ID | 0021401
Project | ClearOS
Category | app-openvpn - OpenVPN
View Status | public
Date Submitted | 2018-09-07 03:48
Last Update | 2019-02-23 21:00
Reporter | NickH
Assigned To | dloper
Priority | normal
Severity | minor
Reproducibility | always
Status | closed
Resolution | suspended
Platform |
OS |
OS Version |
Product Version | 7.5.0
Target Version | 8.0.0 Beta 1
Fixed in Version |
Summary | 0021401: OpenVPN deprecated parameters
Description |
From our configs there are two deprecated parameters, comp-lzo and "ns-cert-type server". See https://community.openvpn.net/openvpn/wiki/DeprecatedOptions.

It is not known when comp-lzo will be removed, and it can directly be replaced with "compress lzo" in both the client and server configs, but better would be to change the server configs to:

    compress lz4
    push "compress lz4"

and the client config to:

    compress

This appears to be backwards compatible with existing Windows, Linux and Android v2.4 clients. This has not been tested with older clients, but I would expect changing "comp-lzo" to "compress lzo" in the current server config and new client configs to be safe.

The big issue is "ns-cert-type", which will disappear in OpenVPN 2.5 (timing unknown). If used in 2.5, it will be remapped to "remote-cert-tls", when it will fail because the sys-0-pem does not contain the required extended key usage of "TLS Web Server Authentication". The solution in the short term is to regenerate the sys-0-pem with the additional EKU. Longer term, "ns-cert-type server" should also be changed to "remote-cert-tls server" in the client configs, but not until the certificate change is made.

In the client logs the error with "remote-cert-tls server" is:

    Fri Sep 07 10:22:51 2018 VERIFY OK: depth=1, C=GB, L=Petersfield, O=ClearOS, OU=14 Upper Heyshott, CN=ca.server.howitts.lan, emailAddress=security@server.howitts.lan, O=Howitt Family, ST=Hampshire
    Fri Sep 07 10:22:51 2018 VERIFY KU OK
    Fri Sep 07 10:22:51 2018 Certificate does not have extended key usage extension
    Fri Sep 07 10:22:51 2018 VERIFY EKU ERROR
    Fri Sep 07 10:22:51 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Fri Sep 07 10:22:51 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Sep 07 10:22:51 2018 TLS Error: TLS object -> incoming plaintext read error
    Fri Sep 07 10:22:51 2018 TLS Error: TLS handshake failed
    Fri Sep 07 10:22:51 2018 Fatal TLS error (check_tls_errors_co), restarting
Tags | No tags attached.
Attached Files |

Notes

(0007931) NickH (developer) 2018-09-07 11:53
Note that the certificate issue could be triggered by a client update which is out of our control. This is especially so with Apple iOS/macOS and Android products, where you cannot ask the user to downgrade, so we, ideally, should be ahead of the game.
(0007951) NickH (developer) 2018-09-08 03:05
As an aside, the EKU "TLS Web Server Authentication" is also required by the RADIUS server cert for Win10 to authenticate. This change would then make the sys-0-cert directly usable in the RADIUS server. More info is in /etc/raddb/certs/README and the OIDs are in /etc/raddb/certs/xpextensions.
(0008491) user2 2018-11-05 20:18
It looks like lz4 is not compatible with OpenVPN 2.3 (used in ClearOS 6). Would we break ClearOS 6-to-7 OpenVPN connections with these changes? |
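The rewrite proposed in the description, with the guard NickH describes (keep "ns-cert-type server" until the server certificate carries the "TLS Web Server Authentication" EKU, otherwise the VERIFY EKU ERROR above is the result) and the lzo fallback for the OpenVPN 2.3 clients user2 mentions. This is an added example, not code from ClearOS app-openvpn; the set of EKU OIDs is a constructed input standing in for what you would read from the real server certificate.

```python
# OID of the "TLS Web Server Authentication" EKU that remote-cert-tls requires.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def migrate_openvpn_config(text, role, server_cert_ekus, legacy_clients=False):
    """Rewrite the two deprecated options in one OpenVPN config.

    role             -- "server" or "client" (decides the compress replacement)
    server_cert_ekus -- set of EKU OIDs present in the server certificate
                        (hypothetical input; read it from the real certificate)
    legacy_clients   -- push lzo instead of lz4 so OpenVPN 2.3 clients still connect
    Returns (rewritten_config, warnings).
    """
    out, warnings = [], []
    for line in text.splitlines():
        option = line.strip().split()
        # comp-lzo [yes|no|adaptive] -> the "compress" family of options
        if option and option[0] == "comp-lzo":
            if role == "server":
                algo = "lzo" if legacy_clients else "lz4"
                out.append(f"compress {algo}")
                out.append(f'push "compress {algo}"')  # tell clients which algorithm to use
            else:
                out.append("compress")  # client accepts whatever the server pushes
            continue
        # ns-cert-type server -> remote-cert-tls server, but only once the server
        # certificate has the serverAuth EKU; otherwise the handshake fails at VERIFY EKU.
        if option[:2] == ["ns-cert-type", "server"]:
            if SERVER_AUTH_OID in server_cert_ekus:
                out.append("remote-cert-tls server")
            else:
                warnings.append("ns-cert-type kept: server certificate lacks the "
                                "serverAuth EKU, regenerate it before switching")
                out.append(line)
            continue
        out.append(line)
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    # Constructed client config; the hostname is a placeholder, not a real server.
    client_cfg = "client\nremote vpn.example.test 1194\ncomp-lzo\nns-cert-type server\n"
    new_cfg, warns = migrate_openvpn_config(client_cfg, "client", server_cert_ekus=set())
    print(new_cfg, *warns, sep="\n")
```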
(0008501) user2 2018-11-05 20:22
ns-cert-type removed: https://gitlab.com/clearos/clearfoundation/app-openvpn/commit/6a54a2a69d3710e0202549d085e6281f7e8a1036
(0010241) dloper (administrator) 2019-02-23 21:00
Migrated to: https://gitlab.com/clearos/feature-requests/issues/42
Issue History
Date Modified | Username | Field | Change |
2018-09-07 03:48 | NickH | New Issue | |
2018-09-07 03:49 | NickH | Description Updated | View Revisions |
2018-09-07 11:53 | NickH | Note Added: 0007931 | |
2018-09-07 18:04 | user2 | Status | new => confirmed |
2018-09-07 18:05 | user2 | Product Version | 7.6.0 => 7.5.0 |
2018-09-07 18:05 | user2 | Target Version | => 7.5.0 Updates |
2018-09-08 03:05 | NickH | Note Added: 0007951 | |
2018-10-30 14:27 | user2 | Target Version | 7.5.0 Updates => 7.6.0 |
2018-11-05 19:48 | user2 | Summary | OpenVPN Deprecated Parameters => OpenVPN deprecated parameters |
2018-11-05 20:18 | user2 | Note Added: 0008491 | |
2018-11-05 20:22 | user2 | Note Added: 0008501 | |
2018-11-16 07:12 | user2 | Target Version | 7.6.0 => 8.0.0 Beta 1 |
2019-02-23 21:00 | dloper | Note Added: 0010241 | |
2019-02-23 21:00 | dloper | Status | confirmed => closed |
2019-02-23 21:00 | dloper | Assigned To | => dloper |
2019-02-23 21:00 | dloper | Resolution | open => suspended |