* Possible Bug in OVPN
@ 2016-08-24 5:23 R. W. Rodolico
From: R. W. Rodolico @ 2016-08-24 5:23 UTC (permalink / raw)
To: development
Problem exists in 103 (and I'm not sure how much further back), but I
just noticed it.
When creating the client package, the .ovpn file has the following line:
verify-x509-name my.server.name name
(my.server.name is actually the server's name). The error message is:
Options error: Unrecognized option or missing parameter(s) in
rodolico-TO-IPFire.ovpn:13: verify-x509-name (2.2.1)
This line is not recognized by OpenVPN v2.2.1, which is on my Debian
Wheezy workstation. It appears to also be a problem with tunnelblick
(see
https://groups.google.com/forum/#!topic/tunnelblick-discuss/R6gY0C-CgfY). This
command appeared in OpenVPN v2.3, so anyone using versions prior to that
will not be able to use the configuration file.
The syntax before used the deprecated tls-remote, i.e.
tls-remote my.server.name
Which works on Windows (OpenVPN GUI), Linux (OpenVPN) and OSX (tunnelblick).
Let me know if you want me to file a bug report. However, for release
104, I'd recommend either leaving the verify-x509-name out, or using the
old (deprecated) tls-remote (which still works under v2.3, from what
I've seen, though it is deprecated as per
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage)
However, if you just want it documented (it is a deprecated flag which
will be fully removed in 2.4), let me know and I'll put it in the wiki.
Rod
--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
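As an added illustration (not code from this thread or from IPFire), a small Python helper that looks for the server-identity directive in a client .ovpn and rewrites it to the form the client's OpenVPN version understands: verify-x509-name for 2.3 and later, tls-remote for older clients, and a warning when no server-name check is left at all. The sample config, the version thresholds and the function names are my assumptions.

```python
from typing import List, Optional, Tuple

# Constructed sample of the client config lines the thread describes (not IPFire's generator output).
SAMPLE_OVPN = """client
remote my.server.name 1194
verify-x509-name my.server.name name
"""
VERIFY_X509_NAME_SINCE = (2, 3)  # directive first available in OpenVPN 2.3
TLS_REMOTE_REMOVED_IN = (2, 4)   # tls-remote is deprecated and slated for removal in 2.4

def parse_version(version: str) -> Tuple[int, int]:
    """'2.2.1' -> (2, 2); only major.minor matter here."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def server_name_directive(config: str) -> Optional[Tuple[str, ...]]:
    """Return ('verify-x509-name', host, type), ('tls-remote', host) or None."""
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "verify-x509-name" and len(parts) >= 2:
            return ("verify-x509-name", parts[1], parts[2] if len(parts) > 2 else "subject")
        if parts[0] == "tls-remote" and len(parts) >= 2:
            return ("tls-remote", parts[1])
    return None

def adapt_for_client(config: str, client_version: str) -> Tuple[str, List[str]]:
    """Rewrite the server-identity directive to the form this OpenVPN client version accepts."""
    ver, out, warnings = parse_version(client_version), [], []
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] == "verify-x509-name" and ver < VERIFY_X509_NAME_SINCE:
            kind = parts[2] if len(parts) > 2 else "subject"
            if kind in ("name", "name-prefix"):  # tls-remote also matches the CN / a CN prefix
                out.append(f"tls-remote {parts[1]}")
                warnings.append(f"downgraded to deprecated tls-remote for OpenVPN {client_version}")
            else:
                out.append(line)
                warnings.append(f"type '{kind}' has no tls-remote equivalent; client will reject this line")
        elif parts and parts[0] == "tls-remote" and ver >= TLS_REMOTE_REMOVED_IN:
            out.append(f"verify-x509-name {parts[1]} name")  # exact CN match, stricter than tls-remote
            warnings.append(f"tls-remote is gone in OpenVPN {client_version}; upgraded to verify-x509-name")
        else:
            out.append(line)
    if server_name_directive("\n".join(out)) is None:
        # Leaving the directive out (the thread's other option) disables server-name verification.
        warnings.append("no server-name check present: server identity is not verified beyond the CA signature")
    return "\n".join(out) + "\n", warnings
```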
* Re: Possible Bug in OVPN
@ 2016-08-25 16:20 ` ummeegge
From: ummeegge @ 2016-08-25 16:20 UTC (permalink / raw)
To: development
Hi Rod,
This directive has already been integrated with Core 100 --> http://forum.ipfire.org/viewtopic.php?f=50&t=11182 . We thought at the time that it was important to add this new directive sooner rather than later, since '--tls-remote' has been deprecated for a long time now and will be dropped by OpenVPN, possibly with version 2.4.x (2.3.11 is out at this time). So even if both directives currently work, it is possible that in the near future only '--verify-x509-name name type' will work, and all other clients with old configuration files containing '--tls-remote' will need to be modified to work properly.
We've tested it for a couple of weeks on different systems (different clients), and most clients have had no problems with the new directive, except old client versions, as you already mentioned (tests can be found via the forum link above). Since OpenSSL has also had some serious bugs in the past and most clients have their own OpenSSL version integrated (possibly outdated in old OpenVPN clients), it might in that case also be a good idea to update those clients.
I've also added an information box in the wiki --> http://wiki.ipfire.org/en/configuration/services/openvpn/config/glob_set (at the bottom), possibly too plain?! If you have some other ideas, it would also be great if you find a better way for an 'info' or 'warning' in the wiki.
Greetings,
Erik
On 24.08.2016 at 07:23, R. W. Rodolico <rodo(a)dailydata.net> wrote:
> Problem exists in 103 (and I'm not sure how much further back), but I
> just noticed it.
>
> When creating the client package, the .ovpn file has the following line:
> verify-x509-name my.server.name name
> (my.server.name is actually the server's name). The error message is:
>
> Options error: Unrecognized option or missing parameter(s) in
> rodolico-TO-IPFire.ovpn:13: verify-x509-name (2.2.1)
>
> This line is not recognized by OpenVPN v2.2.1, which is on my Debian
> Wheezy workstation. It appears to also be a problem with tunnelblick
> (see
> https://groups.google.com/forum/#!topic/tunnelblick-discuss/R6gY0C-CgfY). This
> command appeared in OpenVPN v2.3, so anyone using versions prior to that
> will not be able to use the configuration file.
>
> The syntax before used the deprecated tls-remote, i.e.
>
> tls-remote my.server.name
>
> Which works on Windows (OpenVPN GUI), Linux (OpenVPN) and OSX (tunnelblick).
>
> Let me know if you want me to file a bug report. However, for release
> 104, I'd recommend either leaving the verify-x509-name out, or using the
> old (deprecated) tls-remote (which still works under v2.3, from what
> I've seen, though it is deprecated as per
> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage)
>
> However, if you just want it documented (it is a deprecated flag which
> will be fully removed in 2.4), let me know and I'll put it in the wiki.
>
> Rod
>
> --
> Rod Rodolico
> Daily Data, Inc.
> POB 140465
> Dallas TX 75214-0465
> 214.827.2170
> http://www.dailydata.net