ClearFoundation Tracker - ClearOS
View Issue Details
0021401ClearOSapp-openvpn - OpenVPNpublic2018-09-07 03:482019-02-23 21:00
8.0.0 Beta 1 
0021401: OpenVPN deprecated parameters
From our configs there are two deprecated parameters, comp-lzo and "ns-cert-type server". See [^]

It is not known when comp-lzo will be removed and it can directly be replaced with "compress lzo" in both the client and server configs, but better would be to change the server configs to:
    compress lz4
    push "compress lz4"

and the client config to:

This appears to be backwards compatible with existing Windows, linux and Android v2.4 clients.

This has not been tested with older clients but I would expect changing "comp-lzo" to "compress lzo" in the current server config and new client configs to be safe.

The big issue "ns-cert-type" which will disappear in OpenVPN 2.5 (timing unknown). If used in 2.5, it will be remapped to "remote-cert-tls" when it will fail because of the sys-0-pem not containing the required extended key usage of "TLS Web Server Authentication". The solution in the short term is to regenerate the sys-0-pem with the additional EKU. Longer term, "ns-cert-type server" should also be changed to "remote-cert-tls server" in the client configs, but not until the certificate change is made.

In the client logs the error with "remote-cert-tls server" is:
Fri Sep 07 10:22:51 2018 VERIFY OK: depth=1, C=GB, L=Petersfield, O=ClearOS, OU=14 Upper Heyshott, CN=ca.server.howitts.lan, emailAddress=security@server.howitts.lan, O=Howitt Family, ST=Hampshire
Fri Sep 07 10:22:51 2018 VERIFY KU OK
Fri Sep 07 10:22:51 2018 Certificate does not have extended key usage extension
Fri Sep 07 10:22:51 2018 VERIFY EKU ERROR
Fri Sep 07 10:22:51 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Sep 07 10:22:51 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Sep 07 10:22:51 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 07 10:22:51 2018 TLS Error: TLS handshake failed
Fri Sep 07 10:22:51 2018 Fatal TLS error (check_tls_errors_co), restarting
No tags attached.
Issue History
2018-09-07 03:48NickHNew Issue
2018-09-07 03:49NickHDescription Updatedbug_revision_view_page.php?rev_id=2251#r2251
2018-09-07 11:53NickHNote Added: 0007931
2018-09-07 18:04user2Statusnew => confirmed
2018-09-07 18:05user2Product Version7.6.0 => 7.5.0
2018-09-07 18:05user2Target Version => 7.5.0 Updates
2018-09-08 03:05NickHNote Added: 0007951
2018-10-30 14:27user2Target Version7.5.0 Updates => 7.6.0
2018-11-05 19:48user2SummaryOpenVPN Deprecated Parameters => OpenVPN deprecated parameters
2018-11-05 20:18user2Note Added: 0008491
2018-11-05 20:22user2Note Added: 0008501
2018-11-16 07:12user2Target Version7.6.0 => 8.0.0 Beta 1
2019-02-23 21:00dloperNote Added: 0010241
2019-02-23 21:00dloperStatusconfirmed => closed
2019-02-23 21:00dloperAssigned To => dloper
2019-02-23 21:00dloperResolutionopen => suspended

2018-09-07 11:53   
Note that the certificate issue could be triggered by a client update which is out of our control. This is especially so with Apple iOS/MacOS and Android products where you cannot ask the user to downgrade so we, ideally, should be ahead of the game.
2018-09-08 03:05   
As an aside, the EKU "TLS Web Server Authentication" is also required by the Radius Server cert for Win10 to authenticate. This change would then make the sys-0-cert directly usable in the Radius server. More info is in /etc/raddb/certs/README and the OIDs are in /etc/raddb/certs/xpextensions.
2018-11-05 20:18   
It looks like lz4 is not compatible with OpenVPN 2.3 (used in ClearOS 6). Would we break ClearOS 6-to-7 OpenVPN connections with these changes?
2018-11-05 20:22   
ns-cert-type removed: [^]
2019-02-23 21:00   
Migrated to: [^]