Bug 776045 - Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.2.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Reported: 2016-12-13 17:20 UTC by Michael Biebl
Modified: 2017-02-15 13:09 UTC



Description Michael Biebl 2016-12-13 17:20:48 UTC
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848024

With openvpn 2.4 rc1, NetworkManager-openvpn fails with the following error message:

Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
(Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)

According to the Debian openvpn maintainer, this is due to:

"
The --tls-remote was removed in OpenVPN 2.4, and was already marked as
DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:

Please also note: This option is now deprecated. It will be removed
either in OpenVPN v2.4 or v2.5. So please make sure you support the new
X.509 name formatting described with the --compat-names option as
soon as possible by updating your configurations to use
--verify-x509-name instead.
"
Comment 1 Thomas Haller 2016-12-13 18:45:04 UTC
I don't think there is anything to do.

nm-openvpn already supports the verify-x509-name option, which should be used.


The problem is for users who have existing connections with tls-remote setting.

For example, when you look at your NetworkManager ovpn connection (for example, named "MyOVPN"):
 
  $ nmcli connection show "MyOVPN" | grep tls-remote


openvpn 2.4 breaks backward compatibility by removing the option. There is nothing that nm-openvpn can do about it except requiring users to fix their configuration.

E.g. the Gnome plugin of nm-openvpn for nm-connection-editor has a "Server Certificate Check" combobox. Affected users have to move away from the "Verify subject partially (legacy mode)" setting.




Ok, maybe the GUI should be improved to make it more clear that the option is now really non-working against 2.4. And one day, maybe the option should be removed entirely. I leave the bug open for that, but it's merely cosmetic.
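
Added example (not part of the bug thread and not nm-openvpn code): a shell check that goes beyond the single nmcli query above by scanning a whole directory of saved profiles for the removed tls-remote key, and noting whether verify-x509-name is already set. It assumes the profiles are stored in NetworkManager's keyfile (INI) format with the plugin options in the [vpn] section; the function names and status words are illustrative.

```shell
# Added example, not code from nm-openvpn or the bug thread.
# Assumption: profiles are NetworkManager keyfiles (INI), with the plugin's
# options stored as key=value lines in the [vpn] section.

# classify_profile FILE -> prints one status word (names are illustrative):
#   not-openvpn  [vpn] section absent or for another VPN plugin
#   legacy       tls-remote set, verify-x509-name not set
#   both         tls-remote still present next to verify-x509-name
#   migrated     only verify-x509-name set
#   neither      neither of the two options set
classify_profile() {
    awk '
        /^\[/ { in_vpn = ($0 ~ /^\[vpn\][ \t]*$/); next }
        in_vpn && /^service-type[ \t]*=.*openvpn/  { ovpn = 1 }
        in_vpn && /^tls-remote[ \t]*=/             { legacy = 1 }
        in_vpn && /^verify-x509-name[ \t]*=/       { modern = 1 }
        END {
            if (!ovpn)                 print "not-openvpn"
            else if (legacy && modern) print "both"
            else if (legacy)           print "legacy"
            else if (modern)           print "migrated"
            else                       print "neither"
        }
    ' "$1"
}

# audit_dir DIR -> "status<TAB>file" for each profile that still has tls-remote
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        st=$(classify_profile "$f")
        case $st in
            legacy|both) printf '%s\t%s\n' "$st" "$f" ;;
        esac
    done
}
```

Source the file and run `audit_dir /etc/NetworkManager/system-connections` with enough privilege to read the profiles; each line printed is a connection that still carries tls-remote and needs its server certificate check changed.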
Comment 2 Thomas Haller 2017-01-18 14:42:59 UTC
removal of option upstream:

https://github.com/OpenVPN/openvpn/commit/10ce637066f44e8ad9f4af000b8d0c2a4012236d
Comment 3 Thomas Haller 2017-02-13 13:32:30 UTC
as suggested, let's have the plugin instead use verify-x509-name.

The options are not equivalent, but should work equally well in most cases.

Please review

https://git.gnome.org/browse/network-manager-openvpn/log/?h=th/tls-remote-workaround-bgo776045