Bug#848024: Fails to connect after upgrade to openvpn 2.4
Package: network-manager-openvpn
Version: 1.2.8-2
Followup-For: Bug #848024

The bug is still there in version 1.2.8-2, because the GUI for editing
connection properties still always generates the invalid option "tls-remote"
if you want to specify the X509 properties.

Concretely, the problem is in the openvpn configuration, tab VPN (openvpn):
click on "Advanced", then switch to the tab TLS settings. The first control
on this tab is the edit field where you can put the identification for X509
validation (something like "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz, emailAddress=somaeddr...@somedomain.cz").

But now, instead of generating the openvpn configuration with the option
"verify-x509-name" - the ovpn configuration should contain a line with
something like

    verify-x509-name "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz, emailAddress=someaddr...@somedomain.cz"

it still generates the old obsolete form

    tls-remote "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz, emailAddress=someaddr...@somedomain.cz"

The only workaround for this I have found is to leave the validation field
empty, but then you lose the validation possibility.

This should be fixed: the correct setting verify-x509-name should be written
to the generated ovpn configuration instead of today's tls-remote.

Possibly the edit dialogue should also be extended so that the type parameter
can be specified after the name parameter of the tag verify-x509-name -
according to the openvpn manual, the type of the X509 name can also be
specified; if omitted, the default is used.
-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs:en_US:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.115
ii  libc6            2.24-11+deb9u1
ii  libglib2.0-0     2.50.3-2
ii  libnm0           1.6.2-3
ii  network-manager  1.6.2-3
ii  openvpn          2.4.0-6+deb9u1

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
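
Added example, not part of the original report and not code from network-manager-openvpn or OpenVPN: a Python audit of an OpenVPN config that rewrites the removed tls-remote line into the verify-x509-name form the report asks for, and flags a config left with no X.509 name check at all. The function names, the finding codes, the sample config and the heuristic that picks the type argument are assumptions of this example.

```python
import shlex

def classify(value):
    # Heuristic (an assumption of this example): decide which
    # verify-x509-name type preserves what the legacy value matched.
    if value.startswith("/"):
        return None            # old slash-separated DN: rewrite by hand
    if "=" in value and ", " in value:
        return "subject"       # complete subject DN in the new format
    return "name-prefix"       # bare common name, matched as a prefix

def audit(config_text):
    """Return (findings, migrated_text) for one OpenVPN config."""
    findings, out, has_name_check = [], [], False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # blank line or comment
            out.append(line)
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:                         # unbalanced quote
            tokens = stripped.split()
        option = tokens[0].lstrip("-")
        if option == "verify-x509-name":
            has_name_check = True
        elif option == "tls-remote" and len(tokens) > 1:
            has_name_check = True
            kind = classify(tokens[1])
            if kind is None:
                findings.append((lineno, "manual", tokens[1]))
            else:
                quoted = tokens[1].replace("\\", "\\\\").replace('"', '\\"')
                line = f'verify-x509-name "{quoted}" {kind}'
                findings.append((lineno, "migrated", kind))
        out.append(line)
    if not has_name_check:
        # Same effect as leaving the validation field empty.
        findings.append((0, "no-name-check", ""))
    return findings, "\n".join(out) + "\n"

# Constructed sample input, using the subject format quoted in the report.
SAMPLE = """\
client
remote vpn.example.org 1194
ca ca.crt
tls-remote "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz"
"""

if __name__ == "__main__":
    found, migrated = audit(SAMPLE)
    for lineno, code, detail in found:
        print(f"line {lineno}: {code} {detail}")
    print(migrated, end="")
```

A "manual" finding leaves the line untouched: a value in the old slash-separated format has to be rewritten in the new X.509 name format before it can be used with verify-x509-name.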
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On Sat, Dec 17, 2016 at 10:46:46AM +0100, Julien Cristau wrote:
> On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote:
>
> > On 13.12.2016 at 18:22, Michael Biebl wrote:
> > > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> > >
> > > On 13.12.2016 at 18:02, Michael Biebl wrote:
> > >> On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
> > >>> Hi there,
> > >>>
> > >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> > >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> > >>>
> > >>> Please also note: This option is now deprecated. It will be removed
> > >>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
> > >>> X.509 name formatting described with the --compat-names option as
> > >>> soon as possible by updating your configurations to use
> > >>> --verify-x509-name instead.
> > >>>
> > >>> IMHO this should have been fixed in network-manager-openvpn before 2.4
> > >>> arrived.
> > >>
> > >> Ok, thanks for the info.
> > >> I've cloned this bug report for openvpn. It needs a versioned Breaks
> > >> against network-manager-openvpn once a fixed version has been uploaded,
> > >> to avoid breakage on partial uploads.
> > >>
> > >> I'll ping you once such a version is available.
> > >
> > > I've blocked the two bugs accordingly and forwarded the issue to upstream.
> >
> > Looking at https://codesearch.debian.net/search?q=tls-remote
> > there are possibly more packages which are affected.
> > Have you notified them about this and/or checked that they are not affected?
> >
> > I'm not sure if it's a bit late at this point of the release cycle to
> > introduce such a change in openvpn. I've CCed the release-team on their
> > input on this, i.e. whether we want openvpn in stretch 2.4 and how the
> > removal of tls-remote should be handled.
> >
> Now is not the time to make incompatible changes affecting other
> packages? How hard would it be to provide backwards compatibility here?

Hi Julien,

the change does not affect other packages, but setups using a deprecated
option. A note will be added to NEWS.Debian.

Regards,

Alberto

--
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote:

> On 13.12.2016 at 18:22, Michael Biebl wrote:
> > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> >
> > On 13.12.2016 at 18:02, Michael Biebl wrote:
> >> On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
> >>> Hi there,
> >>>
> >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> >>>
> >>> Please also note: This option is now deprecated. It will be removed
> >>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
> >>> X.509 name formatting described with the --compat-names option as
> >>> soon as possible by updating your configurations to use
> >>> --verify-x509-name instead.
> >>>
> >>> IMHO this should have been fixed in network-manager-openvpn before 2.4
> >>> arrived.
> >>
> >> Ok, thanks for the info.
> >> I've cloned this bug report for openvpn. It needs a versioned Breaks
> >> against network-manager-openvpn once a fixed version has been uploaded, to
> >> avoid breakage on partial uploads.
> >>
> >> I'll ping you once such a version is available.
> >
> > I've blocked the two bugs accordingly and forwarded the issue to upstream.
>
> Looking at https://codesearch.debian.net/search?q=tls-remote
> there are possibly more packages which are affected.
> Have you notified them about this and/or checked that they are not affected?
>
> I'm not sure if it's a bit late at this point of the release cycle to
> introduce such a change in openvpn. I've CCed the release-team on their
> input on this, i.e. whether we want openvpn in stretch 2.4 and how the
> removal of tls-remote should be handled.
>
Now is not the time to make incompatible changes affecting other
packages? How hard would it be to provide backwards compatibility here?

Cheers,
Julien
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On Tue, Dec 13, 2016 at 11:04:46PM +0100, Michael Biebl wrote:
> On 13.12.2016 at 18:22, Michael Biebl wrote:
> > I've blocked the two bugs accordingly and forwarded the issue to
> > upstream.
>
> This is upstream's response
>
> > Thomas Haller:
> > I don't think there is anything to do.
> >
> > nm-openvpn already supports the verify-x509-name option, which should
> > be used.
> >
> >
> > The problem is for users who have existing connections with
> > tls-remote setting.
> >
> > For example, when you look at your NetworkManager ovpn connection
> > (for example, named "MyOVPN"):
> >
> > $ nmcli connection show "MyVPN" | grep tls-remote
> >
> >
> > openvpn 2.4 breaks backward compatibility by removing the option.
> > There is nothing that nm-openvpn can do about it except requiring
> > users to fix their configuration.
> >
> > E.g. the Gnome plugin of nm-openvpn for nm-connection-editor has a
> > "Server Certificate Check" combobox. Affected users have to move away
> > from the "Verify subject partially (legacy mode)" setting.
>
> In light of that, I'll close this bug report.
> I suggest, openvpn either patches tls-remote support back in (for
> stretch) or it adds a NEWS file, telling users to check their VPN
> configuration files (including the NetworkManager config) and fix them
> up manually.

Michael,
Indeed, changing that configuration did fix my setup. Thanks!

Since NM can detect this situation, could it provide this same advice
to the user, even if just via syslog?

-dann
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On 13.12.2016 at 18:22, Michael Biebl wrote:
> Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
>
> On 13.12.2016 at 18:02, Michael Biebl wrote:
>> On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
>>> Hi there,
>>>
>>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
>>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
>>>
>>> Please also note: This option is now deprecated. It will be removed
>>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
>>> X.509 name formatting described with the --compat-names option as
>>> soon as possible by updating your configurations to use
>>> --verify-x509-name instead.
>>>
>>> IMHO this should have been fixed in network-manager-openvpn before 2.4
>>> arrived.
>>
>> Ok, thanks for the info.
>> I've cloned this bug report for openvpn. It needs a versioned Breaks
>> against network-manager-openvpn once a fixed version has been uploaded, to
>> avoid breakage on partial uploads.
>>
>> I'll ping you once such a version is available.
>
> I've blocked the two bugs accordingly and forwarded the issue to upstream.

Looking at https://codesearch.debian.net/search?q=tls-remote
there are possibly more packages which are affected.
Have you notified them about this and/or checked that they are not affected?

I'm not sure if it's a bit late at this point of the release cycle to
introduce such a change in openvpn. I've CCed the release-team on their
input on this, i.e. whether we want openvpn in stretch 2.4 and how the
removal of tls-remote should be handled.

Regards,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045

On 13.12.2016 at 18:02, Michael Biebl wrote:
> On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
>> Hi there,
>>
>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
>>
>> Please also note: This option is now deprecated. It will be removed
>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
>> X.509 name formatting described with the --compat-names option as
>> soon as possible by updating your configurations to use
>> --verify-x509-name instead.
>>
>> IMHO this should have been fixed in network-manager-openvpn before 2.4
>> arrived.
>
> Ok, thanks for the info.
> I've cloned this bug report for openvpn. It needs a versioned Breaks
> against network-manager-openvpn once a fixed version has been uploaded, to
> avoid breakage on partial uploads.
>
> I'll ping you once such a version is available.

I've blocked the two bugs accordingly and forwarded the issue to upstream.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: clone -1 -2
Control: reassign -2 openvpn 2.4~rc1-1
Control: retitle -2 needs versioned breaks against fixed network-manager-openvpn

On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
> Hi there,
>
> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
>
> Please also note: This option is now deprecated. It will be removed
> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
> X.509 name formatting described with the --compat-names option as
> soon as possible by updating your configurations to use
> --verify-x509-name instead.
>
> IMHO this should have been fixed in network-manager-openvpn before 2.4
> arrived.

Ok, thanks for the info.
I've cloned this bug report for openvpn. It needs a versioned Breaks
against network-manager-openvpn once a fixed version has been uploaded, to
avoid breakage on partial uploads.

I'll ping you once such a version is available.

Regards,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: reassign -1 network-manager-openvpn

On Tue, Dec 13, 2016 at 04:31:35PM +0100, Michael Biebl wrote:
> Control: reassign -1 openvpn
> Control: severity -1 serious
> Control: affects -1 network-manager-openvpn
>
> On 13.12.2016 at 11:33, dann frazier wrote:
> > Package: network-manager-openvpn
> > Version: 1.2.6-2
> > Severity: normal
> >
> > After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:
> >
> > Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized
> > option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote
> > (2.4_rc1)
> > (Options error: Unrecognized option or missing or extra parameter(s) in
> > [CMD-LINE]:1: tls-remote (2.4_rc1)
> >
> > I'm working around this by reverting to openvpn 2.3.11-2.
>
>
> Dear openvpn maintainers,
>
> could you have a look at this bug report please.
> It seems the new openvpn rc release breaks the NetworkManager openvpn
> plugin.
> I've bumped it to RC, so the package doesn't migrate to testing for now.
>
> If there is something which needs to be fixed on the
> network-manager-openvpn, please clone this bug report or reassign back.
>

Hi there,

The --tls-remote was removed in OpenVPN 2.4, and was already marked as
DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:

Please also note: This option is now deprecated. It will be removed
either in OpenVPN v2.4 or v2.5. So please make sure you support the new
X.509 name formatting described with the --compat-names option as
soon as possible by updating your configurations to use
--verify-x509-name instead.

IMHO this should have been fixed in network-manager-openvpn before 2.4
arrived.

Regards,

Alberto

--
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: reassign -1 openvpn
Control: severity -1 serious
Control: affects -1 network-manager-openvpn

On 13.12.2016 at 11:33, dann frazier wrote:
> Package: network-manager-openvpn
> Version: 1.2.6-2
> Severity: normal
>
> After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:
>
> Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option
> or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
> (Options error: Unrecognized option or missing or extra parameter(s) in
> [CMD-LINE]:1: tls-remote (2.4_rc1)
>
> I'm working around this by reverting to openvpn 2.3.11-2.

Dear openvpn maintainers,

could you have a look at this bug report please.
It seems the new openvpn rc release breaks the NetworkManager openvpn
plugin.
I've bumped it to RC, so the package doesn't migrate to testing for now.

If there is something which needs to be fixed on the
network-manager-openvpn, please clone this bug report or reassign back.

Regards,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#848024: Fails to connect after upgrade to openvpn 2.4
Package: network-manager-openvpn
Version: 1.2.6-2
Severity: normal

After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:

Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
(Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)

I'm working around this by reverting to openvpn 2.3.11-2.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.115
ii  libc6            2.24-8
ii  libglib2.0-0     2.50.2-2
ii  libnm0           1.4.2-3
ii  network-manager  1.4.2-3
ii  openvpn          2.3.11-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information