Hi Michael,
Am 11.08.2014 um 11:36 schrieb Michael Tremer:
Hi Erik,
On Tue, 2014-07-29 at 20:05 +0200, ummeegge wrote:
Hi all, since the update to OpenVPN version 2.3 on IPFire the client log message "DEPRECATED OPTION: --tls-remote, please update your configuration" appears. so the clientside directive "--tls-remote" will be removed from OpenVPN in one of the comming versions --> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage . For future updates of OpenVPN on IPFire (2.4+) it will be important to modify existing client.ovpn´s and replace the "--tls-remote name" with the new "--verify-x509-name name type" directive.
Yes, we should do this at some point. The question that is currently on my mind is if that is completely backwards-compatible with all installations that we do have out there.
Have tested the "--verify-x509-name" directive positive only with 2.3.2 and above. =< 2.3.1 have had problems with this. Causing the heartbleed bug it might be probably a good time and chance for may ~ 90% of the clients out there which have no problems with this. But you are right there are a couple of other clients which are using nevertheless older (may patched) versions. Have seen this e.g. in the Snom forum that they have problems with this directive.
Since OpenVPN client/server version 2.3.2 the new verify option can be used in client configs whereby "type" includes the possibilty of 3 different kinds of verification --> "subject", "name" and "name-prefix" . This leads to a question which one of the "types" should be used for future versions on IPFire. At this time IPFire handles "--tls-remote" automatically and it can´t be configured over the WUI, this is handy cause the user doesn´t need to bother around with all that kind of settings, but should this remain in that way also for the new verification method ?
This should not be configurable for the user, because I cannot see the point right now. It should stay compatible to what we are doing at the moment.
I think so. There is also some time left until OpenVPN throws this directive away. An exact time aren´t known at this time.
Also, to use "--verify-x509-name" the clients needs to have a version
= 2.3.2 otherwise the connection won´t come up so there is no
backwards compatibility with the new directive and version =< 2.3.1 .
This is my biggest concern as there might be many systems that run old versions.
May some people out there have some ideas, informations, ...., for this topic ?
Not really as far as we can see. Would you please update the code for this and send patches when you have the time for it?
We could possibly do it in that way: We leave "--tls-remote" in the client.ovpn configuration file but add also the "--verify-x509-name" directive out commented with a little hint when it could be used, like it is done now for the usage of different interfaces --> "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface" <-- or someting like that...
Anyway a discussion about that might be interesting.
-Michael
As a first idea.
Greetings,
Erik