Bug 459475

Summary: NetworkManager OpenVPN "certificate verify failed"
Product: Fedora
Reporter: barry gould <bozo>
Component: NetworkManager-openvpn
Assignee: Dan Williams <dcbw>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: choeger, steve, tim
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-08-19 13:31:07 UTC

Description barry gould 2008-08-19 08:33:29 UTC
Description of problem:
When trying to connect to an OpenVPN connection from NetworkManager, /var/log/messages says:
nm-openvpn TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Note that I can connect with the command-line version of openvpn just fine.

Some searching on Google reveals that NM adds
> g_ptr_array_add (openvpn_argv, (gpointer) "--ns-cert-type");
> g_ptr_array_add (openvpn_argv, (gpointer) "server");

when calling OpenVPN, which causes it to fail (many) certificates.
The server I'm connecting to is an appliance, so it is unlikely that I'll be able to change the certs to get around this issue.

Note that Ubuntu considered this to be a bug, and fixed it last year by adding a user-configurable option:
https://bugs.launchpad.net/network-manager-openvpn/+bug/94788
"Introduced a new configuration option enabling users to turn off the check for a proper `nsCertType=server' extension bit set in the server's certificate. (LP: #94788)"


Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-openvpn-0.7.0-14.svn3632.fc9.i386
openvpn-2.1-0.26.rc8.fc9.i386

NetworkManager-vpnc-0.7.0-0.7.7.svn3627.fc9.i386
NetworkManager-glib-0.7.0-0.9.4.svn3675.fc9.i386
NetworkManager-gnome-0.7.0-0.9.4.svn3675.fc9.i386


How reproducible:
always

Steps to Reproduce:
1. set up connection with X509 certs + password
2. try to connect

Actual results:
error above

Expected results:
connect

Additional info:
I agree with the Ubuntu folks that this should be a user-configurable option. Too bad their patch didn't get into upstream for NM.
IIRC NM is developed by RH, so I'm hoping someone here could push it up.

Thanks!
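
The failure described in this report comes down to one certificate property: whether the server's certificate carries the Netscape Cert Type extension with the "SSL Server" bit set, which is what OpenVPN enforces when NetworkManager passes it "--ns-cert-type server". The script below is an added example, not code from the bug report, NetworkManager or OpenVPN. It builds a throwaway CA and two server certificates with plain openssl (one with nsCertType=server, one without, standing in for an appliance certificate that cannot be changed) and then inspects each one the way a practitioner would to confirm this is the cause before filing or working around the bug. All file names and the example-vpn-ca / *.example subject names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a server
# certificate carries nsCertType=server, the property OpenVPN enforces
# when NetworkManager starts it with "--ns-cert-type server".
set -eu

WORK=$(mktemp -d)          # scratch directory for the constructed test PKI
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and two server certificates: one carrying the
# Netscape nsCertType=server extension, one without it (as many
# appliance-issued certificates are). Subject names are made up.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=example-vpn-ca -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Unnamed (default) extension section: just the Netscape cert type.
    printf 'nsCertType = server\n' > "$dir/ns.ext"
    for name in with-ns without-ns; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$dir/with-ns.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ns.ext" -out "$dir/with-ns.crt" 2>/dev/null
    openssl x509 -req -in "$dir/without-ns.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/without-ns.crt" 2>/dev/null
}

# Print "server" if the certificate's Netscape Cert Type extension has the
# SSL Server bit set, "missing" otherwise. A certificate that reports
# "missing" is rejected by OpenVPN under "--ns-cert-type server" even
# though it chains correctly to the CA, which matches the
# "certificate verify failed" seen only through NetworkManager.
ns_cert_type_status() {
    if openssl x509 -in "$1" -noout -text \
        | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'; then
        echo server
    else
        echo missing
    fi
}

make_test_pki "$WORK"
for cert in with-ns without-ns; do
    printf '%s: %s\n' "$cert" "$(ns_cert_type_status "$WORK/$cert.crt")"
done
```

Run it against the real server certificate (for example, the one the command-line openvpn is pointed at, or one exported from the appliance) by calling ns_cert_type_status on that file; "missing" confirms the reported cause. Later OpenVPN releases offer "--remote-cert-tls server", which replaces the proprietary Netscape extension with the standard keyUsage and extendedKeyUsage checks, but a certificate lacking both will still be rejected by either option.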

Comment 1 Dan Williams 2008-08-19 13:31:07 UTC
That bit of code has already been removed upstream in SVN for both stable and development branches actually :)

Comment 2 barry gould 2008-08-20 07:33:33 UTC
Sorry, does that (stable) mean that it's already in Fedora 9, or only in rawhide?
If not in 9, will there be an update soon?

If it is already in 9, then am I experiencing a different problem?

Thanks!

Comment 3 Dan Williams 2008-08-20 12:37:26 UTC
There's test builds in Koji, but they haven't been pushed to testing yet because Warren really, really wants VPN passwords converted.