From 411e89ae6fa195885dc13c594235893c22cb33d8 Mon Sep 17 00:00:00 2001
From: james
Date: Sat, 12 Nov 2005 08:26:57 +0000
Subject: Merged --remote-cert-ku, --remote-cert-eku, and --remote-cert-tls from Alon's branch: svn merge -r 793:796 $SO/contrib/alon/BETA21/openvpn .
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@797 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 openvpn.8 | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
(limited to 'openvpn.8')

diff --git a/openvpn.8 b/openvpn.8
index 0c634a9..7d14524 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -225,6 +225,9 @@ openvpn \- secure IP tunnel daemon.
 [\ \fB\-\-remap\-usr1\fR\ \fIsignal\fR\ ]
 [\ \fB\-\-remote\-random\fR\ ]
 [\ \fB\-\-remote\fR\ \fIhost\ [port]\fR\ ]
+[\ \fB\-\-remote\-cert\-ku\ \fIv...\fR\ ]
+[\ \fB\-\-remote\-cert\-eku\ \fIoid\fR\ ]
+[\ \fB\-\-remote\-cert\-tls\ \fIt\fR\ ]
 [\ \fB\-\-reneg\-bytes\fR\ \fIn\fR\ ]
 [\ \fB\-\-reneg\-pkts\fR\ \fIn\fR\ ]
 [\ \fB\-\-reneg\-sec\fR\ \fIn\fR\ ]
@@ -4044,6 +4047,58 @@ or
 .B --tls-verify.
 .\"*********************************************************
 .TP
+.B --remote-cert-ku v...
+Require that peer certificate was signed with an explicit
+.B key usage.
+
+This is useful security option for clients, to ensure that
+the host they connect with is a designated server.
+
+The key usage should be encoded in hex, more than one key
+usage can be specified.
+.\"*********************************************************
+.TP
+.B --remote-cert-eku oid
+Require that peer certificate was signed with an explicit
+.B extended key usage.
+
+This is useful security option for clients, to ensure that
+the host they connect with is a designated server.
+
+The extended key usage should be encoded in oid notation, or
+OpenSSL symbolic representation.
+.\"*********************************************************
+.TP
+.B --remote-cert-tls client|server
+Require that peer certificate was signed with an explicit
+.B key usage
+and
+.B extended key usage
+based on TLS rules.
+
+This is a useful security option for clients, to ensure that
+the host they connect with is a designated server.
+
+The
+.B --remote-cert-tls client
+option is equivalent to
+.B --remote-cert-ku 80 08 88 --remote-cert-eku \fB"TLS Web Client Authentication"
+
+The
+.B --remote-cert-tls server
+option is equivalent to
+.B --remote-cert-ku a0 08 --remote-cert-eku \fB"TLS Web Server Authentication"
+
+This is an important security precaution to protect against
+a man-in-the-middle attack where an authorized client
+attempts to connect to another client by impersonating the server.
+The attack is easily prevented by having clients verify
+the server certificate using any one of
+.B --remote-cert-tls, --tls-remote,
+or
+.B --tls-verify.
+.\"*********************************************************
+.TP
 .B --crl-verify crl
 Check peer certificate against the file
 .B crl
-- 
cgit