Bug 763487 - OpenVPN with Password authentication does not enable "Add" button
Status: RESOLVED INVALID
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.0.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
Depends on:
Blocks: nm-openvpn-options
 
 
Reported: 2016-03-11 01:56 UTC by Daniel
Modified: 2017-06-03 14:01 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Screenshot of VPN setup screen (40.03 KB, image/png)
2016-03-11 01:56 UTC, Daniel

Description Daniel 2016-03-11 01:56:18 UTC
Created attachment 323676
Screenshot of VPN setup screen

Method:

Using Arch Linux's networkmanager-openvpn package ( https://www.archlinux.org/packages/extra/x86_64/networkmanager-openvpn/ ), and attempting to create a new VPN (using GNOME: System Settings > Network > + > VPN > OpenVPN), and selecting "Password" as the authentication type, the dialog refuses to enable the "Add" button after filling out all the relevant fields (with the exception of the CA Certificate field, but that should not be required) - see attachment for a screenshot of the problem.

Reproducibility: Always

Software:
    * Arch Linux, x86_64, GNOME Shell 3.18.4
    * Network Manager: 1.0.10

Thanks
Comment 1 Thomas Haller 2016-03-11 08:20:48 UTC
If you stay with the mouse over the "Add" button, do you see a tooltip message? What does it say?
Comment 2 Daniel 2016-03-11 14:53:49 UTC
(In reply to Thomas Haller from comment #1)
> if you stay with the mouse over the "Add" button, do you see a tooltip
> message? What does it say?

Hi Thomas. There is no tooltip displayed when hovering over the "Add" button. Neither when all fields are filled out, nor when all fields are empty.
Comment 3 Thomas Haller 2016-03-11 16:47:13 UTC
Hi Daniel,

I see.

In the screenshot you are using gnome-control-center, but it also happens with nm-connection-editor (both nma-1-0 and master branches).

-- in nm-connection-editor you would see a tooltip telling you that the CA is missing.
Comment 5 Dan Williams 2016-03-11 17:13:21 UTC
Unless you're using static-key mode, openvpn clients operate in "tls-client" mode and that appears to require a CA certificate according to the openvpn 2.3.4 source code, per options.c::options_postprocess_verify_ce().

  if (options->tls_server || options->tls_client)
    {
#ifdef ENABLE_PKCS11
      if (options->pkcs11_providers[0])
        {
        }
      else
#endif
#ifdef ENABLE_CRYPTOAPI
      if (options->cryptoapi_cert)
        {
        }
      else
#endif
      if (options->pkcs12_file)
        {
        }
      else
        {
          if ((!(options->ca_file)) && (!(options->ca_path)))
            msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");

AFAIK there is no "password only" encrypted mode without TLS.  OpenVPN supports three basic modes: (1) no encryption, (2) static key, or (3) SSL/TLS, and I believe (3)/TLS requires a CA certificate.
Comment 6 Daniel 2016-03-12 04:34:09 UTC
Yeah, I thought this may have been an erroneous bug report after looking up how to set up OpenVPN and it seemed that you needed to generate a CA key to then hand out to users of the VPN.

Just trying to connect to an SSL VPN service for work on Linux and it's turning out to be quite the pain - which is running OpenVPN. All the clients on Windows and Mac just accept the Gateway address, username, and password to connect, but none of the Network Manager clients (should say, all of the Linux clients I have tried) seem to permit this.

Just as an addendum, I should note that in the "Authentication" section of the Network Manager dialog are the following options:
    * Certificates (TLS)
    * Password
    * Password with Certificates (TLS)
    * Static Key

The second "password" option does not have TLS in parentheses next to it (i.e. implying password only without TLS)? Perhaps just something to clear up in case others come across a similar situation :-)

Kind regards and apologies,
 ~ Daniel.
Comment 7 Thomas Haller 2016-03-12 13:39:57 UTC
(In reply to Daniel from comment #6)
> Just trying to connect to an SSL VPN service for work on Linux and it's
> turning out to be quite the pain - which is running OpenVPN. All the clients
> on Windows and Mac just accept the Gateway address, username, and password
> to connect, but none of the Network Manager clients (should say, all of the
> Linux clients I have tried) seem to permit this.

Don't the Windows/Mac clients also use the OpenVPN binary? So there shouldn't be a difference there.

Apart from the UI restriction, just for a quick test try to edit the connection in "/etc/NetworkManager/system-connections/$FILE" and remove the CA certificate setting there (followed by a `nmcli connection reload`).
Then nm-openvpn-plugin should still work and just not pass any CA path. Does that work or does openvpn error out due to missing ca-cert?
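
An added example (not part of the thread, and not NetworkManager or OpenVPN project code): a Python check for a keyfile from /etc/NetworkManager/system-connections/ that applies the rule quoted in comment 5, that every TLS-based connection type needs a CA, to the file comment 7 suggests editing. It assumes the nm-openvpn keyfile keys service-type, connection-type, ca and static-key in the [vpn] section; the function name and the sample keyfiles are constructed for illustration.

```python
import configparser

OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"
# connection-type values that make OpenVPN run as a TLS client
# ("password" is one of them, even though the UI label does not say TLS)
TLS_TYPES = {"tls", "password", "password-tls"}

def audit_keyfile(text):
    """Return findings for one keyfile's text; an empty list means it passes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str          # keep key names case-sensitive
    cp.read_string(text)
    if not cp.has_section("vpn"):
        return ["no [vpn] section"]
    vpn = cp["vpn"]
    if vpn.get("service-type") != OPENVPN_SERVICE:
        return ["[vpn] is not an OpenVPN connection"]
    ctype = vpn.get("connection-type", "").strip()
    findings = []
    if ctype in TLS_TYPES:
        # Same condition as the options.c excerpt: TLS client mode without a CA
        if not vpn.get("ca", "").strip():
            findings.append(f"connection-type={ctype} is TLS client mode but no ca is set")
    elif ctype == "static-key":
        if not vpn.get("static-key", "").strip():
            findings.append("connection-type=static-key but no static-key is set")
    else:
        findings.append(f"unknown or missing connection-type: {ctype!r}")
    return findings

# Constructed sample keyfiles (host, user and paths are made up).
PASSWORD_NO_CA = """\
[connection]
id=work-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
remote=vpn.example.com
username=exampleuser
"""
PASSWORD_WITH_CA = PASSWORD_NO_CA + "ca=/etc/openvpn/example-ca.crt\n"

if __name__ == "__main__":
    for name, text in [("no ca", PASSWORD_NO_CA), ("with ca", PASSWORD_WITH_CA)]:
        print(name, "->", audit_keyfile(text) or "OK")
```
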