diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-06-30 08:22:29 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2015-06-30 08:22:29 +0200 |
commit | db0b5876a982e93446fcc2df42c16d3e2b62dcfb (patch) | |
tree | 54d0f7166375db006940c9ee80159ccc501db518 /sample/sample-config-files | |
parent | a89c50f051faf00e5370e6073b920940b2bc68bf (diff) | |
parent | 6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 (diff) |
Merge tag 'upstream/2.3.7'
Upstream version 2.3.7
Diffstat (limited to 'sample/sample-config-files')
-rw-r--r-- | sample/sample-config-files/client.conf | 17 | ||||
-rw-r--r-- | sample/sample-config-files/loopback-client | 2 | ||||
-rw-r--r-- | sample/sample-config-files/loopback-server | 3 | ||||
-rw-r--r-- | sample/sample-config-files/server.conf | 6 | ||||
-rw-r--r-- | sample/sample-config-files/tls-office.conf | 2 |
5 files changed, 14 insertions, 16 deletions
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 58b2038..050ef60 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -89,18 +89,19 @@ ca ca.crt cert client.crt key client.key -# Verify server certificate by checking -# that the certicate has the nsCertType -# field set to "server". This is an -# important precaution to protect against +# Verify server certificate by checking that the +# certicate has the correct key usage set. +# This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate -# your server certificates with the nsCertType -# field set to "server". The build-key-server -# script in the easy-rsa folder will do this. -ns-cert-type server +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client index d7f59e6..ebbd1cf 100644 --- a/sample/sample-config-files/loopback-client +++ b/sample/sample-config-files/loopback-client @@ -17,9 +17,9 @@ dev null verb 3 reneg-sec 10 tls-client +remote-cert-tls server ca sample-keys/ca.crt key sample-keys/client.key cert sample-keys/client.crt -cipher DES-EDE3-CBC ping 1 inactive 120 10000000 diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server index 9d21bce..8cb97be 100644 --- a/sample/sample-config-files/loopback-server +++ b/sample/sample-config-files/loopback-server @@ -17,10 +17,9 @@ dev null verb 3 reneg-sec 10 tls-server -dh sample-keys/dh1024.pem +dh sample-keys/dh2048.pem ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt -cipher DES-EDE3-CBC ping 1 inactive 120 10000000 diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index 467d5b8..701be3c 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -81,10 +81,8 @@ key server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -dh dh1024.pem +# openssl dhparam -out dh2048.pem 2048 +dh dh2048.pem # Network topology # Should be subnet (addressing via IP) diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf index f790f46..d196144 100644 --- a/sample/sample-config-files/tls-office.conf +++ b/sample/sample-config-files/tls-office.conf @@ -26,7 +26,7 @@ up ./office.up tls-server # Diffie-Hellman Parameters (tls-server only) -dh dh1024.pem +dh dh2048.pem # Certificate Authority file ca my-ca.crt |