google / nogotofail

An on-path blackbox network traffic security testing tool
Apache License 2.0

Harden OpenVPN configuration #109

Closed klyubin closed 7 years ago

klyubin commented 7 years ago

This switches the OpenVPN tunnel from Blowfish with SHA-1 HMAC to 128-bit AES with SHA-256 HMAC.

Moreover, the client configuration now requires that the server certificate is permitted to be used for server authentication (as signalled by the certificate's Key Usage and Extended Key Usage extensions). This is to prevent one client of the server from being able to use its client certificate to MiTM other clients of the server. This is needed because, in the current setup, server and client certs are issued from the same CA.
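
The two configuration states the PR describes, as an added example that is not the project's own code or the PR's diff: a constructed "before" fragment (Blowfish, SHA-1, no server-role check) beside a constructed "after" fragment (AES-128, SHA-256, `remote-cert-tls server`), plus an `audit_ovpn` check that flags the weak one. The directive names are standard OpenVPN 2.x options; that these are exactly the lines the PR changed is an assumption, since the diff is not shown on this page.

```shell
#!/bin/sh
# Added example (not from nogotofail). Writes two constructed OpenVPN client
# config fragments and audits them for the hardening described in the PR.
set -u

# Constructed "before": Blowfish (OpenVPN's historical default), SHA-1 HMAC,
# and no requirement that the server cert actually be a server cert.
write_weak_conf() {
  cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
EOF
}

# Constructed "after": AES-128 with SHA-256 HMAC, and "remote-cert-tls server",
# which makes the client require the serverAuth Extended Key Usage and a
# server-appropriate Key Usage, so a client cert from the same CA is rejected.
write_hardened_conf() {
  cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194
cipher AES-128-CBC
auth SHA256
remote-cert-tls server
EOF
}

# audit_ovpn FILE: prints each finding; returns 0 if the config meets the
# PR's bar, 1 otherwise. An absent directive falls back to the weak default.
audit_ovpn() {
  f=$1; rc=0
  if ! grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-' "$f"; then
    echo "$f: cipher is not AES (Blowfish or unset)"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+SHA(256|384|512)' "$f"; then
    echo "$f: HMAC digest is SHA-1 or unset"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f"; then
    echo "$f: missing 'remote-cert-tls server': any cert from the shared CA could pose as the server"; rc=1
  fi
  return $rc
}
```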

klyubin commented 7 years ago

ping