Hi all,
When we use only auth-user-pass-verify to authenticate connections and the client config doesn't have any certs except a <ca> and <tls-auth> section, are options such as remote-cert-tls server & tls-remote still needed?
From my understanding, as the client doesn't have any common-CA-signed certificate & key of his own, he has no way to impersonate the server? Please correct me if I am wrong.
Thanks.
Can we skip those (anti-)MITM options when only user/pass based auth is being done?
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Sun Mar 19, 2017 7:00 am
Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?
Anyone?? Please suggest.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?
akbsol wrote: Please suggest
Suggest: Most people prefer more security than less ..
MITM attacks are carried out by a Man-In-The-Middle .. not your client or server.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Sun Mar 19, 2017 7:00 am
Re: Can we skip those (anti-)MITM options when only user/pass based auth is being done?
Thanks for replying. The suggestion sought by me though wasn't about what most people prefer.
I simply wanted to know the theoretical possibility of MitM as outlined here:
https://openvpn.net/index.php/open-sour ... .html#mitm
when client configs don't have any certificate except <ca> and authentication is simply based on username-password. The page above lists methodologies to adopt:
"To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients."
But when no client has any certificate & key of his own, can he still impersonate?
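For reference, here is a client configuration for the password-only setup discussed in this thread, with the server-verification options the OpenVPN documentation quoted above recommends. This is an added example, not a config posted by anyone in the thread or shipped by the OpenVPN project; the hostname, Common Name and the <ca>/<tls-auth> bodies are placeholders. The relevant point for the question asked: with only auth-user-pass, the client still validates the server's certificate against the <ca> block, so the remaining risk is any other certificate issued by that same CA being presented as "the server". remote-cert-tls server rejects a CA-issued certificate that lacks the TLS server key usage and extended key usage, and verify-x509-name additionally pins the expected Common Name (verify-x509-name replaced tls-remote, which was removed in OpenVPN 2.4). Neither option requires the client to hold a certificate of its own, so they cost nothing to keep in a user/pass-only deployment.

```conf
# Added example client config (not from the thread). Placeholder values are marked.
client
dev tun
proto udp
remote vpn.example.com 1194        # placeholder hostname
nobind
persist-key
persist-tun

# Password-only authentication: this client holds no certificate or private key.
# The server side pairs this with auth-user-pass-verify and verify-client-cert none.
auth-user-pass

# The server's certificate is still verified against this CA. Without the two
# checks below, ANY certificate issued by this CA would be accepted as the server.
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER: paste the CA certificate here
-----END CERTIFICATE-----
</ca>

# Require the presented certificate to carry the TLS server keyUsage and the
# serverAuth extendedKeyUsage (easy-rsa sets these on server-type certs only).
# A certificate issued to a client by the same CA fails this check.
remote-cert-tls server

# Pin the expected Common Name of the server certificate.
# Replaces the old tls-remote directive (removed in OpenVPN 2.4).
verify-x509-name "server" name     # placeholder CN

# Shared HMAC key on the control channel; packets without a valid HMAC are dropped.
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER: paste ta.key here
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
```

The check to run after deploying this is a negative one: connect with a certificate the CA issued to a client substituted on the server side, and confirm the client aborts the handshake with a certificate verification error rather than completing the connection.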