Bug 1441678
| Summary: | Openvpn is not working when using verify-x509-name | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Oliver Ilian <oliver> |
| Component: | NetworkManager-openvpn | Assignee: | Gwyn Ciesla <gwync> |
| Status: | NEW | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | epel7 | CC: | gwync, mteixeira, thaller |
| Hardware: | Unspecified | OS: | Unspecified |
| Type: | Bug | | |

Description
Oliver Ilian
2017-04-12 12:47:04 UTC
Hi, is there any progress on this issue? OpenVPN will be updated to 2.4 very soon, which deprecates the tls-remote.

epel7 currently has package 1.2.6-1, which is already 6 months old. This nm-openvpn version (supposedly) supports verify-x509-name and tls-remote just fine. The configurations are probably safe to use verify-x509-name from now on, and no longer use tls-remote.

Note that openvpn is the one that rejects the tls-remote option in 2.4. nm-openvpn-1.2.6-1 is fine with either, but if the NM connection uses tls-remote against openvpn 2.4, it won't work.

Newer upstream versions of nm-openvpn try to work around the issue of the openvpn upgrade breaking the connection. You would need commit [1] for that. But note that this is only a hack, because tls-remote is not identical to using the verify-x509-name option, it is only *close enough*.

Anyway, you say

> tls-remote=$SERVER to verify-x509-name=$SERVER"

this is not how it works. If you use nm-connection-editor, you will see that in NetworkManager's connection, the option must be specified like:

    verify-x509-name=name:$SERVER

See also [2] for how the option is interpreted by the plugin.

Summary:

(1) it seems this bug is a configuration error (verify-x509-name=$SERVER)

(2) openvpn 2.4 purposefully rejects tls-remote. Configurations should be updated to use verify-x509-name.

(3) upstream patch [1] would work around issue (2). It's probably a very good idea to update the epel7 package to the latest upstream version.

[1] https://git.gnome.org/browse/network-manager-openvpn/commit/?id=f7421ef277222bd640c432afefc21ef5a98477bc

[2] https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=404e9c4b677b224597fc95f811e6b8729a314354#n1629

Awesome.. sorry.. I somehow missed the correct syntax for the x509 line. With your example it works now. I will update the configs now accordingly to use x509
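
A check for the two configuration problems discussed in this thread, as an added example that is not part of the bug report or of the plugin's code. It assumes the connection is stored as a NetworkManager keyfile with a `[vpn]` section and that the value is split at the first colon into type and name; the function name, the sample keyfiles and `vpn.example.com` are constructed for illustration.

```python
import configparser

# Match types OpenVPN's --verify-x509-name accepts; "subject" is its default.
X509_TYPES = {"subject", "name", "name-prefix"}


def audit_vpn_section(keyfile_text):
    """Return findings for the [vpn] section of a NetworkManager keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(keyfile_text)
    if not cp.has_section("vpn"):
        return ["no [vpn] section found"]
    vpn = cp["vpn"]
    findings = []
    if "tls-remote" in vpn:
        findings.append("tls-remote is set: openvpn 2.4 rejects it, "
                        "switch to verify-x509-name")
    value = vpn.get("verify-x509-name")
    if value is not None:
        kind, sep, name = value.partition(":")
        if not sep:
            # Assumption: without a prefix the value is matched as the full
            # subject DN, so a bare host name will not match the certificate.
            findings.append("verify-x509-name has no type prefix: "
                            "write it as name:%s" % value)
        elif kind not in X509_TYPES:
            findings.append("verify-x509-name has unknown type %r" % kind)
        elif not name:
            findings.append("verify-x509-name has an empty name")
    return findings


# Constructed sample keyfiles (not taken from the bug report).
BROKEN = """
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
tls-remote=vpn.example.com
verify-x509-name=vpn.example.com
"""
FIXED = """
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
verify-x509-name=name:vpn.example.com
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_vpn_section(text))
```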