From 6149d88c5a2c58a9cc943ca02c36e8ee4e5d1751 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta <agi@inittab.org>
Date: Tue, 30 Jun 2015 08:22:29 +0200
Subject: Imported Upstream version 2.3.7

---
 sample/sample-config-files/client.conf     | 17 +++++++++--------
 sample/sample-config-files/loopback-client |  2 +-
 sample/sample-config-files/loopback-server |  3 +--
 sample/sample-config-files/server.conf     |  6 ++----
 sample/sample-config-files/tls-office.conf |  2 +-
 5 files changed, 14 insertions(+), 16 deletions(-)

(limited to 'sample/sample-config-files')

diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 58b2038..050ef60 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -89,18 +89,19 @@ ca ca.crt
 cert client.crt
 key client.key
 
-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server".  This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certicate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server".  The build-key-server
-# script in the easy-rsa folder will do this.
-ns-cert-type server
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
 
 # If a tls-auth key is used on the server
 # then every client must also have the key.
diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client
index d7f59e6..ebbd1cf 100644
--- a/sample/sample-config-files/loopback-client
+++ b/sample/sample-config-files/loopback-client
@@ -17,9 +17,9 @@ dev null
 verb 3
 reneg-sec 10
 tls-client
+remote-cert-tls server
 ca sample-keys/ca.crt
 key sample-keys/client.key
 cert sample-keys/client.crt
-cipher DES-EDE3-CBC
 ping 1
 inactive 120 10000000
diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server
index 9d21bce..8cb97be 100644
--- a/sample/sample-config-files/loopback-server
+++ b/sample/sample-config-files/loopback-server
@@ -17,10 +17,9 @@ dev null
 verb 3
 reneg-sec 10
 tls-server
-dh sample-keys/dh1024.pem
+dh sample-keys/dh2048.pem
 ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
-cipher DES-EDE3-CBC
 ping 1
 inactive 120 10000000
diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf
index 467d5b8..701be3c 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -81,10 +81,8 @@ key server.key  # This file should be kept secret
 
 # Diffie hellman parameters.
 # Generate your own with:
-#   openssl dhparam -out dh1024.pem 1024
-# Substitute 2048 for 1024 if you are using
-# 2048 bit keys.
-dh dh1024.pem
+#   openssl dhparam -out dh2048.pem 2048
+dh dh2048.pem
 
 # Network topology
 # Should be subnet (addressing via IP)
diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf
index f790f46..d196144 100644
--- a/sample/sample-config-files/tls-office.conf
+++ b/sample/sample-config-files/tls-office.conf
@@ -26,7 +26,7 @@ up ./office.up
 tls-server
 
 # Diffie-Hellman Parameters (tls-server only)
-dh dh1024.pem
+dh dh2048.pem
 
 # Certificate Authority file
 ca my-ca.crt
-- 
cgit v1.2.3