Changes between Version 8 and Version 9 of Openvpn24ManPage
- Timestamp:
- 03/22/17 14:25:45 (7 years ago)
Openvpn24ManPage
v8 v9 342 342 persist-tun 343 343 pkcs12 client.p12 344 ns-cert-typeserver344 remote-cert-tls server 345 345 verb 3 346 346 </B></PRE> … … 3340 3340 process. 3341 3341 <P> 3342 The 3343 <B>module-pathname</B> 3344 3345 argument can be just a filename or a filename with a relative 3346 or absolute path. The format of the filename and path defines 3347 if the plug-in will be loaded from a default plug-in directory 3348 or outside this directory. 3349 <P> 3350 <PRE> 3351 <B>--plugin path Effective directory used</B> 3352 ==================================================== 3353 myplug.so DEFAULT_DIR/myplug.so 3354 subdir/myplug.so DEFAULT_DIR/subdir/myplug.so 3355 ./subdir/myplug.so CWD/subdir/myplug.so 3356 /usr/lib/my/plug.so /usr/lib/my/plug.so 3357 </PRE> 3358 3359 <P> 3360 DEFAULT_DIR is replaced by the default plug-in directory, 3361 which is configured at the build time of OpenVPN. CWD is the 3362 current directory where OpenVPN was started or the directory 3363 OpenVPN have swithed into via the 3364 3365 option before the 3366 3367 option. 3368 <P> 3342 3369 For more information and examples on how to build OpenVPN 3343 3370 plug-in modules, see the README file in the … … 4839 4866 description of the OpenVPN challenge/response protocol. 4840 4867 4841 <DT><B>--server-poll-timeout n</B> 4842 4843 <DD> 4844 <B>--connect-timeout n</B> 4845 4846 when connecting to a remote server do not wait for more than 4868 <DT><B>--server-poll-timeout n</B>, <B>--connect-timeout n</B><DD> 4869 When connecting to a remote server do not wait for more than 4847 4870 <B>n</B> 4848 4871 … … 6473 6496 options can be defined to track multiple attributes. 6474 6497 6475 <DT><B>--ns-cert-type client|server</B> 6476 6477 <DD> 6498 <DT><B>--ns-cert-type client|server (DEPRECATED)</B> 6499 6500 <DD> 6501 This option is deprecated. Use the more modern equivalent 6502 <B>--remote-cert-tls</B> 6503 6504 instead. This option will be removed in OpenVPN 2.5. 
6505 <P> 6478 6506 Require that peer certificate was signed with an explicit 6479 6507 <B>nsCertType</B> … … 6506 6534 6507 6535 6508 <DT><B>--remote-cert-ku v...</B>6536 <DT><B>--remote-cert-ku [v...]</B> 6509 6537 6510 6538 <DD> … … 6513 6541 6514 6542 <P> 6543 If present in the certificate, the keyUsage value is validated by the TLS 6544 library during the TLS handshake. Specifying this option without arguments 6545 requires this extension to be present (so the TLS library will verify it). 6546 <P> 6547 If the list 6548 <B>v...</B> 6549 6550 is also supplied, the keyUsage field must have 6551 <B>at least</B> 6552 6553 the same bits set as the bits in 6554 <B>one of</B> 6555 6556 the values supplied in the list 6557 <B>v...</B> 6558 6559 <P> 6560 The key usage values in the list must be encoded in hex, e.g. 6561 "--remote-cert-ku a0" 6562 6563 <DT><B>--remote-cert-eku oid</B> 6564 6565 <DD> 6566 Require that peer certificate was signed with an explicit 6567 <B>extended key usage.</B> 6568 6569 <P> 6515 6570 This is a useful security option for clients, to ensure that 6516 6571 the host they connect to is a designated server. 6517 6572 <P> 6518 The key usage should be encoded in hex, more than one key6519 usage can be specified.6520 6521 <DT><B>--remote-cert-eku oid</B>6522 6523 <DD>6524 Require that peer certificate was signed with an explicit6525 <B>extended key usage.</B>6526 6527 <P>6528 This is a useful security option for clients, to ensure that6529 the host they connect to is a designated server.6530 <P>6531 6573 The extended key usage should be encoded in oid notation, or 6532 6574 OpenSSL symbolic representation. … … 6543 6585 based on RFC3280 TLS rules. 6544 6586 <P> 6545 This is a useful security option for clients, to ensure that 6546 the host they connect to is a designated server. 6587 This is a useful security option for clients, to ensure that the host they 6588 connect to is a designated server. 
Or the other way around; for a server to 6589 verify that only hosts with a client certificate can connect. 6547 6590 <P> 6548 6591 The … … 6550 6593 6551 6594 option is equivalent to 6552 <B>--remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"</B> 6553 6554 <P> 6555 The key usage is digitalSignature and/or keyAgreement. 6595 <B>--remote-cert-ku --remote-cert-eku "TLS Web Client Authentication"</B> 6596 6556 6597 <P> 6557 6598 The … … 6559 6600 6560 6601 option is equivalent to 6561 <B>--remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication"</B> 6562 6563 <P> 6564 The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). 6602 <B>--remote-cert-ku --remote-cert-eku "TLS Web Server Authentication"</B> 6603 6565 6604 <P> 6566 6605 This is an important security precaution to protect against … … 7104 7143 <DD> 7105 7144 Ask Windows to release the TAP adapter lease on shutdown. 7106 This option has the same caveats as 7107 <B>--dhcp-renew</B> 7108 7109 above. 7145 This option has no effect now, as it is enabled by default starting with version 2.4.1. 7110 7146 7111 7147 <DT><B>--register-dns</B> … … 8970 9006 <A HREF="/cgi-bin/man/man2html">man2html</A>, 8971 9007 using the manual pages.<BR> 8972 Time: 1 2:41:06 GMT, December 27, 20169008 Time: 14:20:48 GMT, March 22, 2017 8973 9009 }}}
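Review bot: In the --plugin hunk (new lines 3360-3367), the sentence that defines CWD has lost both option names and reads "via the option before the option", so a reader cannot tell which directory change affects plug-in resolution. Restore the two option names and correct "OpenVPN have swithed into" to "OpenVPN has switched into". Since only the ./ and absolute forms in the table resolve outside DEFAULT_DIR, it would help to say that in one sentence, because those are the entries an administrator has to audit.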
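Review bot: In the --ns-cert-type hunk (new lines 6501-6504), calling --remote-cert-tls the "more modern equivalent" overstates the match: the retained text says this option checks the nsCertType designation, while --remote-cert-tls is described further down as checking key usage and extended key usage. Suggest wording such as "Use --remote-cert-tls instead" and adding that the peer certificate must carry the key usage and extended key usage extensions for the replacement to pass.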
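Review bot: In the --remote-cert-ku hunk (new lines 6543-6561), the matching rule is split across several bold fragments and ends without a period after the last "v...", and the only example, "--remote-cert-ku a0", is not decoded. The lines removed further down were the only place that mapped hex values to named usages (digitalSignature, keyEncipherment, keyAgreement). Keep a short mapping here and add one sentence stating that a certificate with additional bits set still matches, since that is what "at least" implies.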
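Review bot: In the --remote-cert-tls hunks (new lines 6595 and 6602), the equivalence changes from explicit values ("80 08 88" for client, "a0 88" for server) to a bare --remote-cert-ku, and both sentences naming the required usages are deleted without replacement. According to the new --remote-cert-ku text, the bare form only requires the extension to be present and leaves validation to the TLS library, so this changes what is checked and not just how it is worded. State that next to the equivalence so operators who relied on the old bit checks know to pass values to --remote-cert-ku themselves. The added "Or the other way around; for a server to verify ..." is also a fragment and should be joined to the preceding sentence.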
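Review bot: In the --dhcp-release hunk (new line 7145), the pointer to the --dhcp-renew caveats is dropped in the same change that makes the behaviour the default. If those caveats still apply, they now affect every Windows user from 2.4.1 on and the reference should stay. "Has no effect now" should also say what the option does on 2.4.0, since this page documents the whole 2.4 series.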