Bug 487124 - No server certificate verification method has been enabled
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 11
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Huzaifa S. Sidhpurwala
QA Contact: Fedora Extras Quality Assurance
URL: http://openvpn.net/howto.html#mitm
Reported: 2009-02-24 06:43 EST by Jens Liebchen
Modified: 2010-03-19 03:28 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-19 03:28:01 EDT


Description Jens Liebchen 2009-02-24 06:43:53 EST
NetworkManager-openvpn does not check the server certificate. It is not possible to configure NetworkManager-openvpn to do so.

NetworkManager-0.7.0-1.git20090102.fc10.x86_64

To reproduce, you have to connect via NetworkManager-openvpn to a VPN with certificates authorization. You will find the following information in /var/log/messages:

nm-openvpn[3916]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.


Easiest fix should be using the option "remote-cert-tls server" when starting openvpn. See the link above for more info.


The risk of this issue is that a compromised client with a CA-signed certificate can fake being the server and do a MITM attack against other clients.
Comment 1 Bug Zapper 2009-06-09 07:36:42 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Huzaifa S. Sidhpurwala 2010-03-19 03:28:01 EDT
Hi Jens,
The latest version of NetworkManager-openvpn has support for tls-remote.
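
A check for the condition reported above, given as an added example that is not part of the bug report or of NetworkManager-openvpn: it lists the server-verification directives active in an OpenVPN client configuration and finds the warning in log text. The sample configuration, host name and timestamps are constructed, and the directives other than "remote-cert-tls" and "tls-remote" go beyond what the thread names.

```python
import re
import shlex

# Warning text quoted in the bug report.
WARNING = "No server certificate verification method has been enabled"
TAG = re.compile(r"(\S+\[\d+\]):")          # syslog tag such as nm-openvpn[3916]:

# Directive -> required first argument (None: any argument will do).
# remote-cert-tls and tls-remote are named in this thread; the other three
# are further OpenVPN options, covered here as a generalization.
CHECKS = {"remote-cert-tls": "server", "ns-cert-type": "server",
          "tls-remote": None, "verify-x509-name": None, "tls-verify": None}

def server_checks(config_text):
    """Return the server-verification directives active in a client config."""
    active = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # '#' and ';' both start a comment
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: plain split
            tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in CHECKS:
            continue
        if CHECKS[tokens[0]] in (None, tokens[1]):
            active.append(tokens[0])
    return active

def warned_processes(log_text):
    """Return the name[pid] tag of every log line that carries the warning."""
    hits = []
    for line in log_text.splitlines():
        match = TAG.search(line)
        if WARNING in line and match:
            hits.append(match.group(1))
    return hits

# Constructed sample inputs: host names, file names and timestamps are made up.
WEAK = ("client\nremote vpn.example.org 1194\nca ca.crt\n"
        "cert client.crt\nkey client.key\n;remote-cert-tls server\n")
HARDENED = WEAK.replace(";remote-cert-tls", "remote-cert-tls")
LOG = ("Feb 24 06:40:01 host nm-openvpn[3916]: WARNING: " + WARNING + ".\n"
       "Feb 24 06:40:02 host nm-openvpn[3916]: constructed unrelated line\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, server_checks(cfg) or "no server verification configured")
    print(warned_processes(LOG))
```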
