← Back to team overview

desktop-packages team mailing list archive

[Bug 1383994] [NEW] OpenVPN connections with supplied server certificate don't use it by default

 

Public bug reported:

I am on Xubuntu 14.04 with the most recent version of network-manager
(up-to-date with apt-get).

I added a TCP OpenVPN connection from a config file with a server
certificate file specified. Today, when looking through my syslog, I
found the following:

  Oct 21 11:20:38 xubuntu-MacAir NetworkManager[14273]: <info> VPN connection 'USA-New York-TCP' (Connect) reply received.
  Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
  Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

The certificate was listed in the main tabs of the network-manager's VPN
config window, confirming that network-manager recognized its presence
in the config file. Upon entering the "Advanced" window, I found that
network-manager was not even attempting to use the certificate. I simply
checked the relevant box, and everything now seems to be working fine.

I feel that this is a bug, especially because the user is not notified
of the warning. I'm reasonably experienced with manual configs, but I
wrongly assumed that adding a server certificate was sufficient to have
it actually used. There must be many users that don't know what a syslog
is, and many more that made the same false assumption I did and never
ventured into their logs to observe OpenVPN.

I suggest that the user get an explicit warning through network-manager
in this case, or that the server certificate be used by default if
supplied by the user.

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  I am on Xubuntu 14.04 with the most recent version of network-manager
  (up-to-date with apt-get).
  
  I added a TCP OpenVPN connection from a config file with a server
  certificate file specified. Today, when looking through my syslog, I
  found the following:
  
-   Oct 21 11:20:38 xubuntu-MacAir NetworkManager[14273]: <info> VPN connection 'USA-New York-TCP' (Connect) reply received.                                                                              
-   Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014                                
-   Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
+   Oct 21 11:20:38 xubuntu-MacAir NetworkManager[14273]: <info> VPN connection 'USA-New York-TCP' (Connect) reply received.
+   Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
+   Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
  
  The certificate was listed in the main tabs of the network-manager's VPN
- config window. Upon entering the "Advanced" window, I found that the
- certificate was not even attempting to be used. I simply checked the
- relevant box, and everything now seems to be working fine.
+ config window, confirming that network-manager recognized its presence
+ in the config file. Upon entering the "Advanced" window, I found that
+ network-manager was not even attempting to use the certificate. I simply
+ checked the relevant box, and everything now seems to be working fine.
  
  I feel that this is a bug, especially because the user is not notified
  of the warning. I'm reasonably experienced with manual configs, but I
  wrongly assumed that adding a server certificate was sufficient to have
  it actually used. There must be many users that don't know what a syslog
  is, and many more that made the same false assumption I did and never
  ventured into their logs to observe OpenVPN.
  
  I suggest that the user get an explicit warning through network-manager
  in this case, or that the server certificate be used by default if
  supplied by the user.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1383994

Title:
  OpenVPN connections with supplied server certificate don't use it by
  default

Status in “network-manager” package in Ubuntu:
  New

Bug description:
  I am on Xubuntu 14.04 with the most recent version of network-manager
  (up-to-date with apt-get).

  I added a TCP OpenVPN connection from a config file with a server
  certificate file specified. Today, when looking through my syslog, I
  found the following:

    Oct 21 11:20:38 xubuntu-MacAir NetworkManager[14273]: <info> VPN connection 'USA-New York-TCP' (Connect) reply received.
    Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
    Oct 21 11:20:38 xubuntu-MacAir nm-openvpn[30726]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

  The certificate was listed in the main tabs of the network-manager's
  VPN config window, confirming that network-manager recognized its
  presence in the config file. Upon entering the "Advanced" window, I
  found that network-manager was not even attempting to use the
  certificate. I simply checked the relevant box, and everything now
  seems to be working fine.

  I feel that this is a bug, especially because the user is not notified
  of the warning. I'm reasonably experienced with manual configs, but I
  wrongly assumed that adding a server certificate was sufficient to
  have it actually used. There must be many users that don't know what a
  syslog is, and many more that made the same false assumption I did and
  never ventured into their logs to observe OpenVPN.

  I suggest that the user get an explicit warning through network-
  manager in this case, or that the server certificate be used by
  default if supplied by the user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1383994/+subscriptions


Follow ups

References