OpenVPN 2.09 ns-cert-type ???

# 1, 05-15-2007

--ns-cert-type client|server
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".

This is a useful security option for clients, to ensure that the host they connect with is a designated server.

See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".

If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

Question
I know what this is used for:
--ns-cert-type server

but what is this used for? And how does it work?
--ns-cert-type client
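As an added illustration of the check the quoted man page describes (example code written here, not OpenVPN's own and not part of the original thread): the nsCertType extension value is modelled directly as the DER BIT STRING OpenSSL writes, with the two sample values constructed to match nsCertType=server and nsCertType=client, and the decision each --ns-cert-type setting makes against them is shown.

```c
/* Added example (not OpenVPN's code): how an --ns-cert-type check decides.
 * OpenVPN reads the nsCertType extension (OID 2.16.840.1.113730.1.1) of the peer
 * certificate via OpenSSL; here its value is modelled as the raw DER BIT STRING. */
#include <stdio.h>
#include <string.h>

/* Bit assignments in the first byte of the Netscape certificate-type BIT STRING. */
#define NS_SSL_CLIENT 0x80
#define NS_SSL_SERVER 0x40

/* Decode a DER BIT STRING (tag 0x03) and return its first content byte, or -1 if
 * malformed. Short-form length only, which is all a one-byte nsCertType needs. */
int ns_cert_type_bits(const unsigned char *der, size_t len)
{
    if (len < 4 || der[0] != 0x03)                       /* tag must be BIT STRING */
        return -1;
    size_t content = der[1];                             /* content length */
    if (content < 2 || content > len - 2 || der[2] > 7)  /* unused-bits byte is 0..7 */
        return -1;
    return der[3];
}

/* Emulate "--ns-cert-type server" / "--ns-cert-type client": the peer's certificate
 * must carry the matching designation or the handshake fails. 1 = accept, 0 = reject. */
int ns_cert_type_check(const char *want, const unsigned char *der, size_t len)
{
    int bits = ns_cert_type_bits(der, len);
    if (bits < 0)
        return 0;                     /* extension missing or malformed: reject */
    if (strcmp(want, "server") == 0)
        return (bits & NS_SSL_SERVER) != 0;
    if (strcmp(want, "client") == 0)
        return (bits & NS_SSL_CLIENT) != 0;
    return 0;                         /* unknown designation: reject */
}

/* Constructed sample values, encoded as OpenSSL writes nsCertType=server and =client. */
static const unsigned char SERVER_CERT_TYPE[] = { 0x03, 0x02, 0x06, 0x40 };
static const unsigned char CLIENT_CERT_TYPE[] = { 0x03, 0x02, 0x07, 0x80 };

int main(void)
{
    /* A client using --ns-cert-type server accepts the real server (1) but rejects an
     * authorized client's certificate presented as the server's (0); the server's
     * --ns-cert-type client is the mirror check on the connecting peer (1). */
    printf("server cert as server: %d\n", ns_cert_type_check("server", SERVER_CERT_TYPE, 4));
    printf("client cert as server: %d\n", ns_cert_type_check("server", CLIENT_CERT_TYPE, 4));
    printf("client cert as client: %d\n", ns_cert_type_check("client", CLIENT_CERT_TYPE, 4));
    return 0;
}
```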

NE_SSL_CERT_IDENTITY(3)            neon API reference            NE_SSL_CERT_IDENTITY(3)

NAME
       ne_ssl_cert_identity, ne_ssl_cert_signedby, ne_ssl_cert_issuer, ne_ssl_cert_subject - functions to access certificate properties

SYNOPSIS
       #include <ne_ssl.h>

       const char *ne_ssl_cert_identity(const ne_ssl_certificate *cert);
       const ne_ssl_certificate *ne_ssl_cert_signedby(const ne_ssl_certificate *cert);
       const ne_ssl_dname *ne_ssl_cert_subject(const ne_ssl_certificate *cert);
       const ne_ssl_dname *ne_ssl_cert_issuer(const ne_ssl_certificate *cert);

DESCRIPTION
       The function ne_ssl_cert_identity retrieves the "identity" of a certificate; for an SSL server certificate, this will be the hostname for which the certificate was issued. In PKI parlance, the identity is the common name attribute of the distinguished name of the certificate subject.

       The functions ne_ssl_cert_subject and ne_ssl_cert_issuer can be used to access the objects representing the distinguished name of the subject and of the issuer of a certificate, respectively.

       If a certificate object is part of a certificate chain, then ne_ssl_cert_signedby can be used to find the certificate which signed a particular certificate. For a self-signed certificate or a certificate for which the full chain is not available, this function will return NULL.

RETURN VALUE
       ne_ssl_cert_issuer and ne_ssl_cert_subject are guaranteed to never return NULL. ne_ssl_cert_identity may return NULL if the certificate has no specific "identity". ne_ssl_cert_signedby may return NULL as covered above.

EXAMPLES
       The following function could be used to display information about a given certificate:

           #include <stdio.h>    /* printf */
           #include <stdlib.h>   /* free */
           #include <ne_ssl.h>

           void dump_cert(const ne_ssl_certificate *cert)
           {
               const char *id = ne_ssl_cert_identity(cert);
               char *dn;

               /* The identity may be NULL (see RETURN VALUE), so test it before use. */
               if (id)
                   printf("Certificate was issued for '%s'.\n", id);

               /* ne_ssl_readable_dname returns an allocated string the caller must free. */
               dn = ne_ssl_readable_dname(ne_ssl_cert_subject(cert));
               printf("Subject: %s\n", dn);
               free(dn);

               dn = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert));
               printf("Issuer: %s\n", dn);
               free(dn);
           }

SEE ALSO
       ne_ssl_cert_cmp, ne_ssl_readable_dname

AUTHOR
       Joe Orton <neon@lists.manyfish.co.uk>
           Author.

COPYRIGHT

neon 0.29.6                          3 May 2011                    NE_SSL_CERT_IDENTITY(3)