Per Jessen wrote:
Bjoern Voigt wrote:
On 15.05.19 at 10:16, Per Jessen wrote:
Just a heads-up, maybe we have some openvpn users here? In leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the pki infrastructure - generate a new CA with sha256 signature, then re-issue all client certificates.
There is another issue with OpenVPN 2.4. The OpenVPN client refuses to connect if the specified CRL "crl-verify <crl-filename>" is outdated.
Ah, I haven't hit that one yet. I'm just trying to connect a new client (2.4.5), which seems to mean recreating the entire setup, including some other 50 clients. Bit of a nuisance.
Well, all done. If anyone is interested -

server = 2.3.4
clients = 2.4.3 (not 2.4.5), 2.3.4, 2.0.9

On the server (in easy-rsa/) - update openssl.conf to have "default_md = sha256". Regenerate ca with '-sha256', then regenerate client-certs and distribute.

On the clients, I retained "ns-cert-type server", I could not get it to work with "remote-cert-tls server" instead. I also added "cipher AES-256-CBC".

I have never looked at the CRL - I hope it won't start asking for that, on the newest client.

--
Per Jessen, Zürich (12.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
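The two failure modes raised in this thread (certificates signed with an old digest, and an outdated CRL named in "crl-verify") can be checked before clients are upgraded. The script below is an added example, not part of the original posts; it assumes the openssl CLI and GNU date, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: audit an OpenVPN PKI before moving clients to 2.4.x.
# Assumes the openssl CLI and GNU date; function names are illustrative.

# Print a PEM certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ {print $3; exit}'
}

# Succeed if the algorithm name is based on an MD2/MD4/MD5 or SHA-1 digest.
is_weak_alg() {
    case "$1" in
        md[245]*|*[Ss][Hh][Aa]1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Status 0: nextUpdate is before "now" ($2, epoch seconds, default current
# time); 1: still valid; 2: unreadable. Subshell body keeps variables local.
crl_expired() (
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null | cut -d= -f2)
    [ -n "$next" ] || exit 2
    ts=$(date -u -d "$next" +%s 2>/dev/null) || exit 2
    [ "$ts" -lt "${2:-$(date -u +%s)}" ]
)

# Check every *.crt in directory $1 and, if given, the CRL file $2.
# Prints one line per finding; exit status is the number of findings.
audit_pki() (
    bad=0
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        alg=$(sig_alg "$f")
        if [ -z "$alg" ]; then
            echo "UNREADABLE $f"; bad=$((bad + 1))
        elif is_weak_alg "$alg"; then
            echo "WEAK-DIGEST $f ($alg)"; bad=$((bad + 1))
        fi
    done
    if [ -n "$2" ]; then
        rc=0; crl_expired "$2" || rc=$?
        [ "$rc" -eq 0 ] && { echo "CRL-EXPIRED $2"; bad=$((bad + 1)); }
        [ "$rc" -eq 2 ] && { echo "CRL-UNREADABLE $2"; bad=$((bad + 1)); }
    fi
    exit "$bad"
)

if [ "$#" -gt 0 ]; then audit_pki "$@"; fi
```

Run it with the directory holding the issued certificates as the first argument and the CRL file as the optional second; certificates signed with RSA-PSS report the digest in their parameters and are not classified by name here.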