how to create certificates for "--remote-cert-tls"

proctor
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 07, 2011 10:01 am

how to create certificates for "--remote-cert-tls"

Post by proctor » Fri Jan 07, 2011 11:20 am

hello,

i am unclear how to create the certificates for use with the remote-cert-tls

To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients. There are currently five different ways of accomplishing this, listed in the order of preference:

[OpenVPN 2.1 and above] Build your server certificates with specific key usage and extended key usage. RFC3280 determines that the following attributes should be provided for TLS connections:


Mode     Key usage                            Extended key usage
Client   digitalSignature                     TLS Web Client Authentication
         keyAgreement
         digitalSignature, keyAgreement
Server   digitalSignature, keyEncipherment    TLS Web Server Authentication
         digitalSignature, keyAgreement

You can build your server certificates with the build-key-server script (see the easy-rsa documentation for more info). This will designate the certificate as a server-only certificate by setting the right attributes. Now add the following line to your client configuration:

remote-cert-tls server
(http://openvpn.net/index.php/open-sourc ... l#examples)

and the manual says:
--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
This is a useful security option for clients, to ensure that the host they connect to is a designated server.

The --remote-cert-tls client option is equivalent to --remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"

The key usage is digitalSignature and/or keyAgreement.

The --remote-cert-tls server option is equivalent to --remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication"

The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --tls-remote, or --tls-verify.
(http://openvpn.net/index.php/open-sourc ... pn-21.html)

this looks to me like the server certificate should have 2 "key usage" directives plus an extended directive of "TLS Web Server Authentication"

and the client certificate should have 3 "key usage" directives plus an extended directive of "TLS Web Client Authentication"

can someone please explain exactly which "key usage" directives go into the respective certificates to make this work?

sincerely,
proctor

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: how to create certificates for "--remote-cert-tls"

Post by gladiatr72 » Fri Jan 07, 2011 4:00 pm

Server certificate extensions look something like this:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier: 
                73:F5:57:1A:C0:C7:2A:6C:3F:2C:C6:F0:E9:47:D1:47:0C:A9:D0:09
            X509v3 Authority Key Identifier: 
                keyid:wh:ee:ee:ee:ee
                DirName:/C=US/ST=blahblahblah
                serial:02

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Non-server/client certificates:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                0A:8A:BE:FF:3D:55:5D:BF:12:F4:9A:69:CA:F9:D6:4D:4F:3A:0E:39
            X509v3 Authority Key Identifier: 
                keyid:A9:F5:4D:34:ED:CC:70:38:88:B4:7D:4A:1B:00:C9:F1:F6:3A:E3:1E
                DirName:/C=US/ST=blahblahblah
                serial:01

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
The Simple Solution: use the easy-rsa scripts. They Do the Right Thing. Otherwise, you'll need to cajole your existing scripts/gui/whatever to add the proper extensions.

-Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole

proctor
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 07, 2011 10:01 am

Re: how to create certificates for "--remote-cert-tls"

Post by proctor » Fri Jan 07, 2011 7:44 pm

hi gladiatr72,

thanks for your reply. i need to clarify one thing:

in the documentation, for the client, it states under "key usage":
digitalSignature
keyAgreement
digitalSignature, keyAgreement
and under "extended key usage":
TLS Web Client Authentication
(http://openvpn.net/index.php/open-sourc ... l#secnotes)

in the manual i assume the directive "--remote-cert-ku 80 08 88" refers to "key usage" and the directive "--remote-cert-eku "TLS Web Client Authentication"" refers to "extended key usage."

The --remote-cert-tls client option is equivalent to --remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"

i understand that the directive "--remote-cert-ku" must be given in a "bit mask" format (the "80 08 88"), while the directive "--remote-cert-eku" is stated as a string (the "TLS Web Client Authentication")

however in your example i don't see evidence of the "key usage" parameters
("digitalSignature
keyAgreement
digitalSignature, keyAgreement"

or

"80 08 88"

or their equivalent)

have you omitted them or are you quite sure they are unneeded? i am under the impression that this must be set EXACTLY right or it will fail. whenever i have used these directives the link has failed.

are you certain that the examples you gave will function properly?

thank you again for your time.

proctor

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: how to create certificates for "--remote-cert-tls"

Post by krzee » Thu Jan 13, 2011 9:25 pm

i asked JJK to expand on this a little...
JJK wrote: just use the 'easy-rsa' scripts provided with OpenVPN 2.1 - the certificates that come out of it already pass the
remote-cert-tls client
remote-cert-tls server
tests:

Thu Jan 13 16:51:07 2011 us=343000 Validating certificate key usage
Thu Jan 13 16:51:07 2011 us=343000 ++ Certificate has key usage 00a0, expects 00a0
Thu Jan 13 16:51:07 2011 us=343000 VERIFY KU OK
Thu Jan 13 16:51:07 2011 us=343000 Validating certificate extended key usage
Thu Jan 13 16:51:07 2011 us=343000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 13 16:51:07 2011 us=343000 VERIFY EKU OK
Thu Jan 13 16:51:07 2011 us=343000 VERIFY OK: depth=0, /C=NL/O=Cookbook/CN=openvpnserver/emailAddress=janjust@nikhef.nl


'remote-cert-tls server' means that the certificate has "TLS Web Server Auth" as an extended property. 'remote-cert-tls client' wants to see "TLS Web Client Auth". These settings - like 'ns-cert-type server' - are configured in the (easy-rsa) openssl.cnf file:

[ usr_cert ]
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

[ server ]
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

cheers,

JJK
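
As an added example (not code from this thread, from OpenVPN or from easy-rsa), the script below builds a throw-away CA, a server certificate and a client certificate using the `[ server ]` and `[ usr_cert ]` extension sections JJK quotes, reads the key usage and extended key usage back with `openssl x509 -text`, and then runs `openssl verify -purpose sslserver` / `-purpose sslclient`, which applies OpenSSL's own role rules to those two extensions (a check analogous to, but separate from, OpenVPN's `remote-cert-tls`). It needs the `openssl` command on PATH. The file names, the `[ req ]`, `[ req_dn ]` and `[ ca_ext ]` sections and the `basicConstraints` lines are this example's own additions, the minimum needed to run `openssl req` unattended.

```python
"""Added example: generate certificates with the quoted openssl.cnf sections
and inspect the resulting key usage / extended key usage with openssl.
Not OpenVPN or easy-rsa code; requires the `openssl` command-line tool."""
import os
import subprocess
import tempfile

# [ usr_cert ] and [ server ] are the sections quoted in the thread.  The
# [ req ], [ req_dn ] and [ ca_ext ] sections and the basicConstraints lines
# are this example's own, the minimum needed to run `openssl req` unattended.
OPENSSL_CNF = """\
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign

[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
"""


def _openssl(*args, cwd):
    """Run one openssl command in `cwd`; raise if it fails."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def build_pki(workdir):
    """Create ca.crt, server.crt and client.crt (plus keys) in workdir."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)
    # Self-signed CA carrying the [ ca_ext ] extensions.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
             "-keyout", "ca.key", "-out", "ca.crt", "-subj", "/CN=Example CA",
             "-config", cnf, "-extensions", "ca_ext", cwd=workdir)
    # One CSR per role, signed by the CA with that role's extension section.
    for name, section in (("server", "server"), ("client", "usr_cert")):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", name + ".key", "-out", name + ".csr",
                 "-subj", "/CN=" + name, "-config", cnf, cwd=workdir)
        _openssl("x509", "-req", "-days", "30", "-in", name + ".csr",
                 "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                 "-extfile", cnf, "-extensions", section,
                 "-out", name + ".crt", cwd=workdir)


def extensions(workdir, name):
    """Return (key usage names, extended key usage names) as openssl prints
    them for name.crt, e.g. (['Digital Signature', 'Key Encipherment'],
    ['TLS Web Server Authentication'])."""
    lines = _openssl("x509", "-in", name + ".crt", "-noout", "-text",
                     cwd=workdir).splitlines()
    found = {}
    for i, line in enumerate(lines):
        for key in ("X509v3 Key Usage", "X509v3 Extended Key Usage"):
            if line.strip().startswith(key + ":"):
                # The values are on the following, indented line.
                found[key] = [v.strip() for v in lines[i + 1].split(",")]
    return (found.get("X509v3 Key Usage", []),
            found.get("X509v3 Extended Key Usage", []))


def accepted_for(workdir, name, purpose):
    """True if `openssl verify -purpose <purpose>` accepts name.crt; the
    sslserver / sslclient purposes check the KU and EKU for that role."""
    r = subprocess.run(["openssl", "verify", "-purpose", purpose,
                        "-CAfile", "ca.crt", name + ".crt"],
                       cwd=workdir, capture_output=True, text=True)
    return r.returncode == 0


def demo():
    """Build the PKI and report what each certificate carries and passes as."""
    with tempfile.TemporaryDirectory() as d:
        build_pki(d)
        report = {}
        for name in ("server", "client"):
            ku, eku = extensions(d, name)
            report[name] = {
                "ku": ku, "eku": eku,
                "as_server": accepted_for(d, name, "sslserver"),
                "as_client": accepted_for(d, name, "sslclient"),
            }
        return report


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The point of the two `openssl verify` calls is the impersonation case from the HOWTO: the client certificate, although signed by the same CA, is rejected for the `sslserver` purpose because its extended key usage says client only, and the server certificate is likewise rejected as a client. A certificate signed with neither section, as in gladiatr72's older output, would carry no key usage at all.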

proctor
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 07, 2011 10:01 am

SOLVED -- Re: how to create certificates for "--remote-cert-

Post by proctor » Thu Jan 13, 2011 10:45 pm

from what i understand from my reading and testing, in order for the directive "--remote-cert-tls" to work, in the certificates the:

client certificate "key usage" must have EITHER "digitalSignature" AND/OR "keyAgreement"
AND
"extended key usage" of "TLS Web Client Authentication"

the server certificate "key usage" must have "digitalSignature" AND EITHER ( "keyEncipherment" OR "keyAgreement" )
AND
"extended key usage" of "TLS Web Server Authentication"

using these guidelines i am able to successfully create the correct certificate types for client/server verification. i use XCA as my creation tool, and not easy-rsa.
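
The manual's expansion of --remote-cert-tls into --remote-cert-ku / --remote-cert-eku (quoted in the first post) and the rules in the summary above, worked through as an added example that is not from this thread or from OpenVPN: it encodes key-usage names as the DER BIT STRING a certificate carries, decodes that into the value OpenVPN logs ("key usage 00a0"), and applies the expected lists 80 08 88 (client) and a0 88 (server) together with the EKU string. The sample extensions, the DER helpers and the exact-match comparison (modelled on the log line "has key usage 00a0, expects 00a0" quoted by krzee) are this example's own assumptions.

```python
"""Added example: the key-usage / extended-key-usage test that
--remote-cert-tls expands to, applied to constructed sample extensions.
Not OpenVPN code; the comparison rule and samples are assumptions."""

# RFC 5280 KeyUsage bit numbers.  Bit 0 is the most significant bit of the
# first byte of the BIT STRING, which is why digitalSignature alone is 0x80,
# keyEncipherment is 0x20 and keyAgreement is 0x08.
KU_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7,
}

# Expansion of --remote-cert-tls quoted from the manual:
#   client: --remote-cert-ku 80 08 88  --remote-cert-eku "TLS Web Client Authentication"
#   server: --remote-cert-ku a0 88     --remote-cert-eku "TLS Web Server Authentication"
REMOTE_CERT_TLS = {
    "client": ((0x80, 0x08, 0x88), "TLS Web Client Authentication"),
    "server": ((0xa0, 0x88), "TLS Web Server Authentication"),
}


def ku_to_der(names):
    """Encode KeyUsage names (as written in openssl.cnf) as the DER BIT STRING
    stored in the certificate: tag 0x03, length, unused-bit count, data.
    Constructed for this example; only the first data byte is modelled."""
    byte = 0
    for name in names:
        byte |= 0x80 >> KU_BITS[name]
    if byte == 0:
        return bytes([0x03, 0x01, 0x00])
    unused = 0                      # DER drops trailing zero bits
    while not (byte >> unused) & 1:
        unused += 1
    return bytes([0x03, 0x02, unused, byte])


def ku_from_der(der):
    """Decode that BIT STRING into the number OpenVPN logs, e.g. 0x00a0."""
    if len(der) < 3 or der[0] != 0x03 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed KeyUsage BIT STRING")
    data = der[3:]                  # der[2] is the unused-bit count
    value = 0
    for i in range(8):              # named bit i -> 1 << (7 - i)
        if data and data[0] & (0x80 >> i):
            value |= 1 << (7 - i)
    return value


def ku_names(value):
    """Names of the bits set in a decoded key-usage value."""
    return [n for n, bit in KU_BITS.items() if value & (0x80 >> bit)]


def check_remote_cert_tls(mode, ku_der, ekus):
    """Apply the test that --remote-cert-tls <mode> expands to.
    Returns (ku_ok, eku_ok, log_line).  The key-usage value must equal one of
    the listed values exactly; this mirrors the quoted log ("has key usage
    00a0, expects 00a0") and is an assumption of this example."""
    expected_kus, expected_eku = REMOTE_CERT_TLS[mode]
    ku = ku_from_der(ku_der)
    ku_ok = ku in expected_kus
    eku_ok = expected_eku in ekus
    log_line = ("key usage %04x (%s), expects %s: %s; EKU %s, expects %r: %s"
                % (ku, ", ".join(ku_names(ku)) or "none",
                   " ".join("%02x" % k for k in expected_kus),
                   "OK" if ku_ok else "FAIL", ekus, expected_eku,
                   "OK" if eku_ok else "FAIL"))
    return ku_ok, eku_ok, log_line


# Constructed sample extensions (only the two fields the test reads).
SAMPLE_CERTS = {
    # from the quoted [ server ] section: a0 + serverAuth
    "server": (ku_to_der(["digitalSignature", "keyEncipherment"]),
               ["TLS Web Server Authentication"]),
    # from the quoted [ usr_cert ] section: 80 + clientAuth
    "client": (ku_to_der(["digitalSignature"]),
               ["TLS Web Client Authentication"]),
    # right EKU, but digitalSignature alone (80) is neither a0 nor 88
    "server_weak_ku": (ku_to_der(["digitalSignature"]),
                       ["TLS Web Server Authentication"]),
}


def demo():
    """Check every sample cert against both modes.
    Returns {cert: {mode: (ku_ok, eku_ok)}}."""
    return {cert: {mode: check_remote_cert_tls(mode, ku_der, ekus)[:2]
                   for mode in REMOTE_CERT_TLS}
            for cert, (ku_der, ekus) in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for cert, (ku_der, ekus) in SAMPLE_CERTS.items():
        for mode in REMOTE_CERT_TLS:
            print("%-15s remote-cert-tls %-6s %s"
                  % (cert, mode, check_remote_cert_tls(mode, ku_der, ekus)[2]))
```

Running it shows the two cases this thread turns on: a client certificate presented as a server fails both the KU and the EKU test (the impersonation case the HOWTO warns about), and a certificate with the right server EKU but only digitalSignature in its key usage still fails `remote-cert-tls server`, because 80 is not one of a0 or 88.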
