From: ummeegge
To: development@lists.ipfire.org
Subject: Re: Possible Bug in OVPN
Date: Thu, 25 Aug 2016 18:20:10 +0200
Message-ID: <9659086A-F4FF-481D-9F2D-7CDE107131D5@ipfire.org>
In-Reply-To: <57BD2F56.4010108@dailydata.net>

Hi Rod,

this directive has already been integrated with Core 100 --> http://forum.ipfire.org/viewtopic.php?f=50&t=11182 . We thought at that time that it was important to add this new directive sooner rather than later, since '--tls-remote' has been deprecated for a long time now and will be dropped by OpenVPN possibly with version 2.4.x (2.3.11 is out at this time), so even if both directives currently work, it is possible that in the near future only '--verify-x509-name name type' will work and all other clients with old configuration files and '--tls-remote' in them will need to be modified to work properly.

We've tested it for a couple of weeks and on different systems (different clients), and clients have mostly had no problems with the new directive except old client versions, as you already mentioned (tests can be found via the forum link above). Since OpenSSL has also had some serious bugs in the past and clients mostly have their own OpenSSL version integrated (possibly outdated in old OpenVPN clients), it might in that case also be a good idea to update those clients.

I've also added an information box in the wiki --> http://wiki.ipfire.org/en/configuration/services/openvpn/config/glob_set (at the bottom), possibly too plain?! If you have some other ideas, it would also be great if you could find a better way for an 'info' or 'warning' in the wiki.

Greetings,

Erik

On 24.08.2016 at 07:23, R. W. Rodolico wrote:

> Problem exists in 103 (and I'm not sure how much further back), but I
> just noticed it.
>
> When creating the client package, the .ovpn file has the following line:
> verify-x509-name my.server.name name
> (my.server.name is actually the server's name). The error message is:
>
> Options error: Unrecognized option or missing parameter(s) in
> rodolico-TO-IPFire.ovpn:13: verify-x509-name (2.2.1)
>
> This line is not recognized by OpenVPN v2.2.1, which is on my Debian
> Wheezy workstation. It appears to also be a problem with tunnelblick
> (see
> https://groups.google.com/forum/#!topic/tunnelblick-discuss/R6gY0C-CgfY). This
> command appeared in OpenVPN v2.3, so anyone using versions prior to that
> will not be able to use the configuration file.
>
> The syntax before used the deprecated tls-remote, i.e.
>
> tls-remote my.server.name
>
> Which works on Windows (OpenVPN GUI), Linux (OpenVPN) and OSX (tunnelblick).
>
> Let me know if you want me to file a bug report. However, for release
> 104, I'd recommend either leaving the verify-x509-name out, or using the
> old (deprecated) tls-remote (which still works under v2.3, from what
> I've seen, though it is deprecated as per
> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage)
>
> However, if you just want it documented (it is a deprecated flag which
> will be fully removed in 2.4), let me know and I'll put it in the wiki.
>
> Rod
>
> --
> Rod Rodolico
> Daily Data, Inc.
> POB 140465
> Dallas TX 75214-0465
> 214.827.2170
> http://www.dailydata.net
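
Added example (not part of the original thread and not IPFire code): a small pre-flight check an administrator could run on a generated client .ovpn file before handing it out, using the version boundaries stated in the thread (verify-x509-name from 2.3 on, tls-remote announced for removal in 2.4). The function names and the sample configurations are hypothetical; the check also flags a file that carries neither directive, since the client then does not check the server certificate's name at all.

```python
import re

# From the thread: verify-x509-name first appeared in OpenVPN 2.3; tls-remote
# is deprecated and announced for removal in 2.4.
VERIFY_X509_MIN = (2, 3)
TLS_REMOTE_REMOVED = (2, 4)

def parse_version(text):
    """Extract (major, minor) from '2.2.1' or an 'openvpn --version' banner."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))

def check_client_config(config_text, client_version):
    """Return a list of (line_no, severity, message); line_no 0 = whole file."""
    ver = parse_version(client_version)
    findings, pins_name = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name = line.split()[0].lstrip("-")   # tolerate a leading "--"
        if name == "verify-x509-name":
            pins_name = True
            if ver < VERIFY_X509_MIN:
                findings.append((no, "error", "verify-x509-name needs OpenVPN >= 2.3"))
        elif name == "tls-remote":
            pins_name = True
            if ver >= TLS_REMOTE_REMOVED:
                findings.append((no, "error", "tls-remote is removed in OpenVPN 2.4"))
            else:
                findings.append((no, "warning", "tls-remote is deprecated"))
    if not pins_name:
        findings.append((0, "warning", "server certificate name is not checked"))
    return findings

# Constructed sample configs, using the placeholder host name from the thread.
NEW_STYLE = "client\nremote my.server.name 1194\nverify-x509-name my.server.name name\n"
OLD_STYLE = "client\nremote my.server.name 1194\ntls-remote my.server.name\n"
NO_CHECK = "client\nremote my.server.name 1194\n; tls-remote my.server.name\n"

if __name__ == "__main__":
    cases = [("new/2.2.1", NEW_STYLE, "2.2.1"), ("new/2.3.11", NEW_STYLE, "2.3.11"),
             ("old/2.3.11", OLD_STYLE, "2.3.11"), ("none/2.3.11", NO_CHECK, "2.3.11")]
    for label, cfg, ver in cases:
        print(label, check_client_config(cfg, ver))
```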