Bug 719430 - importing from .ovpn file: "ns-cert-type server" not parsed
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks: nm-openvpn-options
 
 
Reported: 2013-11-27 15:34 UTC by Colin Macdonald
Modified: 2016-04-01 12:37 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Colin Macdonald 2013-11-27 15:34:11 UTC
When I connect my VPN, I get the following MITM warning:

Nov 27 15:31:22 aconite nm-openvpn[18281]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

My sysadmin says:

>>> provided your client supports the
>>>
>>> ns-cert-type server
>>>
>>> OpenVPN configuration option, this warning should disappear.

But that does not seem to be the case.  This should be [unconfirmed] until someone who knows this stuff more than me can confirm!

Example .ovpn file posted in bug #719429 which includes this option.
Comment 1 Colin Macdonald 2013-11-27 15:37:14 UTC
Sorry, relevant versions are:

NetworkManager.x86_64  1:0.9.9.0-19.git20131003.fc20
openvpn.x86_64         2.3.2-4.fc20
Comment 2 Colin Macdonald 2013-11-27 15:38:31 UTC
NetworkManager-openvpn.x86_64         1:0.9.8.2-3.fc20
NetworkManager-openvpn-gnome.x86_64   1:0.9.8.2-3.fc20
Comment 3 Forest 2016-03-11 00:27:09 UTC
I noticed this today as well.  NetworkManager's OpenVPN file importer strips away the "ns-cert-type server" option without even bothering to warn the user, tricking him into thinking his VPN is working while secretly leaving him vulnerable to MITM attacks.  This is dangerous.
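
Added example, not part of the bug thread or of NetworkManager's code: a check that compares the server-verification directives in a .ovpn file against the [vpn] section of the imported connection keyfile and reports any that the import dropped. The sample file contents are constructed, and the assumption that each directive is stored under a same-named key in [vpn] should be checked against the installed nm-openvpn version.

```python
import configparser
import shlex

# OpenVPN directives that turn on server-certificate verification. Storing each
# under a same-named key in the keyfile's [vpn] section is an ASSUMPTION here.
VERIFY_DIRECTIVES = ("ns-cert-type", "remote-cert-tls", "verify-x509-name", "tls-remote")

def ovpn_directives(text):
    """Return {directive: [args]} for verification directives in a .ovpn file."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment styles
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: skip the line
            continue
        if tokens and tokens[0] in VERIFY_DIRECTIVES:
            found[tokens[0]] = tokens[1:]
    return found

def dropped_by_import(ovpn_text, keyfile_text):
    """List verification directives present in the .ovpn but absent from [vpn]."""
    kf = configparser.ConfigParser(interpolation=None, strict=False)
    kf.read_string(keyfile_text)
    vpn = kf["vpn"] if kf.has_section("vpn") else {}
    return sorted(d for d in ovpn_directives(ovpn_text) if d not in vpn)

# Constructed sample input: a client profile and the keyfile an importer
# without ns-cert-type support would produce from it.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.org 1194
ca ca.crt
ns-cert-type server
"""
SAMPLE_KEYFILE = """\
[connection]
id=example
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.org
ca=/home/user/ca.crt
"""

if __name__ == "__main__":
    for name in dropped_by_import(SAMPLE_OVPN, SAMPLE_KEYFILE):
        print(f"dropped on import: {name} (server certificate not verified)")
```

A non-empty result means the connection should not be trusted until the missing option is set by hand or the plugin is updated.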
Comment 4 Beniamino Galvani 2016-03-23 10:47:24 UTC
Support for ns-cert-type added in branch bg/ns-cert-type-bgo719430, please review.
Comment 5 Thomas Haller 2016-03-23 11:01:11 UTC
(In reply to Beniamino Galvani from comment #4)
> Support for ns-cert-type added in branch bg/ns-cert-type-bgo719430, please
> review.

lgtm!
Comment 6 Beniamino Galvani 2016-04-01 12:37:14 UTC
Rebased to master and merged: 644e55ed404edbc953e323d13c57297b53cc0f8b