent | 6cb15b908a64b69b715fa8b2d60c71c6d9d3f9fc (diff) | |
download | openvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.tar.gz openvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.tar.xz openvpn-13b2313ace9797fc6b6ba8980ae592c930e16ee9.zip |
Modernize sample keys and sample configs
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <CAA1AbxKZr_E6Wk9GBbB3xpLyJzyBxSa1k21UDXnC90d8refUzw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9226
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'sample/sample-config-files/client.conf')
-rw-r--r-- | sample/sample-config-files/client.conf | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 58b2038..050ef60 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -89,18 +89,19 @@ ca ca.crt cert client.crt key client.key -# Verify server certificate by checking -# that the certicate has the nsCertType -# field set to "server". This is an -# important precaution to protect against +# Verify server certificate by checking that the +# certicate has the correct key usage set. +# This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate -# your server certificates with the nsCertType -# field set to "server". The build-key-server -# script in the easy-rsa folder will do this. -ns-cert-type server +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. |