OpenVPN ignore rules should silence certificate validation messages
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
logcheck (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Using "remote-cert-tls server" in a client configuration results in the following log messages being reported:
Jul 5 15:39:44 simon-laptop openvpn[9228]: ++ Certificate has key usage 00a0, expects 00a0
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY KU OK
Jul 5 15:39:44 simon-laptop openvpn[9228]: Validating certificate extended key usage
Jul 5 15:39:44 simon-laptop openvpn[9228]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY EKU OK
Jul 5 15:39:44 simon-laptop openvpn[9228]: VERIFY X509NAME OK: /C=*****/<email address hidden>
Using "remote-cert-tls client" in a server configuration results in similar log output. I think this is something that should be ignored when the key usage matches the expectation. Here is a suggested solution:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|
Those rules should be added to /etc/logcheck/
$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
$ apt-cache policy logcheck-database
logcheck-database:
Installed: 1.3.13
Candidate: 1.3.13
Version table:
*** 1.3.13 0
500 http://
100 /var/lib/
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: logcheck-database 1.3.13
ProcVersionSign
Uname: Linux 2.6.38-10-generic x86_64
Architecture: amd64
Date: Wed Jul 6 08:34:38 2011
Dependencies:
PackageArchitec
ProcEnviron:
LANGUAGE=en_US:en
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: logcheck
UpgradeStatus: No upgrade log present (probably fresh install)
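An added example, not part of the original report: a shell check that runs constructed logcheck-style ignore patterns over a constructed sample log and prints whatever would still be reported. The patterns are assumptions (the rules in the report are truncated), they reuse the report's syslog prefix with the process name reduced to plain `openvpn`, and they rely on GNU grep extensions (`\w`, back-references in `-E`) so that a key usage or EKU line is silenced only when "has" and "expects" are identical.

```shell
#!/bin/sh
# Added example: constructed logcheck-style ignore rules, not the reporter's
# truncated ones. Requires GNU grep: \w and ERE back-references (\1) are
# GNU extensions.

# Syslog prefix in the same shape as the report's rules; the process name
# alternation is reduced to plain "openvpn" here (assumption).
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[[:digit:]]+\]: '

rule() { printf '%s%s\n' "$PREFIX" "$1"; }

rules() {
  rule 'VERIFY (KU|EKU) OK$'
  rule 'Validating certificate extended key usage$'
  # \1 forces "has" and "expects" to be identical, so a mismatch stays visible.
  rule '\+\+ Certificate has key usage +([[:xdigit:]]{4}), expects \1$'
  rule '\+\+ Certificate has EKU \(str\) ([^,]+), expects \1$'
  rule 'VERIFY X509NAME OK: .+$'
}

# Constructed sample: six lines shaped like the report's output (syslog pads
# single-digit days with a space), plus two constructed mismatch lines.
sample_log() {
  cat <<'EOF'
Jul  5 15:39:44 client01 openvpn[9228]: ++ Certificate has key usage  00a0, expects 00a0
Jul  5 15:39:44 client01 openvpn[9228]: VERIFY KU OK
Jul  5 15:39:44 client01 openvpn[9228]: Validating certificate extended key usage
Jul  5 15:39:44 client01 openvpn[9228]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul  5 15:39:44 client01 openvpn[9228]: VERIFY EKU OK
Jul  5 15:39:44 client01 openvpn[9228]: VERIFY X509NAME OK: /C=XX/CN=vpn.example.test
Jul  5 15:41:02 client01 openvpn[9228]: ++ Certificate has key usage  0080, expects 00a0
Jul  5 15:41:02 client01 openvpn[9228]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
EOF
}

# Drop every line matched by a rule; one grep per rule keeps each
# back-reference local to its own pattern.
unsilenced() {
  log=$(sample_log)
  while IFS= read -r pat; do
    log=$(printf '%s\n' "$log" | grep -E -v -e "$pat" || true)
  done <<EOF
$(rules)
EOF
  printf '%s\n' "$log"
}

unsilenced
```

Only the two mismatch lines are printed; every line where the certificate matched the expectation is filtered out.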
tags: removed: amd64
Changed in logcheck (Ubuntu): status: New → Fix Released
Would you mind sending your updated rules directly upstream? wiki.logcheck.org/RuleSubmission
http://
Thanks!