Content #
When X.509 certificates are generated, special Extended Key Usage (EKU) attributes can be added to the certificate. This allows us to specify a purpose for the certificate, for example as a server-only certificate or a client-only certificate. Certificates used by secure websites make use of the same EKU attributes.
To check the EKU attributes of a certificate, use the following commands:
$ openssl x509 -text -noout -in server.crt | \
    grep -C 1 "Key Usage"
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
This tells us that the server.crt certificate can be used only for server authentication.
Older certificates may not have these EKU attributes set, but instead use the (deprecated) Netscape Cert Type attribute.
$ openssl x509 -text -noout -in server.crt | \
    grep -C 1 "Netscape Cert"
        Netscape Cert Type:
            SSL Server
However, this attribute can only be set for server-side certificates.
OpenVPN security can be increased by checking these attributes. For this, the option remote-cert-tls is used.
The option remote-cert-tls client instructs the OpenVPN server to only allow connections from VPN clients that have a certificate with the X.509 EKU attribute set to TLS Web Client Authentication.
This prevents a hacker from setting up a rogue OpenVPN server using a client certificate.
Similarly, for the client, the option remote-cert-tls server instructs the OpenVPN client to only allow connections to a VPN server that has a certificate with the X.509 EKU attribute set to TLS Web Server Authentication.
This prevents a malicious client from setting up a rogue OpenVPN server to attract connections from other VPN users.
It is also possible to check for the Netscape Cert Type attribute. As this is an attribute of the server certificate, the OpenVPN client needs to check it when connecting. For this, the option ns-cert-type server can be used. The option remote-cert-tls is preferred.
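Added example (not from the book): a POSIX shell script that generates throw-away server, client and EKU-less certificates with openssl and then applies the same EKU check that remote-cert-tls performs on the peer certificate. The certificate names and the check_remote_cert_tls function are assumptions of this example, not OpenVPN code; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from Mastering OpenVPN): imitate the EKU check that
# remote-cert-tls performs, using openssl on throw-away test certificates.
# Assumes OpenSSL 1.1.1 or newer (for -addext) and GNU/BSD grep (-A).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed certificate (constructed test data) with the given
# extendedKeyUsage value: serverAuth, clientAuth, or "" for none.
gen_cert() {
  name=$1; eku=$2
  set -- -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$name.example.test" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt"
  [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage = $eku"
  openssl req "$@" 2>/dev/null
}

# Return 0 only if the certificate carries the EKU that remote-cert-tls
# would demand from the peer (server -> TLS Web Server Authentication,
# client -> TLS Web Client Authentication); anything else is rejected.
check_remote_cert_tls() {
  cert=$1; role=$2
  case $role in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "usage: check_remote_cert_tls CERT server|client" >&2; return 2 ;;
  esac
  # Same extraction as the book's command: the EKU values sit on the line
  # after the "X509v3 Extended Key Usage:" header.
  openssl x509 -text -noout -in "$cert" \
    | grep -A1 "Extended Key Usage" | grep -q "$want"
}

gen_cert server serverAuth
gen_cert client clientAuth
gen_cert legacy ""   # no EKU at all, as on an older certificate

for cert in server client legacy; do
  for role in server client; do
    if check_remote_cert_tls "$WORK/$cert.crt" $role; then
      echo "$cert.crt: accepted under 'remote-cert-tls $role'"
    else
      echo "$cert.crt: rejected under 'remote-cert-tls $role'"
    fi
  done
done
```

The legacy certificate is rejected in both roles, which is why a peer presenting such a certificate fails to connect once remote-cert-tls is enabled.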
From #
Mastering OpenVPN