Invoking openvpn removed option --tls-remote

Bug #1666912 reported by Dariusz Gadomski
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
network-manager-openvpn (Debian) | Fix Released | Unknown | - | -
network-manager-openvpn (Ubuntu) | Fix Released | High | Unassigned | -
network-manager-openvpn (Ubuntu Zesty) | Triaged | High | Unassigned | -

Bug Description

Upgrading to the latest openvpn breaks already configured VPN connections.

Steps to reproduce:
1. Import an OpenVPN connection via NetworkManager with the tls-remote option used.
2. Try to connect to VPN.

Expected result:
VPN connection is established.

Actual result:
(from syslog)
Feb 22 14:54:48 hostname NetworkManager[8593]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4.0)
Feb 22 14:54:48 hostname NetworkManager[8593]: Use --help for more information.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: network-manager-openvpn 1.2.6-2ubuntu1
ProcVersionSignature: Ubuntu 4.9.0-15.16-generic 4.9.5
Uname: Linux 4.9.0-15-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity:Unity7
Date: Wed Feb 22 15:06:53 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-03-30 (329 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Beta amd64 (20160323)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
SourcePackage: network-manager-openvpn
UpgradeStatus: Upgraded to zesty on 2016-10-30 (115 days ago)

Revision history for this message
Dariusz Gadomski (dgadomski) wrote :
description: updated
description: updated
Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Medium
Dariusz Gadomski (dgadomski) wrote :

A backport of an upstream-merged workaround for this issue.

The real fix is to manually modify the VPN configurations, but this reduces the impact after upgrading to Zesty.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Chris Glass (tribaal) wrote :

For people suffering from this, a clean workaround is to change the VPN configuration as follows:

- Edit your VPN connection
- "VPN" tab
- "Advanced"
- "TLS Authentication" tab
- Change the "Server certificate check" to something that is *not* "verify subject partially".

In my case, "Don't verify certificate identity" was chosen since the server's public key is checked anyway.

Chris Glass (tribaal) wrote :

An even better fix for your configuration is to change the dropdown to "verify name exactly", and then remove the "CN=" part of the field if you previously had one in your subject match.

Example:

"/CN=example.com" becomes "example.com"

Changed in network-manager-openvpn (Debian):
status: Unknown → Fix Released
Sebastien Bacher (seb128) wrote :

Aron, could you look if that change is right?

Changed in network-manager-openvpn (Ubuntu Zesty):
assignee: nobody → Aron Xu (happyaron)
importance: Medium → High
Aron Xu (happyaron)
Changed in network-manager-openvpn (Ubuntu Zesty):
status: Confirmed → In Progress
Mathieu Trudel-Lapierre (cyphermox) wrote :

This patch should not be applied as-is; as Chris mentions, the correct thing to do is to modify the settings in the VPN connection.

A valid workaround for n-m-openvpn would require also modifying either the value entered in the dialog to strip out part of the value (anything up to and including "CN=") and keeping 'name' as the piece to validate via verify-x509-name; or using "subject" instead, and requiring the use of a fully-formed DN in the dialog.

I think this should be "Won't Fix". It's unfortunate that we are stuck dealing with this fallout in the release, but there doesn't appear to be a foolproof way to transition configs (what is used for "tls-remote" currently is arbitrary, and can vary between installations).
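The manual edit Chris Glass describes ("/CN=example.com" becomes "example.com", checked with verify-x509-name and the 'name' type) and the caveat Mathieu Trudel-Lapierre raises (stored tls-remote values are arbitrary, so no rewrite is foolproof), as an added example that is not part of the bug report or of network-manager-openvpn: a Python script that rewrites the tls-remote lines of a raw OpenVPN client config to verify-x509-name, and reports every line it cannot translate mechanically so that it is reviewed by hand instead of silently left for OpenVPN 2.4 to reject. The sample config and the helper names (SAMPLE_CONFIG, name_from_subject, migrate_tls_remote) are constructed for this example.

```python
"""Rewrite the OpenVPN option "tls-remote" (removed in 2.4) as "verify-x509-name".

Added example, not code from the bug report or from network-manager-openvpn.
"""
import re
from typing import List, Optional, Tuple

# Matches an OpenVPN config line "tls-remote VALUE" (unquoted VALUE only);
# VALUE is either a bare common name or an OpenSSL-style "/C=../O=../CN=.." subject.
_TLS_REMOTE = re.compile(r"^(?P<indent>\s*)tls-remote\s+(?P<value>\S+)\s*$")

# Constructed sample client config (not taken from the bug report).
SAMPLE_CONFIG = """client
dev tun
proto udp
remote vpn.example.net 1194
tls-remote /CN=example.com
remote-cert-tls server
"""


def name_from_subject(value: str) -> Optional[str]:
    """Return the name that a "verify-x509-name <name> name" line should check.

    A bare value is returned as-is (tls-remote treated it as the common name).
    A '/'-separated subject yields its CN= component, or None if it has none,
    in which case there is no name that can be verified exactly.
    """
    if not value.startswith("/"):
        return value
    for component in value.split("/"):
        if component.startswith("CN="):
            cn = component[len("CN="):]
            return cn or None
    return None


def migrate_tls_remote(config_text: str) -> Tuple[str, List[str]]:
    """Rewrite tls-remote lines; return (new config, warnings for manual review)."""
    out_lines: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if not line.lstrip().startswith("tls-remote"):
            out_lines.append(line)
            continue
        m = _TLS_REMOTE.match(line)
        name = name_from_subject(m.group("value")) if m else None
        if name is None:
            # Quoted or otherwise unusual values, or a subject without a CN:
            # the line is left untouched and flagged, since OpenVPN 2.4 will
            # still refuse to start with it.
            warnings.append(f"line {lineno}: cannot translate {line.strip()!r}; edit by hand")
            out_lines.append(line)
            continue
        if not m.group("value").startswith("/"):
            # A bare tls-remote value was matched partially (the dialog called
            # this "verify subject partially"); the rewrite demands an exact
            # match, which may be stricter than the old configuration.
            warnings.append(f"line {lineno}: {name!r} was matched partially; now exact")
        out_lines.append(f"{m.group('indent')}verify-x509-name {name} name")
    trailing = "\n" if config_text.endswith("\n") else ""
    return "\n".join(out_lines) + trailing, warnings


if __name__ == "__main__":
    new_config, notes = migrate_tls_remote(SAMPLE_CONFIG)
    print(new_config)
    for note in notes:
        print("WARNING:", note)
```

Run it against a copy of the exported .ovpn file and only install the rewritten config once every warning has been checked against the server certificate; a subject with no CN component, or one matched only as a prefix before, needs the "subject" form or a new value chosen by hand, exactly the case the thread says cannot be automated.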

tags: added: patch-needswork
Changed in network-manager-openvpn (Ubuntu Zesty):
status: In Progress → Incomplete
status: Incomplete → Triaged
Aron Xu (happyaron)
Changed in network-manager-openvpn (Ubuntu):
assignee: Aron Xu (happyaron) → nobody
Changed in network-manager-openvpn (Ubuntu Zesty):
assignee: Aron Xu (happyaron) → nobody
Changed in network-manager-openvpn (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-openvpn - 1.2.10-0ubuntu1

---------------
network-manager-openvpn (1.2.10-0ubuntu1) artful; urgency=medium

  * New upstream version (ffe lp: #1714509)
    - Allow choosing Adaptive or None LZO compression methods in the
      connection properties dialog (lp: #1714509)
    - Add support for dynamic challenge-response protocol
    - Avoid passing the obsolete "tls-remote" option to OpenVPN versions
      that no longer support it and discourage its use in the properties
      dialog (lp: #1666912)

 -- Sebastien Bacher <email address hidden> Fri, 01 Sep 2017 17:01:07 +0200

Changed in network-manager-openvpn (Ubuntu):
status: Fix Committed → Fix Released