Bug 1441678 - Openvpn is not working when using verify-x509-name
Summary: Openvpn is not working when using verify-x509-name
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: NetworkManager-openvpn
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-04-12 12:47 UTC by Oliver Ilian
Modified: 2017-06-28 14:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Oliver Ilian 2017-04-12 12:47:04 UTC
Description of problem:
I have changed the config for my openvpn connections from tls-remote=$SERVER to 
verify-x509-name=$SERVER, but now I get the following error message in journalctl:

Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1360)
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: UDPv4 link local: [undef]
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: UDPv4 link remote: [AF_INET]209.132.186.220:443
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: TLS_ERROR: BIO read tls_read_plaintext error
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: TLS Error: TLS object -> incoming plaintext read error
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: TLS Error: TLS handshake failed
Apr 11 18:30:59 ohaessle.muc.csb nm-openvpn[10573]: SIGUSR1[soft,tls-error] received, process restarting



Version-Release number of selected component (if applicable):
openvpn-2.4.1-2.el7.x86_64
NetworkManager-openvpn-1.2.6-1.el7.x86_64


How reproducible:
Use an NM config that has a line tls-remote=$SERVER and connects fine. Change the option to verify-x509-name=$SERVER. The connection no longer works.

Actual results:
Connection is not established, with the error message shown above in the log file.

Expected results:
Connection works.

Additional info:

If I use a config file with openvpn on the CLI, containing the line: verify-x509-name $SERVER
the connection works without issues.

Comment 1 Oliver Ilian 2017-06-28 11:14:50 UTC
Hi,

is there any progress on this issue? OpenVPN will be updated to 2.4 very soon, which deprecates the tls-remote.

Comment 2 Thomas Haller 2017-06-28 12:06:28 UTC
epel7 currently has package 1.2.6-1, which is already 6 months old.

This nm-openvpn version (supposedly) supports verify-x509-name and tls-remote just fine. The configurations are probably safe to use verify-x509-name from now on, and no longer use tls-remote.


Note that openvpn is the one that rejects tls-remote option in 2.4. nm-openvpn-1.2.6-1 is fine with either, but if the NM connection uses tls-remote against openvpn 2.4, it won't work.

Newer upstream versions of nm-openvpn try to work around the issue of the openvpn upgrade breaking connections. You would need commit [1] for that. But note that this is only a hack, because tls-remote is not identical to using the verify-x509-name option, it is only *close enough*.



Anyway, you say

  > tls-remote=$SERVER to verify-x509-name=$SERVER

this is not how it works. If you use nm-connection-editor, you will see that in NetworkManager's connection, the option must be specified like:
  verify-x509-name=name:$SERVER
See also [2] how the option is interpreted by the plugin.




Summary:

  (1) it seems this bug is a configuration error (verify-x509-name=$SERVER)
  (2) openvpn 2.4 purposefully rejects tls-remote. Configurations should
    be updated to use verify-x509-name.
  (3) upstream patch [1] would work around issue (2). It's probably a very good
    idea to update the epel7 package to the latest upstream version.


[1] https://git.gnome.org/browse/network-manager-openvpn/commit/?id=f7421ef277222bd640c432afefc21ef5a98477bc
[2] https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=404e9c4b677b224597fc95f811e6b8729a314354#n1629
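The distinction Comment 2 draws (NM stores `verify-x509-name` as `TYPE:NAME`, while openvpn takes `--verify-x509-name NAME [TYPE]`, and `tls-remote` is gone in 2.4) can be checked mechanically. The following is an added example, not code from NetworkManager-openvpn or OpenVPN; it assumes the connection's vpn.data is available as a plain dict, and that the only accepted types are OpenVPN's `subject`, `name` and `name-prefix`.

```python
"""Check an NM-openvpn connection's server-name verification settings.

Added example: models the TYPE:NAME convention described in the bug, it is
not the plugin's own parsing code.
"""

# The match types OpenVPN's --verify-x509-name accepts. "name" is the
# closest replacement for the --tls-remote option removed in OpenVPN 2.4.
VALID_TYPES = ("subject", "name", "name-prefix")


def parse_nm_verify_x509_name(value: str):
    """Split an NM 'verify-x509-name=TYPE:NAME' value into (type, name).

    Returns None when the TYPE: prefix is missing or unknown, which is the
    misconfiguration reported in this bug (verify-x509-name=$SERVER)."""
    type_, sep, name = value.partition(":")
    if not sep or type_ not in VALID_TYPES or not name:
        return None
    return type_, name


def to_openvpn_option(value: str) -> str:
    """Render the equivalent openvpn CLI / config-file option."""
    parsed = parse_nm_verify_x509_name(value)
    if parsed is None:
        expected = ", ".join(f"{t}:<value>" for t in VALID_TYPES)
        raise ValueError(f"invalid verify-x509-name value {value!r}; "
                         f"expected one of {expected}")
    type_, name = parsed
    return f"--verify-x509-name {name} {type_}"


def check_vpn_data(data: dict) -> list:
    """Return migration findings for a connection's vpn.data dictionary
    (keys as they appear in the keyfile [vpn] section)."""
    findings = []
    if "tls-remote" in data:
        findings.append("tls-remote is rejected by OpenVPN 2.4; replace with "
                        f"verify-x509-name=name:{data['tls-remote']}")
    if "verify-x509-name" in data:
        try:
            findings.append("ok: " + to_openvpn_option(data["verify-x509-name"]))
        except ValueError as err:
            findings.append(str(err))
    if "tls-remote" not in data and "verify-x509-name" not in data:
        findings.append("no server-name check: any certificate signed by the "
                        "CA would be accepted")
    return findings


# Constructed sample: the reporter's broken value and the corrected one.
if __name__ == "__main__":
    for sample in ({"verify-x509-name": "vpn.example.com"},
                   {"verify-x509-name": "name:vpn.example.com"},
                   {"tls-remote": "vpn.example.com"}):
        print(sample, "->", check_vpn_data(sample))
```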

Comment 3 Oliver Ilian 2017-06-28 14:50:13 UTC
Awesome... sorry... I somehow missed the correct syntax for the x509 line. With your example it works now.
I will update the configs now accordingly to use x509.

