To make matters worse, it turns out that some OpenVPN implementations (e.g. the one in GNOME NetworkManager) strip out the deprecated option when importing a config file, effectively removing the MITM protection from the .ovpn files currently generated by Sonic's server.
I've reviewed this with their support again. The AS server uses the old deprecated Netscape Cert Types, and you'll note that the client certificate has this flag set in the X509v3 extensions:
$ openssl x509 -in /tmp/c -text
X509v3 Basic Constraints:
Netscape Cert Type:
When combined with the "ns-cert-type server" directive, this provides protection from MitM attacks. It does not make sense for NetworkManager to strip out any options, particularly this one. This is a security bug and should be taken to the vendor. As noted by their wiki: "Important note: some OpenVPN configs rely on the deprecated "Netscape" cert attribute called nsCertType."
I can't comment on why the AS server uses these older options instead of the newer ones you've mentioned.
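An added example, not part of either post above and not Sonic's or OpenVPN's own code: a small audit script that tells you whether a .ovpn file still carries a server-role check after import. It distinguishes the deprecated `ns-cert-type server` directive (the one some importers drop) from its modern replacements `remote-cert-tls` / `remote-cert-eku` / `remote-cert-ku`, and can rewrite the deprecated form to `remote-cert-tls`. The sample configs are constructed for illustration; the hostname is a placeholder.

```python
"""Audit OpenVPN client configs for a server-certificate role check.

Added example, not from the original thread. Without one of these directives
a VPN "server" presenting any valid certificate from the same CA (for example
a client certificate) is accepted, which is the MitM exposure the thread is
about. Sample configs below are constructed, not taken from any real file.
"""
import re

# ns-cert-type relies on the Netscape Cert Type extension (deprecated);
# remote-cert-tls/eku/ku rely on keyUsage / extendedKeyUsage instead.
DEPRECATED = {"ns-cert-type"}
MODERN = {"remote-cert-tls", "remote-cert-eku", "remote-cert-ku"}


def parse_directives(text):
    """Return [(directive, [args])] from an OpenVPN config.

    Comments, blank lines and the bodies of inline <ca>...</ca>-style
    blocks (embedded certificates/keys) are skipped so that text inside a
    PEM blob is never mistaken for a directive."""
    directives = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if re.match(r"^</\w+>$", line):      # end of inline block
            in_block = False
            continue
        if re.match(r"^<\w+>$", line):       # start of inline block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Classify the config's server-role check.

    'modern'     - remote-cert-tls/eku/ku present (survives importers that
                   drop ns-cert-type)
    'deprecated' - only ns-cert-type present
    'none'       - no server-role check at all: MitM exposure
    """
    names = {d for d, _ in parse_directives(text)}
    if names & MODERN:
        return "modern"
    if names & DEPRECATED:
        return "deprecated"
    return "none"


def modernize(text):
    """Rewrite 'ns-cert-type server|client' to 'remote-cert-tls server|client'.

    remote-cert-tls requires the peer certificate to carry the matching
    keyUsage and extendedKeyUsage (serverAuth for 'server'), so confirm the
    CA issues certificates with those extensions before relying on it."""
    out = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)ns-cert-type\s+(server|client)\s*$", raw)
        out.append(f"{m.group(1)}remote-cert-tls {m.group(2)}" if m else raw)
    return "\n".join(out) + "\n"


# Constructed sample: what a generated profile with the deprecated check
# might look like (placeholder host, placeholder PEM body).
SAMPLE_DEPRECATED = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
; deprecated, dropped by some importers
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: the same profile after an importer stripped the line.
SAMPLE_STRIPPED = SAMPLE_DEPRECATED.replace("ns-cert-type server\n", "")

if __name__ == "__main__":
    print("generated profile:", audit(SAMPLE_DEPRECATED))
    print("after import:     ", audit(SAMPLE_STRIPPED))
    print("modernized:       ", audit(modernize(SAMPLE_DEPRECATED)))
```

Run it against a real profile with `audit(open("client.ovpn").read())`; a result of `"none"` on an imported profile is the failure mode described above.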