OpenVPN 2.09 ns-cert-type ??? - UNIX for Advanced & Expert Users

kungpow · #1 (**permalink**) 05-15-2007

--ns-cert-type client|server
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".

This is a useful security option for clients, to ensure that the host they connect with is a designated server.

See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".

If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

Question
I know what this is used for:
--ns-cert-type server

but what is this used for? And how does it work?
--ns-cert-type client

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
USN-612-3: OpenVPN vulnerability	iBot	Security Advisories (RSS)	0	05-13-2008 12:20 PM
Type I and Type II Errors - The Heart of Event Processing	iBot	Complex Event Processing RSS News	0	12-05-2007 02:50 PM
array type has incomplete element type	jaganadh	High Level Programming	1	07-24-2007 12:54 AM
Human readable type vs MIME type detection using file	spauldingsmails	Shell Programming and Scripting	0	03-21-2007 08:43 PM
Solaris 8 Cert.	aojmoj	UNIX for Dummies Questions & Answers	1	01-12-2003 07:26 PM

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode