Bug 487124

Summary: No server certificate verification method has been enabled
Product: [Fedora] Fedora
Reporter: Jens Liebchen <bugzilla>
Component: NetworkManager-openvpn
Assignee: Huzaifa S. Sidhpurwala <huzaifas>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: choeger, dcbw, steve, tim
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://openvpn.net/howto.html#mitm
Doc Type: Bug Fix
Last Closed: 2010-03-19 07:28:01 UTC

Description Jens Liebchen 2009-02-24 11:43:53 UTC
NetworkManager-openvpn does not check the server certificate. It is not possible to configure NetworkManager-openvpn to do so.

NetworkManager-0.7.0-1.git20090102.fc10.x86_64

To reproduce, you have to connect via NetworkManager-openvpn to a VPN with certificates authorization. You will find the following information in /var/log/messages:

nm-openvpn[3916]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.


Easiest fix should be using the option "remote-cert-tls server" when starting openvpn. See the link above for more info.


The risk of this issue is that a compromised client with a CA-signed certificate can fake being the server and do a MITM attack against other clients.

Comment 1 Bug Zapper 2009-06-09 11:36:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Huzaifa S. Sidhpurwala 2010-03-19 07:28:01 UTC
Hi Jens,
The latest version of NetworkManager-openvpn has support for tls-remote.
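
Added example (not part of the bug report and not NetworkManager-openvpn code): a small audit that reports which server-verification directives an OpenVPN client configuration sets, and which nm-openvpn processes logged the warning quoted in the description. The function names, the sample configuration and the syslog prefix are constructed for illustration; directives other than "remote-cert-tls server" and "tls-remote" are an assumption about what a site may use.

```python
import re
import shlex

# Client directives that turn on a server-certificate check. The report names
# "remote-cert-tls server" and "tls-remote"; the rest are other OpenVPN
# options with the same purpose, included here as an assumption about what a
# site may use. Value: predicate on the directive's arguments.
CHECKS = {
    "remote-cert-tls": lambda a: a[:1] == ["server"],
    "ns-cert-type": lambda a: a[:1] == ["server"],
    "tls-remote": lambda a: bool(a),
    "verify-x509-name": lambda a: bool(a),
    "remote-cert-ku": lambda a: bool(a),
    "remote-cert-eku": lambda a: bool(a),
}

WARNING = re.compile(r"nm-openvpn\[(\d+)\]: WARNING: No server certificate "
                     r"verification method has been enabled")

def verification_directives(config_text):
    """Return the server-verification directives present in a client config."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        words = shlex.split(line, comments=True)
        if not words:
            continue
        # Accept both config-file form and command-line form ("--option").
        name, args = words[0].lstrip("-"), words[1:]
        if name in CHECKS and CHECKS[name](args):
            found.append(" ".join([name] + args))
    return found

def unverified_pids(log_lines):
    """Return PIDs of nm-openvpn processes that logged the warning."""
    return [int(m.group(1)) for l in log_lines if (m := WARNING.search(l))]

# Constructed samples (not taken from a real host).
WEAK = "client\nremote vpn.example.org 1194\nca ca.crt\ncert client.crt\nkey client.key\n"
FIXED = WEAK + "remote-cert-tls server\n"
LOG = [
    "Feb 24 11:40:01 host nm-openvpn[3916]: WARNING: No server certificate "
    "verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Feb 24 11:40:02 host nm-openvpn[3916]: LZO compression initialized",
]

if __name__ == "__main__":
    print(verification_directives(WEAK), verification_directives(FIXED))
    print(unverified_pids(LOG))
```

An empty list from `verification_directives` means the client accepts any certificate signed by the CA as the server, which is the condition this bug describes.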