[opensuse] leap 15.1 / openvpn - stricter requirements on the server
Just a heads-up, maybe we have some openvpn users here? In leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the pki infrastructure - generate a new CA with sha256 signature, then re-issue all client certificates.

-- 
Per Jessen, Zürich (6.7°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 15.05.19 at 10:16, Per Jessen wrote:
> Just a heads-up, maybe we have some openvpn users here? In leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the pki infrastructure - generate a new CA with sha256 signature, then re-issue all client certificates.

There is another issue with OpenVPN 2.4. The OpenVPN client refuses to connect if the specified CRL ("crl-verify <crl-filename>") is outdated. CRL updates can be achieved on server computers, e.g. with cron jobs or systemd timers which trigger a CRL update. But it is especially a problem on computers which are used rarely or which do not have a central management.

OCSP can be used as an alternative to CRLs. But OCSP requires a complex setup on OpenVPN servers and clients, and there are no production-ready open source OCSP servers available (the OpenSSL OCSP responder is meant for demonstration purposes). For Windows OpenVPN clients there are no scripts available for CRL updates or OCSP checks.

The Easyrsa team solves the issue with outdated CRLs and OpenVPN 2.4 with a standard CRL expiration time of 10 years. (This works, but makes CRLs less useful.)

To summarize, I would recommend documenting the OpenVPN 2.4 changes which may break existing setups in the openSUSE 15.1 release notes.

Greetings,
Björn
Bjoern Voigt wrote:

> On 15.05.19 at 10:16, Per Jessen wrote:
>> Just a heads-up, maybe we have some openvpn users here? In leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the pki infrastructure - generate a new CA with sha256 signature, then re-issue all client certificates.
>
> There is another issue with OpenVPN 2.4. The OpenVPN client refuses to connect if the specified CRL ("crl-verify <crl-filename>") is outdated.

Ah, I haven't hit that one yet. I'm just trying to connect a new client (2.4.5), which seems to mean recreating the entire setup, including some other 50 clients. Bit of a nuisance.

> To summarize, I would recommend documenting the OpenVPN 2.4 changes which may break existing setups in the openSUSE 15.1 release notes.

I think that would be a good idea, yes.

-- 
Per Jessen, Zürich (11.1°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Per Jessen wrote:

> Bjoern Voigt wrote:
>> On 15.05.19 at 10:16, Per Jessen wrote:
>>> Just a heads-up, maybe we have some openvpn users here? In leap 15.1 we ship openvpn 2.4.5 - this version has a stricter set of checks on the server setup. I don't think there is a way around rebuilding the pki infrastructure - generate a new CA with sha256 signature, then re-issue all client certificates.
>>
>> There is another issue with OpenVPN 2.4. The OpenVPN client refuses to connect if the specified CRL ("crl-verify <crl-filename>") is outdated.
>
> Ah, I haven't hit that one yet. I'm just trying to connect a new client (2.4.5), which seems to mean recreating the entire setup, including some other 50 clients. Bit of a nuisance.

Well, all done. If anyone is interested:

server = 2.3.4
clients = 2.4.3 (not 2.4.5), 2.3.4, 2.0.9

On the server (in easy-rsa/) - update openssl.conf to have "default_md = sha256". Regenerate the CA with '-sha256', then regenerate the client certs and distribute.

On the clients, I retained "ns-cert-type server"; I could not get it to work with "remote-cert-tls server" instead. I also added "cipher AES-256-CBC".

I have never looked at the CRL - I hope it won't start asking for that, on the newest client.

-- 
Per Jessen, Zürich (12.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
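The script below is an added example; it is not code from this thread, from easy-rsa or from the OpenVPN project. It builds a throwaway PKI with plain openssl to show the two things the thread touches on: Per's rebuild (a CA and issued certificates signed with sha256, plus a server certificate carrying the keyUsage and extendedKeyUsage serverAuth extensions that OpenVPN's "remote-cert-tls server" checks for), and Björn's CRL point (a CRL whose nextUpdate has passed makes OpenSSL's verification fail, which is the same check that a "crl-verify" OpenVPN 2.4 runs). The CA name, server CN, file names and directory layout are made up for the example; it assumes openssl 1.1.1 or later on PATH and works entirely in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread, easy-rsa or OpenVPN): a throwaway PKI
# built with plain openssl. Names, paths and lifetimes below are invented.
# Assumes openssl 1.1.1+ on PATH; everything is written to a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal "openssl ca" setup. default_md = sha256 is the setting Per changed
# in easy-rsa's openssl.conf; the CA certificate itself is self-signed with
# -sha256 below. The [ req ] section keeps openssl from needing a system config.
make_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
serial           = \$dir/serial
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# What "remote-cert-tls server" looks for on the server certificate.
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -new -config "$WORK/ca.cnf" -sha256 -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate through the CA database, adding server_ext.
issue_server_cert() {
    openssl req -new -config "$WORK/ca.cnf" -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=vpn-server" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions server_ext \
        -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# 0 when the certificate is signed with sha256WithRSAEncryption.
signed_with_sha256() {
    openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# 0 when the certificate carries the serverAuth extended key usage.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Issue a CRL whose nextUpdate is $1 seconds from now. A real setup would use
# -crldays; a one-second CRL lets the script show the expiry failure quickly.
gen_crl() {
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -crlsec "$1" -out "$WORK/crl.pem" 2>/dev/null
}

crl_next_update() {
    openssl crl -in "$WORK/crl.pem" -noout -nextupdate
}

# 0 when the certificate chains to the CA, is not revoked, and the CRL is
# still current. An expired CRL fails with "CRL has expired"; this is the
# OpenSSL verification result behind the crl-verify failures in the thread.
cert_ok_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" "$1" >/dev/null 2>&1
}

make_ca
issue_server_cert
signed_with_sha256 "$WORK/ca.crt" && echo "CA signature algorithm: sha256"
has_server_eku "$WORK/server.crt" && echo "server cert has EKU serverAuth"

gen_crl 86400
cert_ok_with_crl "$WORK/server.crt" && echo "fresh CRL: verify OK ($(crl_next_update))"

gen_crl 1
sleep 2
if cert_ok_with_crl "$WORK/server.crt"; then
    echo "unexpected: expired CRL accepted"
else
    echo "expired CRL: verify rejected ($(crl_next_update))"
fi
```

The two CRL runs are the whole point: the same certificate passes with a current CRL and fails once nextUpdate is in the past, without anything being revoked. For a server that is rarely used, that means either regenerating the CRL on a timer before it expires, or issuing it with a long validity (the easy-rsa default Björn mentions); checking `openssl crl -noout -nextupdate` on the file OpenVPN loads is a quick way to tell which case you are in.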
Per Jessen wrote:

>> To summarize, I would recommend documenting the OpenVPN 2.4 changes which may break existing setups in the openSUSE 15.1 release notes.
>
> I think that would be a good idea, yes.

Unfortunately nobody wrote an OpenVPN comment for the Leap 15.1 release notes. Maybe the change is not important enough.

Does anyone know what the process is to add something to the release notes?

Greetings,
Björn
participants (2)
-
Bjoern Voigt
-
Per Jessen