summaryrefslogtreecommitdiff
path: root/app/openvpn/sample/sample-config-files/client.conf
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2014-12-20 20:14:23 +0100
committerParménides GV <parmegv@sdf.org>2014-12-23 19:58:02 +0100
commitd6190becb1c48ee912b11a4206116d0fd4c90772 (patch)
tree1a8d7f85690ce56196855fa969e86b1e53d813f3 /app/openvpn/sample/sample-config-files/client.conf
parentb1219330faf64b2cd4330d44390fdec137b659b7 (diff)
Update ics-openvpn to 1006
Diffstat (limited to 'app/openvpn/sample/sample-config-files/client.conf')
-rw-r--r--app/openvpn/sample/sample-config-files/client.conf17
1 files changed, 9 insertions, 8 deletions
diff --git a/app/openvpn/sample/sample-config-files/client.conf b/app/openvpn/sample/sample-config-files/client.conf
index 58b2038b..050ef600 100644
--- a/app/openvpn/sample/sample-config-files/client.conf
+++ b/app/openvpn/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
cert client.crt
key client.key
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server". This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server". The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.