From d02a647cda48441ab0f6f1c5d00d5b3fdb74b691 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Tue, 25 Nov 2014 23:19:29 +0100
Subject: Update OpenVPN to -master

--HG--
extra : rebase_source : cc844ae1a812fce0244f7e381fcee8c2db7e8bc2
---
 main/openvpn/sample/sample-config-files/client.conf | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

(limited to 'main/openvpn/sample/sample-config-files/client.conf')

diff --git a/main/openvpn/sample/sample-config-files/client.conf b/main/openvpn/sample/sample-config-files/client.conf
index 58b2038b..050ef600 100644
--- a/main/openvpn/sample/sample-config-files/client.conf
+++ b/main/openvpn/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
 cert client.crt
 key client.key
 
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server". This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 # http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server". The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
 
 # If a tls-auth key is used on the server
 # then every client must also have the key.
--
cgit v1.2.3
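Review bot: The rewritten comment above `remote-cert-tls server` carries the old typo into a new line, `# certicate has the correct key usage set.`, which should read `# certificate has the correct key usage set.`. The comment also presents the usage check as the whole protection, but the directive only inspects the certificate's keyUsage/extendedKeyUsage fields, so any certificate from the same CA marked serverAuth would satisfy it. A line such as `# For stronger protection also pin the expected server name with verify-x509-name.` would tell users how to bind the client to one server. Server certificates that carry only nsCertType would presumably be rejected once this sample is used, so a one-line migration note in the comment would help anyone upgrading an existing setup.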