network-manager-openvpn lacking support for pkcs12

Bug #91615 reported by Ole-Morten Duesund on 2007-03-12
This bug affects 15 people
Affects Status Importance Assigned to Milestone
Fix Released
One Hundred Papercuts
network-manager-openvpn (Ubuntu)

Bug Description

Binary package hint: network-manager-openvpn

The network-manager-openvpn plugin is great, but it doesn't support connections based on pkcs12 files.
PKCS12 files are a nice way of combining all necessary keys and certificates and makes administration that much easier. Support for this would be very nice!

Alessandro Gervaso (gervystar) wrote :

I agree, I also usually provide a zip file containing the configuration file and a pkcs12 file to my colleagues to access the workplace's network. This would be really useful.

Thomas Schwinge (tschwinge) wrote :

Is there some workaround available here, like using a more recent upstream version?

Thomas Schwinge (tschwinge) wrote :

Okay. Upstream does not (yet?) support that, but I found these instructions to work, i.e. to convert the pkcs12 file to what NetworkManager wants:

    * openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
    * openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
    * openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem

Ole-Morten Duesund (olemd) wrote :

Of course there's a workaround. There's always a workaround. But the nice thing with the pkcs12 file is that it's just one file instead of three.

This isn't so much a bug as a feature-request though.

Philipp Kern (pkern) wrote :

So a new edit box needs to be created to feed `--pkcs12' to openvpn, which deactivates ca/key/cert settings. Setting to wishlist.

Changed in network-manager-openvpn:
importance: Undecided → Wishlist
status: New → Confirmed

Did you develop such a pkcs12 box for the network-manager-openvpn?
Or is it planed for Hardy?

ryanmbruce (ryanmbruce) wrote :

I would argue that this is very much a bug. The netman-ovpn gui in Intrepid has an 'import' feature that fails on .ovpn files that reference pkcs12 files because pkcs12 is quietly unsupported. The user is entirely left in the dark. The import only partially works, and the user is left to ponder why the connection will not work.

More important than wishlist, imho. It's a big disconnect that needs to be given more priority than it currently is (last post was over a year ago).

Marcelo Fernandez (fernandezm) wrote :

I agree with you, ryanmbruce!

+1 to change the Importance to "bug".


Andry (andry-korolyuk) wrote :

Yes. It's true. Import does not give any errors or messages and imported configuration has "OK" button disabled on a dialog. No help button and no troubleshoot info available. would be really nice to support pkcs12 as it looks like pretty often used.


yet unfortunately still no change here, 'mon guys, please do this, its just ONE LINE in the config file that achieves this, can't be too hard to implement so;)

This does not affect the usability of the default Ubuntu experience for the majority of users. Also, it constitutes a new feature (new code), not a trivially fixable usability bug. Therefore, it is not a paper cut.

Changed in hundredpapercuts:
status: New → Invalid

@David Siegel not true, as said you only need to add one single parameter in the config file in order to have this working and the graphical interface is there already, so if i am not completely mistaken this should not require much more code lines then an if/else statement;)

Vish (vish) wrote :

A paper cut is a minor usability annoyance that an average user would encounter on his/her first day of using a new installation of Ubuntu 9.10.

For further info about papercuts criteria , pls read >

Don't worry though, This bug has been marked as "invalid" ONLY in the papercuts project. The network-manager part is still active.

andyhull (andyhull) wrote :

Any more thoughts on this?

I consider it a bug. Does it work as you might reasonably expect it to? No. Therefore a bug.

For what its worth, it stops you connecting to Ipcop firewalls.

You can work round it, if you have a bit of OpenVPN knowledge, and the time to mess about, but then again, it should just work out of the box.

Maybe not a paper cut, perhaps more of a banana skin.

Jordan Erickson (lns) wrote :

@andyhull, this is more of a feature request/wishlist item.

I wrote a blog on how to accomplish this - hopefully this can be sort of a primer to get something going directly in nm-ovpn..

Let me know if there's anything more I can provide, this would really be a killer feature.

Jordan, andyhull,

Patches are obviously welcome, though I believe it will be a little more than one line of code in one if statement ;)

I'll see if I can get around to writing a quick patch for this, but this would definitely be something that would benefit from discussion on the NetworkManager mailing list. Once I have something that looks more or less usable I'll post it up there, but you're welcome to bring up the idea on the list now.

At first glance, I'd probably make it a dropdown in the UI to select the certificate type and work from there, but I'm far from a usability expert.

So apparently there was a patch sent today to the mailing list:

I've linked the related bgo 534219.

Changed in network-manager-openvpn:
importance: Unknown → Wishlist
status: Unknown → Fix Released

Closing this bug, as PKCS12 support was added (upstream bug is closed, this should have made it at least as of Lucid...)

Changed in network-manager-openvpn (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.