"use remote-cert-tls instead" error in VPN


hi,

very confused about this in 9.501

Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"

Fix [NUTM-7448]: [Access & Identity] SSLVPN: download of configuration for windows should use tls-remote option

The config file you then download has tls-remote; however, this does NOT work at all with the latest OpenVPN client (it errors out), where you need to replace tls-remote (as it's long been deprecated) with "verify-x509-name", thus rendering the download option for clients in the userportal useless.

What got fixed now? Did tls-remote finally get deprecated in UTM and properly replaced, but then get overridden by NUTM-7448?

Anyway, that option has not worked with the OpenVPN client for a very long time.

Or is there a fix (workaround :) ) so I can give users a proper, working config file to download in the userportal?

You have tls-version-min 1.2 in your configuration file, so you are using TLS. It appears that your logging tool is simply referring to SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 all as simply "SSL". This is technically incorrect, but it's very common. You don't have to worry about SSL-specific vulnerabilities in your application just because the protocol itself has been labeled as SSL.

If you just want a quick and dirty way to get rid of the error, just change your client config file to not use ns-cert-type, and use the remote-cert-tls server entry.

So edit your client's config, replacing

ns-cert-type server

with

remote-cert-tls server

You then should get this when you connect

Fri Apr 28 11:16:26 2017 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
Fri Apr 28 11:16:26 2017 VERIFY KU OK
Fri Apr 28 11:16:26 2017 Validating certificate extended key usage
Fri Apr 28 11:16:26 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 28 11:16:26 2017 VERIFY EKU OK
Fri Apr 28 11:16:26 2017 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
Fri Apr 28 11:16:26 2017 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
Fri Apr 28 11:16:27 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

This is what I did; I don't like errors and such in my connection logs either ;) hehehe

But as already mentioned, it's not really an issue. But if you're giving config files to lots of users, etc., then it might be a hassle to either edit the configs before giving them out or have the users do it. Sure, they will fix it up soon enough.

Thanks a lot. It clarifies the first aspect of the issue. I had a close look at the easy-rsa scripts, and I am now able to add keyUsage and extendedKeyUsage information.

Now, the final step is to know what to include to match the "remote-cert-tls server" on the client side and "remote-cert-tls client" on the server side. Do you know which settings I should use for keyUsage and extendedKeyUsage to match the remote-cert-tls settings?

Thank you!

You can look at the easy-rsa-2.0 openssl.cnf file.

"Sure, here's what's wrong: the easy RSA scripts do not produce certs that can be used with the 'remote-cert-tls' features. The reason is that they do not specify the 'key usage' or 'extended key usage' attributes."

I don't personally use easyRSA anymore, so I can't say what you would do to change it, but I would suspect it's the configuration file created by init-config that you would have to modify.

I believe that the easy-rsa-2.0 was updated to issue certificates correctly.

Alon.

Hi,

thanks to the support of Alon and Dave, it's working now.

easy-rsa2.0 is not provided with the standard download of OpenVPN. I had to look into the source code to find which settings to put in keyUsage and extendedKeyUsage. I modified the easy-rsa (the one provided in the download package) in this way:

Modify openssl.cnf.sample:

-> add in [usr_cert]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

-> add in [server]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment

Then I used the standard procedure to generate the server and client keys.

A modification of the How-To on the OpenVPN pages, showing these changes, would help non-experts like me properly configure these certificates. I hope this post will help more people, as there is a solution posted now.

Thanks again!

I just tried to update the Windows build for the new OpenSSL with this. But I see that the install script takes the openssl.cnf from easy-rsa-2.0, which already contains these variables. Are you sure you had to add this to OpenVPN installed using the latest installer?

Date: Thu, 25 Sep 2008 21:24:11 +0300 Subject: Re: [Openvpn-users] "remote-cert-tls server" does not work

Hi Alon,

I downloaded the OpenVPN 2.1_rc12 Windows Installer executable. I do not see anything with rsa2.0 in the install dir.

Look at the openssl.cnf.sample; it should already contain the values you added.

Date: Tue, 7 Oct 2008 23:43:15 +0300 Subject: Re: [Openvpn-users] "remote-cert-tls server" does not work

Hi Alon,

I had a look, and the openssl.sample does contain "something" indeed, but it must not be the right settings, as it did not work by default.

in [usr_cert] (called by default):

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This is commented out, so remote-cert-tls client will not work.

in [v3_req] (not used, from what I see):

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

And they are quite different from what is needed for remote-cert-tls (at least from what I found in easy_rsa2.0).

So what I did, looking in easy_rsa2.0:

in [usr_cert] (called by default)
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

in [server] (called when signing the server certificate)
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment

That way remote-cert-tls server and remote-cert-tls client are working, which was not the case with the default openssl.sample settings.

Anyway, it's working now. If others can make it work with the default settings, good for them; otherwise there is a solution posted here.
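As an added example (not code from the thread or from easy-rsa), the script below issues a throwaway CA, a server certificate with the [server] extensions and a client certificate with the [usr_cert] extensions settled on above, plus one certificate with neither, and then applies the same acceptance rule that remote-cert-tls uses (matching extendedKeyUsage plus a keyUsage with digitalSignature or keyEncipherment) to show which certificates pass. It assumes the openssl CLI is on the PATH; the CA name and subjects are constructed.

```shell
# Added example, not code from the thread. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension sections with the exact values the thread added to easy-rsa's
# openssl.cnf, plus a [bare] section that sets no keyUsage/extendedKeyUsage.
cat > ext.cnf <<'EOF'
[usr_cert]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
[server]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[bare]
basicConstraints = CA:FALSE
EOF

# Throwaway CA (constructed for this example)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=example-ca -days 1 >/dev/null 2>&1

# issue NAME SECTION: key + CSR for NAME, signed by the CA with SECTION's extensions
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile ext.cnf -extensions "$2" -out "$1.crt" >/dev/null 2>&1
}
issue server server    # what "remote-cert-tls server" on the client expects
issue client usr_cert  # what "remote-cert-tls client" on the server expects
issue legacy bare      # no KU/EKU: the default easy-rsa output the thread hit

# check_remote_cert_tls CERT server|client
# Same rule OpenVPN applies for remote-cert-tls: the peer cert must carry the
# matching extendedKeyUsage and a keyUsage with digitalSignature or
# keyEncipherment. Returns 0 when the cert would be accepted, 1 otherwise.
check_remote_cert_tls() {
    case "$2" in
        server) eku='TLS Web Server Authentication' ;;
        client) eku='TLS Web Client Authentication' ;;
        *) return 1 ;;
    esac
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q "$eku" || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' |
        grep -Eq 'Digital Signature|Key Encipherment' || return 1
}
```

Running `check_remote_cert_tls legacy.crt server` reproduces the rejection the thread describes, while the certificates issued with the [server] and [usr_cert] sections pass the matching check.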