longzuyuan / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

add remote-cert-tls as a recognized option #124

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Recognize this option. Currently it's added as custom configuration.

remote-cert-tls server

From the manual:

--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and
extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they
connect to is a designated server.

This is an important security precaution to protect against a
man-in-the-middle attack where an authorized client attempts to connect to
another client by impersonating the server. The attack is easily prevented by
having clients verify the server certificate using any one of
--remote-cert-tls, --tls-remote, or --tls-verify.

Also there's a typo in the current warning message, it should say "could not be 
parsed", the word "not" is missing.

Original issue reported on code.google.com by aleksand...@gmail.com on 22 Dec 2012 at 4:12
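The manual text quoted in this issue describes two things: a config line that must be parsed (`remote-cert-tls client|server`) and the check it turns on (the peer's leaf certificate must explicitly carry the matching extended key usage, so a client certificate from the same CA cannot be presented as the server). The Go program below is an added illustration of both; it is not code from ics-openvpn or OpenVPN. It builds a constructed test CA, one server certificate with the serverAuth EKU and one client certificate with only clientAuth, then runs the `remote-cert-tls server` check against each. The helper names (`parseRemoteCertTLS`, `issue`, `verifyPeer`, `scenario`) are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseRemoteCertTLS maps one "remote-cert-tls client|server" config line to the
// extended key usage the peer certificate must carry. Hypothetical helper, not
// the app's own config parser.
func parseRemoteCertTLS(line string) (x509.ExtKeyUsage, error) {
	f := strings.Fields(line)
	if len(f) != 2 || f[0] != "remote-cert-tls" {
		return 0, fmt.Errorf("not a remote-cert-tls line: %q", line)
	}
	switch f[1] {
	case "server":
		return x509.ExtKeyUsageServerAuth, nil
	case "client":
		return x509.ExtKeyUsageClientAuth, nil
	}
	return 0, fmt.Errorf("remote-cert-tls: argument must be client or server, got %q", f[1])
}

// issue creates a constructed test certificate. With ca == nil it is
// self-signed (used for the CA); otherwise it is signed by ca with caKey.
func issue(cn string, eku []x509.ExtKeyUsage, isCA bool,
	ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPeer does what remote-cert-tls adds on top of ordinary chain
// validation: the leaf must chain to the CA and explicitly carry the EKU.
func verifyPeer(peer, ca *x509.Certificate, required x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{required}}
	if _, err := peer.Verify(opts); err != nil {
		return err
	}
	// Go's Verify accepts a leaf with no EKU extension at all; the OpenVPN
	// option requires an explicit EKU, so check the leaf's own list as well.
	for _, u := range peer.ExtKeyUsage {
		if u == required {
			return nil
		}
	}
	return errors.New("peer certificate lacks the required extended key usage")
}

// scenario reproduces the situation from the manual: server and client
// certificates come from the same CA, but only the real server has serverAuth.
func scenario() (serverOK bool, impostorRejected bool, err error) {
	ca, caKey, err := issue("Test CA", nil, true, nil, nil)
	if err != nil {
		return false, false, err
	}
	server, _, err := issue("vpn.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	if err != nil {
		return false, false, err
	}
	client, _, err := issue("some-client", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, false, ca, caKey)
	if err != nil {
		return false, false, err
	}
	required, err := parseRemoteCertTLS("remote-cert-tls server")
	if err != nil {
		return false, false, err
	}
	return verifyPeer(server, ca, required) == nil, verifyPeer(client, ca, required) != nil, nil
}

func main() {
	ok, rejected, err := scenario()
	fmt.Println("server accepted:", ok, "impostor rejected:", rejected, "err:", err)
}
```

The explicit loop over `peer.ExtKeyUsage` is the point to notice: a chain check with `KeyUsages` alone would still pass a certificate that simply omits the extension, whereas the option as documented demands that the usage be stated in the certificate.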

GoogleCodeExporter commented 9 years ago
This issue was closed by revision 597822e28971.

Original comment by arne@rfc2549.org on 22 Dec 2012 at 10:26