Error "use remote-cert-tls instead" in VPN
Hi, very confused about this in 9.501:

Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"
Fix [NUTM-7448]: [Access & Identity] SSLVPN: download of configuration for windows should use tls-remote option

The config file you then download has tls-remote; however, this does NOT work at all with the latest OpenVPN client (errors out), where you need to replace tls-remote (as it has been deprecated for a long time) with "verify-x509-name", thus rendering the download option for clients in the user portal useless. What got fixed now? tls-remote finally got deprecated in UTM and properly replaced, but then overridden by NUTM-7448? Anyway, since very long ago that option no longer works with the OpenVPN client. Or is there a fix (workaround :) ) so I can have users download a proper config file that works from the user portal?

If you just want a quick and dirty way to get rid of the error, just change your client config file to not use ns-cert-type, and use the remote-cert-tls server entry.
So edit your client's config:

    ns-cert-type server -> remote-cert-tls server

You then should get this when you connect:

    Fri Apr 28 11:16:26 2017 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
    Fri Apr 28 11:16:26 2017 VERIFY KU OK
    Fri Apr 28 11:16:26 2017 Validating certificate extended key usage
    Fri Apr 28 11:16:26 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Fri Apr 28 11:16:26 2017 VERIFY EKU OK
    Fri Apr 28 11:16:26 2017 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
    Fri Apr 28 11:16:26 2017 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
    Fri Apr 28 11:16:27 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

This is what I did; I don't like errors and such in my connection logs either ;) hehehe. But as already mentioned, it's not really an issue. But if you're giving config files to lots of users, etc., then it might be a hassle to either edit the configs before giving them out or having them do it. Sure they will fix it up soon enough.

Thanks a lot. It clarifies the first aspect of the issue. I had a close look at the easy-rsa scripts, and I am now able to add keyUsage and extendedKeyUsage information. Now, the final step is to know what to include to match the "remote-cert-tls server" on the client side and "remote-cert-tls client" on the server side. Do you know which settings I should use for keyUsage and extendedKeyUsage to match the remote-cert-tls settings? Thank you!

You can look at the easy-rsa-2.0 openssl.cnf file.
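The two directive swaps discussed in this thread (ns-cert-type server to remote-cert-tls server, and tls-remote to verify-x509-name from the opening question) are quick to apply to one file but tedious across the configs of many users. The script below is an added example, not code from the thread or from any of the projects mentioned. It rewrites those directives in a .ovpn file, leaves inline blocks such as <ca> ... </ca> untouched, and then scans a connection log for the VERIFY KU OK / VERIFY EKU OK lines shown in the post above. The sample config is constructed; mapping a tls-remote value to the verify-x509-name "name" match type (or "subject" when the value looks like a full DN) is an assumption, so compare the resulting line with the server certificate before handing the file out.

```python
"""Rewrite deprecated OpenVPN client directives and check the resulting log.

Added example for this thread (not the thread's own code). Handles the two
swaps discussed on the page:
    ns-cert-type server  ->  remote-cert-tls server
    tls-remote NAME      ->  verify-x509-name NAME name
The "name" match type for verify-x509-name is an assumption (tls-remote
matched the CN); a value that looks like a full DN (leading "/") is mapped
to the "subject" match type instead.
"""
import re
import shlex
from typing import Dict, List, Tuple

INLINE_TAG_RE = re.compile(r"^<([a-z0-9-]+)>$")


def _quote(value: str) -> str:
    """OpenVPN config values containing whitespace must be double-quoted."""
    return f'"{value}"' if any(c.isspace() for c in value) else value


def migrate_line(line: str) -> str:
    """Return the line with a deprecated directive replaced, or unchanged."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", ";")):
        return line
    try:
        parts = shlex.split(stripped)
    except ValueError:
        return line  # unbalanced quotes: leave it for a human to look at
    if len(parts) != 2:
        return line
    directive, value = parts
    if directive == "ns-cert-type":
        return f"remote-cert-tls {value}"
    if directive == "tls-remote":
        match_type = "subject" if value.startswith("/") else "name"
        return f"verify-x509-name {_quote(value)} {match_type}"
    return line


def migrate_config(text: str) -> Tuple[str, List[str]]:
    """Rewrite a whole .ovpn file; returns (new_text, list of changes).

    Lines inside inline blocks such as <ca> ... </ca> are never touched.
    """
    out: List[str] = []
    changes: List[str] = []
    inline_tag = None
    for line in text.splitlines():
        stripped = line.strip()
        if inline_tag:
            out.append(line)
            if stripped == f"</{inline_tag}>":
                inline_tag = None
            continue
        m = INLINE_TAG_RE.match(stripped)
        if m:
            inline_tag = m.group(1)
            out.append(line)
            continue
        new = migrate_line(line)
        if new != line:
            changes.append(f"{stripped} -> {new}")
        out.append(new)
    return "\n".join(out) + "\n", changes


# After the swap, OpenVPN logs these when it checks the server certificate's
# key usage and extended key usage (see the connection log in the post).
VERIFY_MARKERS = ("VERIFY KU OK", "VERIFY EKU OK")


def cert_usage_verified(log: str) -> Dict[str, bool]:
    """Map each expected VERIFY marker to whether it appears in the log."""
    lines = log.splitlines()
    return {marker: any(marker in ln for ln in lines) for marker in VERIFY_MARKERS}


# Constructed sample client config carrying both deprecated directives.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# old-style server certificate checks
ns-cert-type server
tls-remote "openvpn"
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""

# Lines taken from the connection log quoted in the post above.
SAMPLE_LOG = """\
Fri Apr 28 11:16:26 2017 VERIFY KU OK
Fri Apr 28 11:16:26 2017 Validating certificate extended key usage
Fri Apr 28 11:16:26 2017 VERIFY EKU OK
"""

if __name__ == "__main__":
    new_text, changed = migrate_config(SAMPLE_CONFIG)
    print(new_text)
    for c in changed:
        print("changed:", c)
    print(cert_usage_verified(SAMPLE_LOG))
```

Run it once over a copy of the user-portal config and diff the output; the list returned alongside the new text is what you would put in the change note for users.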
" Sure, here's what's wrong: the easy RSA scripts do not produce certs that can be used with the 'remote-cert-tls' features. The reason is that they do not specify the 'key usage' or 'extended key usage' attributes. " Hi Dave, thanks a lot. It clarifies the first aspect of the issue. I had a close look to the easy-rsa scripts, and I am now able to add keyUsage and extendedKeyUsage information. Now, the final step is to know what to include to match the "remote-cert-tls server" on the client side and "remote-cert-tls client" on the server side. Do you know which settings I should use for keyUsage and extendedKeyUsage to match the remote-cert-tls settings ? Thank you ! ________________________________ Discutez sur Messenger où que vous soyez ! Mettez Messenger sur votre mobile ! --------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Openvpn-users mailing list https://lists.sourceforge.net/lists/listinf I don't personally use easyRSA anymore, so I can't say what you would do to change it, but I would suspect it's in the configuration file created by init-config where you would have to modify. I believe that the easy-rsa-2.0 was updated to issue certificates correctly. Alon. Hi, thanks to the support of Alon and Dave, it's working now. easy-rsa2.0 is not provided with the standard download of OpenVPN. I had to look into the source code to find which settings to put to the keyUsage and extendedKeyUsage. 
I modified the easy-rsa (the one provided in the download package) in this way: modify openssl.cnf.sample:

add in [usr_cert]:

    extendedKeyUsage = clientAuth
    keyUsage = digitalSignature

add in [server]:

    extendedKeyUsage = serverAuth
    keyUsage = digitalSignature, keyEncipherment

then used the standard procedure to generate the server and client keys. A modification of the How-To on the OpenVPN pages, showing these modifications, would help non-experts like me to properly configure these certificates. I hope this post will help more people as there is a solution posted now. Thanks again!

I just tried to update the Windows build for the new OpenSSL with this. But I see that the install script takes the openssl.cnf from easy-rsa-2.0, which already contains these variables. Are you sure you had to add this to OpenVPN installed using the latest installer?
> Date: Thu, 25 Sep 2008 21:24:11 +0300
> Subject: Re: [Openvpn-users] "remote-cert-tls server" does not work
> I believe that easy-rsa-2.0 was updated to issue certificates correctly. Alon.
> Openvpn-users mailing list: https://lists.sourceforge.net/lists/listinfo/openvpn-users

Hi Alon, I downloaded the OpenVPN 2.1_rc12 Windows Installer executable. I do not see anything with rsa2.0 in the install dir.

Look at the openssl.cnf.sample; it should already contain the values you added.

> Date: Tue, 7 Oct 2008 23:43:15 +0300
> Subject: Re: [Openvpn-users] "remote-cert-tls server" does not work
> I just tried to update the Windows build for the new OpenSSL with this. Are you sure you had to add this to OpenVPN installed using the latest installer?
Hi Alon, I had a look, and the openssl.cnf.sample contains "something" indeed, but they must not be the right settings, as it did not work by default.
In [usr_cert] (called by default):

    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This is commented out, so remote-cert-tls client will not work.

[v3_req] (not used from what I see):

    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

and they are quite different from what is needed for remote-cert-tls (at least from what I found in easy-rsa 2.0).

So what I did, looking in easy-rsa 2.0:

in [usr_cert] (called by default):

    extendedKeyUsage = clientAuth
    keyUsage = digitalSignature

in [server] (called when signing the server certificate):

    extendedKeyUsage = serverAuth
    keyUsage = digitalSignature, keyEncipherment

That way remote-cert-tls server and remote-cert-tls client are working, which was not the case with the default openssl.cnf.sample settings. Anyway, it's working now. If others can make it work with the default settings, good for them; otherwise there is a solution posted here.
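To check an easy-rsa openssl.cnf for the keyUsage/extendedKeyUsage settings this thread settles on before issuing any certificates, here is an added Python example (not code from the thread, easy-rsa or OpenVPN). It parses the OpenSSL config format far enough to read the [usr_cert] and [server] sections and reports what remote-cert-tls would find missing, including the failure mode described in the last post, where keyUsage exists only as a commented-out line. Both sample configs are constructed to mirror the thread's description of the default sample and of the fixed file; the section names and required values are the ones given in the posts.

```python
"""Lint an easy-rsa openssl.cnf for the extensions remote-cert-tls needs.

Added example for this thread (not easy-rsa's or OpenVPN's own code). It
reads just enough of the OpenSSL config format to inspect the [usr_cert]
and [server] sections and reports what would stop "remote-cert-tls client"
(on the server) or "remote-cert-tls server" (on the client) from passing.
"""
import re
from typing import Dict, List, Set, Tuple

# Values the thread settled on: client certs need EKU clientAuth and KU
# digitalSignature; server certs need EKU serverAuth and KU
# digitalSignature + keyEncipherment.
REQUIRED: Dict[str, Dict[str, Set[str]]] = {
    "usr_cert": {"extendedKeyUsage": {"clientAuth"},
                 "keyUsage": {"digitalSignature"}},
    "server": {"extendedKeyUsage": {"serverAuth"},
               "keyUsage": {"digitalSignature", "keyEncipherment"}},
}

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
COMMENTED_KEY_RE = re.compile(r"^#\s*([A-Za-z_.]+)\s*=")


def parse_openssl_cnf(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, Set[str]]]:
    """Return ({section: {key: value}}, {section: keys seen only in comments}).

    Keys before the first [section] go into OpenSSL's unnamed default section.
    Trailing "# ..." comments are stripped from values.
    """
    sections: Dict[str, Dict[str, str]] = {}
    commented: Dict[str, Set[str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = COMMENTED_KEY_RE.match(line)
            if m:
                commented.setdefault(current, set()).add(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            value = value.split("#", 1)[0].strip()
            sections.setdefault(current, {})[key.strip()] = value
    return sections, commented


def usage_set(value: str) -> Set[str]:
    """'critical, digitalSignature, keyEncipherment' -> the usage names."""
    return {v.strip() for v in value.split(",") if v.strip() and v.strip() != "critical"}


def check_remote_cert_tls(text: str) -> List[str]:
    """List every gap between the config and REQUIRED; empty means OK."""
    sections, commented = parse_openssl_cnf(text)
    problems: List[str] = []
    for section, wanted in REQUIRED.items():
        present = sections.get(section)
        if present is None:
            problems.append(f"[{section}] section missing")
            continue
        for key, needed in wanted.items():
            if key not in present:
                hint = (" (present only as a comment)"
                        if key in commented.get(section, set()) else "")
                problems.append(f"[{section}] {key} not set{hint}")
                continue
            missing = needed - usage_set(present[key])
            if missing:
                problems.append(f"[{section}] {key} lacks {', '.join(sorted(missing))}")
    return problems


# Constructed to mirror the default openssl.cnf.sample as described above:
# keyUsage only as a comment in [usr_cert], no EKU, no [server] section.
DEFAULT_SAMPLE = """\
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email, objsign
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
"""

# Constructed to mirror the fixed file from the thread.
FIXED_SAMPLE = """\
[ usr_cert ]
basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

[ server ]
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
"""

if __name__ == "__main__":
    for name, cnf in (("default", DEFAULT_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(name, check_remote_cert_tls(cnf) or ["OK"])
```

The check only looks at the config, so a certificate that was already signed with the old settings still needs to be reissued; the linter tells you whether the next signing run will produce usable certificates, not whether the existing ones are.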