Login or Register to Ask a Question and Join Our Community


UNIX for Advanced & Expert Users

OpenVPN 2.09 ns-cert-type ???

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users OpenVPN 2.09 ns-cert-type ???
# 1  
Old 05-15-2007
OpenVPN 2.09 ns-cert-type ???
--ns-cert-type client|server
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".

This is a useful security option for clients, to ensure that the host they connect with is a designated server.

See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".

If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

Question
I know what this is used for:
--ns-cert-type server

but what is this used for? And how does it work?
--ns-cert-type client
Login or Register to Ask a Question

Previous Thread | Next Thread

7 More Discussions You Might Find Interesting

1. Red Hat

Cert Question

Good morning! Need a little advice as to which direction I should choose when it comes to certifications. My current position now is a RH Linux Administrator, and have been in the position for about 4 months. We are currently running RHEL 6.8 VM's, with no plans to moving to RHEL 7 no time soon... (0 Replies)
Discussion started by: spiveyb
0 Replies

2. Solaris

OpenVPN and NAT

Hi. I am attempting to set up an OpenVPN server on my Solaris 11 box by following all the Linux guides. Thus far I have a working VPN that I can connect to and ssh onto my VPN server over which is great but not what I require long term. I would like to route all VPN client requests for addresses... (0 Replies)
Discussion started by: nickb1976
0 Replies

3. UNIX for Dummies Questions & Answers

iptables for openvpn

Hey all, I'm trying to get openvpn working on DD-WRT router. I can make a connection inside my lan, but outside the connection is yellow. I think yellow means it is close to making a connection, but it never completes the connection. So I believe there is a problem with my iptables since it... (0 Replies)
Discussion started by: sdnix
0 Replies

4. IP Networking

OPENVPN on FREEBSD

Hello gurus , I have a vmware machine on xp wich holds a FREBSD 8.0 BETA2 i386 my xp ip is 192.168.0.12 my freebsd le0 ( ext iface, vmware bridged ) is 192.168.0.105 ( can ping google; etc...) my freebsd le2 (int iface, vmware local only) is 192.168.141.5 my freebsd le1 is disabled as... (0 Replies)
Discussion started by: cozsmin
0 Replies

5. Programming

array type has incomplete element type

Dear colleagues, One of my friend have a problem with c code. While compiling a c program it displays a message like "array type has incomplete element type". Any body can provide a solution for it. Jaganadh.G (1 Reply)
Discussion started by: jaganadh
1 Replies

6. Cybersecurity

RV082 with OpenVPN and/or isakmpd

Has anyone gotten either isakmpd or OpenVPN working with a Linksys RV082? Would you be willing to share a conf file? Thanks! (0 Replies)
Discussion started by: vertigo23
0 Replies

7. UNIX for Dummies Questions & Answers

Solaris 8 Cert.

Does anyone have the question or a practice exam for the Solaris 8 Certification. If so email me at (1 Reply)
Discussion started by: aojmoj
1 Replies
Login or Register to Ask a Question

LEARN ABOUT SUSE

stap-authorize-signing-cert

STAP-AUTHORIZE-SIGNING-CERT(8)				      System Manager's Manual				    STAP-AUTHORIZE-SIGNING-CERT(8)

NAME

       stap-authorize-signing-cert - systemtap signing authorization utility

SYNOPSIS

       stap-authorize-signing-cert CERTFILE [ DIRNAME ]

DESCRIPTION

       The  staprun program will load modules for members of the group stapusr if they are signed by a trusted signer. A trusted signer is usually
       a systemtap compile server which signs modules when the client (stap-client) specifies the --unprivileged option.

       The trustworthiness of a given signer can not be determined automatically without a trusted certificate authority issuing systemtap signing
       certificates.  This is not practical in everyday use and so, staprun must authenticate servers against its own database of trusted signers.
       In this context, establishing a given signer as trusted means adding that signer's certificate to staprun's database of trusted signers.

       The stap-authorize-signing-cert program adds the given signing certificate to the given certificate database, making that signer a  trusted
       server for staprun when using that database.

ARGUMENTS

       The stap-authorize-signing-cert program accepts two arguments:

       CERTFILE
	      This  is the name of the file containing the certificate of the new trusted signer.  For systemtap compile servers, this is the file
	      named stap.cert which can be found in the server's certificate database.	On the server host, for servers started by the stap-server
	      service,	this  database can be found in /var/lib/stap-server/.systemtap/ssl/server/.  For servers run by other non-root users, this
	      database can be found in $HOME/.systemtap/ssl/server/.  For root users (EUID=0), it can be found in /etc/systemtap/ssl/server.

       DIRNAME
	      This optional argument is the name of the directory containing the certificate database to which the certificate is to be added.	If
	      not  specified,  the default is /etc/systemtap/staprun/.	That is, the default result is that all users on the local host will trust
	      this signer. Note that this default directory is only writable by root.

SAFETY AND SECURITY

       Systemtap is an administrative tool.  It exposes kernel internal data structures and potentially private user information.  See the stap(1)
       manual page for additional information on safety and security.

       Systemtap  uses	Network  Security  Services (NSS) for module signing and verification. The NSS tool certutil is used for the generation of
       certificates. The related certificate databases must be protected in order to maintain the security of the system.  Use	of  the  utilities
       provided  will  help to ensure that the proper protection is maintained. staprun will check for proper access permissions before making use
       of any certificate database.

FILES

       /etc/systemtap/staprun/
	      staprun's trusted signer certificate database.

       /var/lib/stap-server/.systemtap/ssl/server/stap.cert
	      Signing certificate for servers started by the stap-server service.

SEE ALSO

       stap(1), staprun(8), stap-server(8), stap-client(8), NSS, certutil

BUGS

       Use the Bugzilla link of the project web page or our mailing list.  http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.

Red Hat 							    2010-07-05					    STAP-AUTHORIZE-SIGNING-CERT(8)