Hi Paul, and thanks for your feedback. Regarding the OpenVPN messages:
On Tuesday, 28.08.2018, 18:11 +0100, Paul Titjen wrote:
OpenVPN initially had the two crypto warnings, so I deleted all the cert data and then generated new DH parameters with the 3076 value. Then I generated new certificate data using the 3076 value. This removed the DH size warning but still leaves the following:
Cryptographic warning Your host certificate is not RFC3280 compliant. Please update to the latest IPFire version and generate as soon as possible a new root and host certificate. All OpenVPN clients needs then to be renewed!
I looked for any settings that I could apply in web GUI to set extendkeyusage with TLS Web Server Authentication in the cert generation to make the warning go away but could not find a way to do this.
The needed changes are already shipped: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=b66b02ab73863bcb9130300d... . To get the needed changes into your certificates and configuration, you will need to renew the complete x509 set, which will also reset all existing clients. You can find a more detailed discussion about this topic here: https://forum.ipfire.org/viewtopic.php?t=18852#p108144 , and OpenVPN provides some information here as well: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--ns-cert-type .
There is time until OpenVPN version 2.5, but ns-cert-type will be dropped then.
# Warning if certificate is not compliant to RFC3280 TLS rules
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
	# Decode the server certificate and look for the serverAuth EKU
	my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
	if ($extendkeyusage !~ /TLS Web Server Authentication/) {
		# No "TLS Web Server Authentication" in the Extended Key Usage: show the warning
		$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
		goto CRYPTO_WARNING;
	}
}
CRYPTO_WARNING:
Is OpenVPN going to require critical extends on the certs in the future?
Yes, see above.
Hope this somewhat limited testing information helps.
Great, and thanks.
Regards, Paul
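To show what the Perl check above actually tests, here is an added shell example (not IPFire's code and not part of this thread). It builds two constructed self-signed certificates with openssl, one carrying `extendedKeyUsage = serverAuth` and one without any EKU, and runs the same "TLS Web Server Authentication" string match on the decoded certificate that ovpnmain.cgi performs. The function and file names (`has_server_auth_eku`, `ipfire_crypto_check`, the mktemp paths) are assumptions of this example; it only requires `openssl` on the PATH.

```shell
#!/bin/sh
# Added example (not IPFire's code): reproduce the ovpnmain.cgi RFC3280 check
# with plain openssl against two constructed self-signed certificates.
# Assumed: openssl on PATH; scratch files live in a mktemp directory.

WORKDIR="$(mktemp -d)"
GOOD_CERT="$WORKDIR/servercert-with-eku.pem"   # constructed: has extendedKeyUsage serverAuth
BAD_CERT="$WORKDIR/servercert-no-eku.pem"      # constructed: no extendedKeyUsage at all
CFG="$WORKDIR/req.cnf"
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal openssl req configuration with two extension sections: one that sets
# the serverAuth EKU (what a client-side remote-cert-tls check expects on a
# server certificate) and one that omits it, like an old IPFire host cert.
cat > "$CFG" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = ipfire-test-server

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_plain ]
basicConstraints = CA:FALSE
EOF

# make_cert OUTFILE EXTENSION_SECTION: self-signed RSA certificate, valid one day
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" \
        -config "$CFG" -extensions "$2" 2>/dev/null
}
make_cert "$GOOD_CERT" v3_server
make_cert "$BAD_CERT"  v3_plain

# has_server_auth_eku CERT: exit 0 when the decoded certificate lists
# "TLS Web Server Authentication" under X509v3 Extended Key Usage. This is
# the same string match the Perl snippet in the mail performs.
has_server_auth_eku() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# ipfire_crypto_check CERT: echo "ok" (exit 0) or the warning (exit 1),
# and exit 2 when the certificate file is missing, mirroring the -f test.
ipfire_crypto_check() {
    if [ ! -f "$1" ]; then
        echo "no server certificate at $1"
        return 2
    fi
    if has_server_auth_eku "$1"; then
        echo "ok"
        return 0
    fi
    echo "Cryptographic warning: host certificate is not RFC3280 compliant (no extendedKeyUsage serverAuth)"
    return 1
}

# Demonstration: the first certificate passes, the second reproduces the warning.
for cert in "$GOOD_CERT" "$BAD_CERT"; do
    printf '%s: ' "$(basename "$cert")"
    ipfire_crypto_check "$cert" || true
done
```

Running it prints `ok` for the certificate with the EKU and the warning for the one without. The point of the check is that a host certificate without `serverAuth` cannot be validated by clients using `remote-cert-tls server`, the OpenVPN directive that replaces the deprecated `ns-cert-type server`, so renewing the whole x509 set (as the mail says) is what makes both the warning and the future 2.5 incompatibility go away.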