GNOME Bugzilla – Bug 685790
NM-OpenVPN - WARNING: No server certificate verification method has been enabled
Last modified: 2012-11-07 22:01:32 UTC
Hi Guys,

I'm running Slackware 14.0 x86 with Xfce 4.10 & OpenBox and these versions for NetworkManager:
NetworkManager-0.9.6.0
NetworkManager-openvpn-0.9.4.0

I noticed when looking through the logs for the NetworkManager when I'm running openvpn this message:
WARNING: No server certificate verification method has been enabled.

From what I can tell there is no way in which the config option:
ns-cert-type server
can be used in NetworkManager; there appears to be no option to place this in to be used... If I run openvpn from the command line I do not have this problem, here's output from the terminal:

Mon Oct 8 22:24:20 2012 OpenVPN 2.2.2 i486-slackware-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jul 4 2012
Mon Oct 8 22:24:20 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Oct 8 22:24:20 2012 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Mon Oct 8 22:24:20 2012 LZO compression initialized
Mon Oct 8 22:24:22 2012 UDPv4 link local: [undef]
Mon Oct 8 22:24:22 2012 UDPv4 link remote: 83.170.109.13:443
Mon Oct 8 22:24:39 2012 [server] Peer Connection Initiated with 83.170.109.13:443
Mon Oct 8 22:24:43 2012 TUN/TAP device tun1 opened
Mon Oct 8 22:24:43 2012 /usr/sbin/ip link set dev tun1 up mtu 1500
Mon Oct 8 22:24:43 2012 /usr/sbin/ip addr add dev tun1 local 172.16.1.18 peer 172.16.1.17
Mon Oct 8 22:24:46 2012 Initialization Sequence Completed

So how do we add in or use the ns-cert-type server option in the NetworkManager? If there is no method at the moment this is really critical, as this can be a security issue with MITM attacks. I hope I'll please get a reply back soon on this, this is a very critical security matter that needs resolving as soon as possible...

I'm attaching the Network Manager log...

THANKS
Created attachment 226105 [details] NetworkManager Log
*** Bug 685789 has been marked as a duplicate of this bug. ***
*** Bug 685788 has been marked as a duplicate of this bug. ***
I hit the submit button two other times but it never went through, the site just sat trying to load so I didn't think it submitted, so I did it over. Didn't want anyone to think I submitted 3 reports like this on purpose... THANKS
There are several ways to verify server certificates as a means to protect against MITM attacks. OpenVPN lists 5 of them here: http://openvpn.net/index.php/open-source/documentation/howto.html#mitm The NetworkManager-openvpn plugin supports 'tls-remote', i.e. verifying the server's X509 name or common name. So, there is a way of verifying certificates. ns-cert-type uses the deprecated nsCertType extension and is not the way to go. http://old.nabble.com/nsCertType-to32717938.html#a32718014 http://jira.opensciencegrid.org/browse/OSGPKI-2 We should rather think of introducing support for 'remote-cert-tls', which is a method standardized in RFC 3280.
The 'tls-remote' option can be specified in the connection editor:
1. open your VPN connection
2. select the VPN tab
3. click the 'Advanced...' button
4. input the server name to match in the 'Subject Match' field on the 'TLS Authentication' tab
Created attachment 227890 [details] [review] [PATCH] adding support for 'remote-cert-tls' option The patch adds the possibility to check the server certificate usage via the '--remote-cert-tls' option. The UI is in the Advanced dialog on the 'TLS Authentication' page.
Please review. You can see the same patch here http://git.gnome.org/browse/network-manager-openvpn/log/?h=bgo685790
Just merged it instead of sending email to you saying to merge it, hope that's OK.
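For reference, here is a constructed OpenVPN client config fragment (added as an illustration; it is not part of the bug report, the attachments, or the NetworkManager-openvpn patch) showing the three server-identity checks discussed in this thread side by side: the deprecated ns-cert-type, the tls-remote check that the 'Subject Match' field maps to, and the remote-cert-tls check the patch adds. The host vpn.example.org and the file names are placeholders.

```conf
# Constructed OpenVPN 2.2-style client config. With none of the three
# server-identity checks below enabled, the client only verifies that the
# server certificate chains to 'ca', so any certificate issued by that CA
# (including a client certificate) would be accepted as the server, and
# openvpn logs:
#   WARNING: No server certificate verification method has been enabled.
# Enable at least one of them.
client
dev tun
proto udp
remote vpn.example.org 443      # placeholder host
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# 1) Deprecated: relies on the Netscape nsCertType=server extension,
#    which is not part of the X.509 profile in RFC 3280.
#ns-cert-type server

# 2) What NetworkManager-openvpn exposes as 'Subject Match'
#    (VPN tab -> Advanced... -> TLS Authentication): the server
#    certificate's X.509 subject name or common name must match.
#tls-remote "vpn.example.org"

# 3) Preferred, and what the patch in this bug adds to the UI: the server
#    certificate must carry the RFC 3280 extendedKeyUsage
#    "TLS Web Server Authentication" (plus a matching keyUsage).
#    Certificates made with easy-rsa's build-key-server carry both the
#    nsCertType and the extendedKeyUsage extensions, so switching from
#    option 1 to option 3 needs no new server certificate.
remote-cert-tls server
```

Whichever option is used, the server certificate must actually carry the matching attribute (CN, nsCertType or extendedKeyUsage), otherwise the TLS handshake is rejected rather than silently downgraded.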