--ns-cert-type client|server
Require that the peer certificate carries an explicit nsCertType designation of "client" or "server".
This is a useful security option for clients, to ensure that the host they connect to is a designated server.
See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".
If the server certificate's nsCertType field is set to "server", then clients can verify this with --ns-cert-type server.
This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server: without the check, any certificate the CA ever issued (including every client certificate) is accepted as "the server". The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify. Note that nsCertType is a legacy Netscape extension; OpenVPN 2.4 deprecates --ns-cert-type in favour of --remote-cert-tls, which makes the same client/server distinction using the standard X.509 keyUsage and extendedKeyUsage extensions, and later releases remove the old option.
Question
I know what this is used for:
--ns-cert-type server
but what is this used for? And how does it work?
--ns-cert-type client
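The check is symmetric: the man page text above requires the peer certificate to carry the named designation, so a server configured with --ns-cert-type client rejects any peer that presents a server certificate, just as a client with --ns-cert-type server rejects a peer that presents a client certificate. The script below is an added example, not OpenVPN's or easy-rsa's code. It mints a throwaway CA, issues one certificate with nsCertType=server, one with nsCertType=client and one with no designation, reads the extension back with openssl, and applies the same accept/reject decision --ns-cert-type makes. It sets the extension through an openssl -extfile rather than easy-rsa's openssl.cnf extension section; the scratch directory, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not OpenVPN's or easy-rsa's code): mint a throwaway CA, issue
# a server certificate with nsCertType=server, a client certificate with
# nsCertType=client and one with no designation, then read the extension back
# and apply the accept/reject decision --ns-cert-type makes on a peer cert.
# The scratch directory, file names and subjects are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway test CA; self-signed and valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue NAME TYPE : key + CSR for NAME, signed by the test CA; when TYPE is
# non-empty the certificate gets nsCertType=TYPE, otherwise no designation.
issue() {
    name=$1; type=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
    if [ -n "$type" ]; then
        printf 'nsCertType=%s\n' "$type" > "$name.ext"
        set -- -extfile "$name.ext"
    else
        set --
    fi
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 "$@" -out "$name.crt" >/dev/null 2>&1
}

# ns_cert_type CERT : print the Netscape Cert Type value ("SSL Server",
# "SSL Client", ...) or "none" when the extension is absent.
ns_cert_type() {
    value=$(openssl x509 -in "$1" -noout -text |
        awk '/Netscape Cert Type:/ { getline; sub(/^[ \t]+/, ""); print; exit }')
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf 'none\n'; fi
}

# require_ns_cert_type CERT server|client : succeed only if CERT carries the
# requested designation; this is the decision --ns-cert-type enforces.
require_ns_cert_type() {
    case $2 in
        server) want="SSL Server" ;;
        client) want="SSL Client" ;;
        *) echo "usage: require_ns_cert_type CERT server|client" >&2; return 2 ;;
    esac
    case "$(ns_cert_type "$1")" in
        *"$want"*) return 0 ;;
        *)         return 1 ;;
    esac
}

issue vpn-server server
issue alice client
issue untyped ""

for c in vpn-server alice untyped; do
    printf '%-10s nsCertType: %s\n' "$c" "$(ns_cert_type "$c.crt")"
done

# What a client running with --ns-cert-type server decides about each peer:
# only vpn-server is accepted; alice (a valid client cert from the same CA)
# and the undesignated cert are rejected, which is what stops the MITM above.
for c in vpn-server alice untyped; do
    if require_ns_cert_type "$c.crt" server; then verdict=accept; else verdict=REJECT; fi
    printf 'client-side check of %-10s -> %s\n' "$c" "$verdict"
done
```

Run it as-is to see the three verdicts; point ns_cert_type at a real server certificate before deploying --ns-cert-type server, because a client configured with the option simply will not connect to a server whose certificate lacks the designation.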
NE_SSL_CERT_IDENTITY(3)                    neon API reference                    NE_SSL_CERT_IDENTITY(3)
NAME
ne_ssl_cert_identity, ne_ssl_cert_signedby, ne_ssl_cert_issuer, ne_ssl_cert_subject - functions to access certificate properties
SYNOPSIS
#include <ne_ssl.h>
const char *ne_ssl_cert_identity(const ne_ssl_certificate *cert);
const ne_ssl_certificate *ne_ssl_cert_signedby(const ne_ssl_certificate *cert);
const ne_ssl_dname *ne_ssl_cert_subject(const ne_ssl_certificate *cert);
const ne_ssl_dname *ne_ssl_cert_issuer(const ne_ssl_certificate *cert);
DESCRIPTION
The function ne_ssl_cert_identity retrieves the "identity" of a certificate; for an SSL server certificate, this will be the hostname for
which the certificate was issued. In PKI parlance, the identity is the common name attribute of the distinguished name of the certificate
subject. A server certificate may also carry hostnames in its subjectAltName extension, and current hostname-verification practice
(RFC 6125) gives those precedence over the common name, so code that compares the identity against the hostname it intended to reach
should not treat the common name as the only place a name can live.
The functions ne_ssl_cert_subject and ne_ssl_cert_issuer can be used to access the objects representing the distinguished name of the
subject and of the issuer of a certificate, respectively.
If a certificate object is part of a certificate chain, then ne_ssl_cert_signedby can be used to find the certificate which signed a
particular certificate. For a self-signed certificate or a certificate for which the full chain is not available, this function will return
NULL.
RETURN VALUE
ne_ssl_cert_issuer and ne_ssl_cert_subject are guaranteed to never return NULL. ne_ssl_cert_identity may return NULL if the certificate
has no specific "identity". ne_ssl_cert_signedby may return NULL as covered above.
EXAMPLES
The following function could be used to display information about a given certificate:
       #include <stdio.h>
       #include <stdlib.h>
       #include <ne_ssl.h>

       /* Print the identity, subject and issuer of a certificate. */
       void dump_cert(const ne_ssl_certificate *cert) {
           const char *id = ne_ssl_cert_identity(cert);
           char *dn;

           /* identity is NULL for a certificate with no specific identity */
           if (id)
               printf("Certificate was issued for '%s'.\n", id);

           /* ne_ssl_readable_dname returns a string the caller must free */
           dn = ne_ssl_readable_dname(ne_ssl_cert_subject(cert));
           printf("Subject: %s\n", dn);
           free(dn);

           dn = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert));
           printf("Issuer: %s\n", dn);
           free(dn);
       }
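The identity string is only useful once it is compared with the hostname the client set out to reach; neon does that comparison during verification and reports a mismatch through the NE_SSL_IDMISMATCH failure bit. The function below is an added example, not neon's code, showing what that comparison has to get right: ASCII case-insensitive label matching, a wildcard honoured only as the entire left-most label of a name with at least three labels (so "*.com" never matches), rejection of empty labels, and a NULL identity never matching. It takes plain strings so it builds without libneon; in a real client the first argument would be the result of ne_ssl_cert_identity(). The hostnames in main are constructed test inputs.

```c
/* Added example; not part of neon. Compare the identity string returned by
 * ne_ssl_cert_identity() with the hostname the client intended to reach.
 * Rules follow RFC 6125: labels compare ASCII case-insensitively, a "*" is a
 * wildcard only as the whole left-most label of a name with three or more
 * labels, empty labels are rejected, and a NULL identity never matches. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS labels given by pointer and length. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Number of labels in a dotted name, or -1 if the name is empty or any
 * label is empty (leading/trailing dot, "a..b"). */
static int count_labels(const char *s)
{
    int n = 0;
    size_t len = 0;
    if (*s == '\0')
        return -1;
    for (const char *p = s;; p++) {
        if (*p == '.' || *p == '\0') {
            if (len == 0)
                return -1;
            n++;
            len = 0;
            if (*p == '\0')
                break;
        } else {
            len++;
        }
    }
    return n;
}

/* Returns 1 if the certificate identity matches hostname, else 0. */
int identity_matches(const char *identity, const char *hostname)
{
    if (identity == NULL || hostname == NULL)
        return 0;
    int il = count_labels(identity), hl = count_labels(hostname);
    if (il < 1 || hl < 1 || il != hl)
        return 0;

    const char *ip = identity, *hp = hostname;
    for (int i = 0; i < il; i++) {
        const char *ie = strchr(ip, '.'), *he = strchr(hp, '.');
        size_t ilen = ie ? (size_t)(ie - ip) : strlen(ip);
        size_t hlen = he ? (size_t)(he - hp) : strlen(hp);
        int wildcard = (i == 0 && ilen == 1 && ip[0] == '*');

        if (wildcard) {
            if (il < 3)  /* "*.com" would match every host under .com */
                return 0;
        } else if (!label_eq(ip, ilen, hp, hlen)) {
            return 0;
        }
        ip = ie ? ie + 1 : ip + ilen;
        hp = he ? he + 1 : hp + hlen;
    }
    return 1;
}

int main(void)
{
    /* Constructed identities standing in for ne_ssl_cert_identity() output. */
    const char *cases[][2] = {
        { "www.example.com", "WWW.Example.COM" },
        { "*.example.com",   "api.example.com" },
        { "*.example.com",   "a.b.example.com" },
        { "*.com",           "example.com" },
        { "example.com",     "example.org" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s -> %s\n", cases[i][0], cases[i][1],
               identity_matches(cases[i][0], cases[i][1]) ? "match" : "MISMATCH");
    return 0;
}
```

The wildcard rule is the part most often got wrong: accepting "*.com", or letting "*.example.com" cover "a.b.example.com", turns a narrowly issued certificate into one that impersonates far more hosts than the CA intended.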
SEE ALSO
ne_ssl_cert_cmp, ne_ssl_readable_dname
AUTHOR
Joe Orton <neon@lists.manyfish.co.uk>
COPYRIGHT
neon 0.28.4                                25 February 2009                       NE_SSL_CERT_IDENTITY(3)