diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-06-30 08:22:29 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-06-30 08:22:29 +0200 |
commit | 6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 (patch) | |
tree | 0fdc36dba5e216faf7ade9d7b327090b4a20bd2b /sample/sample-config-files/client.conf | |
parent | 63862ed15e1abb4b29c5a43b469321c928613c62 (diff) |
Imported Upstream version 2.3.7upstream/2.3.7
Diffstat (limited to 'sample/sample-config-files/client.conf')
-rw-r--r-- | sample/sample-config-files/client.conf | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 58b2038..050ef60 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -89,18 +89,19 @@ ca ca.crt cert client.crt key client.key -# Verify server certificate by checking -# that the certicate has the nsCertType -# field set to "server". This is an -# important precaution to protect against +# Verify server certificate by checking that the +# certicate has the correct key usage set. +# This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate -# your server certificates with the nsCertType -# field set to "server". The build-key-server -# script in the easy-rsa folder will do this. -ns-cert-type server +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. |