View Revisions: Issue #21401
Summary | 0021401: OpenVPN deprecated parameters
Revision | 2018-09-07 03:49 by NickH
Description | From our configs there are two deprecated parameters, comp-lzo and "ns-cert-type server". See https://community.openvpn.net/openvpn/wiki/DeprecatedOptions.

It is not known when comp-lzo will be removed. It can directly be replaced with "compress lzo" in both the client and server configs, but better would be to change the server configs to:

compress lz4
push "compress lz4"

and the client config to:

compress

This appears to be backwards compatible with existing Windows, Linux and Android v2.4 clients. This has not been tested with older clients, but I would expect changing "comp-lzo" to "compress lzo" in the current server config and new client configs to be safe.

The big issue is "ns-cert-type", which will disappear in OpenVPN 2.5 (timing unknown). If used in 2.5, it will be remapped to "remote-cert-tls", which will then fail because the sys-0-pem does not contain the required extended key usage of "TLS Web Server Authentication". The solution in the short term is to regenerate the sys-0-pem with the additional EKU. Longer term, "ns-cert-type server" should also be changed to "remote-cert-tls server" in the client configs, but not until the certificate change is made.

In the client logs the error with "remote-cert-tls server" is:

Fri Sep 07 10:22:51 2018 VERIFY OK: depth=1, C=GB, L=Petersfield, O=ClearOS, OU=14 Upper Heyshott, CN=ca.server.howitts.lan, emailAddress=security@server.howitts.lan, O=Howitt Family, ST=Hampshire
Fri Sep 07 10:22:51 2018 VERIFY KU OK
Fri Sep 07 10:22:51 2018 Certificate does not have extended key usage extension
Fri Sep 07 10:22:51 2018 VERIFY EKU ERROR
Fri Sep 07 10:22:51 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Sep 07 10:22:51 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Sep 07 10:22:51 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 07 10:22:51 2018 TLS Error: TLS handshake failed
Fri Sep 07 10:22:51 2018 Fatal TLS error (check_tls_errors_co), restarting
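The log above shows exactly the failure mode of the migration: "VERIFY KU OK" passes because the old certificate has a usable keyUsage, then "VERIFY EKU ERROR" because "remote-cert-tls server" additionally requires extendedKeyUsage serverAuth, which a certificate issued for "ns-cert-type server" (Netscape nsCertType only) never needed. The script below is an added example, not ClearOS or OpenVPN project code. It uses the openssl CLI to build a throwaway CA and two server certificates, one shaped like the sys-0-pem described in the report (nsCertType=server, no EKU) and one regenerated with extendedKeyUsage=serverAuth, checks which of them would satisfy "remote-cert-tls server", and rewrites the deprecated options in a constructed client/server config. All file names, subjects and config contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the issue, ClearOS or OpenVPN): model the sys-0-pem
# problem and the option migration with a throwaway PKI. Requires the openssl CLI.
set -eu

# "remote-cert-tls server" requires EKU id-kp-serverAuth, which openssl prints as
# "TLS Web Server Authentication". Returns 0 if present, 1 otherwise.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# The deprecated "ns-cert-type server" check only looks at the Netscape
# nsCertType extension ("SSL Server" on the line after the extension name).
has_ns_cert_type_server() {
    openssl x509 -in "$1" -noout -text | awk '
        /Netscape Cert Type/ { getline; if ($0 ~ /SSL Server/) found = 1 }
        END { exit !found }'
}

# Build a demo CA and sign the same server CSR with two extension profiles:
# "legacy" mirrors the old sys-0-pem shape, "new" adds the EKU the report asks for.
make_test_pki() {  # $1 = output directory (assumed writable)
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.demo.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    printf 'keyUsage=digitalSignature,keyEncipherment\nnsCertType=server\n' > "$d/legacy.ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\nnsCertType=server\nextendedKeyUsage=serverAuth\n' > "$d/new.ext"
    for p in legacy new; do
        openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/$p.ext" -out "$d/server-$p.crt" >/dev/null 2>&1
    done
}

# Constructed client config in the shape the report describes (not a real ClearOS file).
write_legacy_client_config() {  # $1 = path
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.demo.test 1194
comp-lzo
ns-cert-type server
verb 3
EOF
}

# Rewrite the deprecated options: comp-lzo becomes "compress lz4" + push on the
# server and bare "compress" on the client; ns-cert-type becomes remote-cert-tls.
migrate_config() {  # $1 = config file, $2 = server|client; prints migrated config
    awk -v role="$2" '
        /^comp-lzo/ {
            if (role == "server") { print "compress lz4"; print "push \"compress lz4\"" }
            else { print "compress" }
            next
        }
        /^ns-cert-type server/ { print "remote-cert-tls server"; next }
        { print }' "$1"
}

# Demo driver: show which certificate the new check accepts, and only migrate the
# client to remote-cert-tls once a certificate with the EKU is actually in place.
T=$(mktemp -d)
make_test_pki "$T"
write_legacy_client_config "$T/client.ovpn"
for p in legacy new; do
    if has_server_eku "$T/server-$p.crt"; then
        echo "server-$p.crt: has serverAuth EKU, remote-cert-tls server will verify"
    else
        echo "server-$p.crt: no EKU (would log VERIFY EKU ERROR), keep ns-cert-type server"
    fi
done
if has_server_eku "$T/server-new.crt"; then
    migrate_config "$T/client.ovpn" client > "$T/client-new.ovpn"
    cat "$T/client-new.ovpn"
fi
```

Run it with any OpenSSL 1.1.1 or 3.x; the same has_server_eku check can be pointed at the deployed server certificate to confirm that the regeneration actually added the EKU before "remote-cert-tls server" is pushed to clients.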