Bug 455142 – [enh] support for --tls-remote

Bug 455142 - [enh] support for --tls-remote


Summary:	[enh] support for --tls-remote

Status:	RESOLVED FIXED

Product:	NetworkManager
Classification:	Platform
Component:	VPN: openvpn
Version:	git master
Hardware:	Other All

Importance:	Normal enhancement
Target Milestone:	---
Assigned To:	Dan Williams
QA Contact:	Dan Williams

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree

Reported:	2007-07-09 12:37 UTC by Luca Falavigna
Modified:	2010-01-18 08:15 UTC (History)
CC List:	2 users (show)

See Also:
GNOME target:	---
GNOME version:	---

Attachments
nm-openvpn-tls-remote-patch (172.59 KB, patch) 2010-01-14 10:51 UTC, Huzaifa Sidhpurwala (Red Hat Security Response)	none	Details \| Diff \| Review
View All Add an attachment (proposed patch, testcase, etc.)

Description Luca Falavigna 2007-07-09 12:37:49 UTC

The network-manager-openvpn plugin doesn't support the tls-remote option in OpenVPN as a form of server certificate verification. For VPNs that rely on tls-remote for verification of certificates NetworkManager will refuse to connect.

A patch has been provided here: https://launchpad.net/bugs/116256

Comment 1 Dan Williams 2008-08-08 12:50:07 UTC

Doesn't missing tls-remote verification just pass the certificate if you don't specify tls remote?  i.e. openvpn will allow connections unless you make verification more restrictive through some combination of --tls-remote, --ns-cert-type, etc?  In any case, this is a good thing to have.

Comment 2 Dan Williams 2008-08-08 14:14:57 UTC

So for 0.7 the openvpn plugin got substantially rewritten.  An updated patch would be quite appreciated!

- A text entry field named "Required Gateway Name" (or something like that) should be added to nm-openvpn-dialog.glade in the table1, table4, and table5 items
- A new key created in src/nm-openvpn-service.h called NM_OPENVPN_KEY_TLS_REMOTE
- Have properties/auth-helpers.c handle the key <-> entry stuff for each of the 3 auth methods in which certificates are used
- Have properties/import-export.c handle that value correctly when importing and exporting

Comment 3 Dan Williams 2008-08-27 18:38:39 UTC

If you don't want to or can't provide an updated patch against current SVN, flip the bug back to NEW and we'll get around to it eventually.

Comment 4 Tobias Mueller 2009-02-23 14:43:30 UTC

Flipping back to new as per comment #3. Luca, feel free to provide a new patch!

Comment 5 Huzaifa Sidhpurwala (Red Hat Security Response) 2010-01-08 06:25:23 UTC

I am going to port this patch to the latest 0.7.997 in some time.

Comment 6 Huzaifa Sidhpurwala (Red Hat Security Response) 2010-01-14 10:51:53 UTC

Created attachment 151386 [details] [review]
nm-openvpn-tls-remote-patch

Comment 7 Huzaifa Sidhpurwala (Red Hat Security Response) 2010-01-14 10:52:40 UTC

attached patch, adds the tls-remote functionality

Comment 8 Dan Williams 2010-01-18 08:15:46 UTC

751fcfb0c1165c52d84ce42409e293984a09d35d (master)
0a637c81da508c75811314a46b07df2527302077 (0.7.x)

thanks!

Note You need to log in before you can comment on or make changes to this bug.