Imported Upstream version 2.3.7upstream/2.3.7

author: Alberto Gonzalez Iniesta <agi@inittab.org> 2015-06-30 08:22:29 +0200
committer: Alberto Gonzalez Iniesta <agi@inittab.org> 2015-06-30 08:22:29 +0200
commit: 6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 (patch)
tree: 0fdc36dba5e216faf7ade9d7b327090b4a20bd2b /sample/sample-config-files/client.conf
parent: 63862ed15e1abb4b29c5a43b469321c928613c62 (diff)
1 files changed, 9 insertions, 8 deletions
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 58b2038..050ef60 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
 cert client.crt
 key client.key
 
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server".  This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server".  The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
 
 # If a tls-auth key is used on the server
 # then every client must also have the key.
author	Alberto Gonzalez Iniesta <agi@inittab.org>	2015-06-30 08:22:29 +0200
committer	Alberto Gonzalez Iniesta <agi@inittab.org>	2015-06-30 08:22:29 +0200
commit	6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 (patch)
tree	0fdc36dba5e216faf7ade9d7b327090b4a20bd2b /sample/sample-config-files/client.conf
parent	63862ed15e1abb4b29c5a43b469321c928613c62 (diff)