Package: network-manager-openvpn-gnome
Version: 1.2.8-2
Severity: important

Dear Maintainer,

After the upgrade from jessie to stretch, I have been unable to connect to my VPN. The GUI was not able to provide a proper description of the reason. However, the system log revealed that the "tls-remote" option was not recognized, which is useful information.

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848024 the solution is to fix the local configuration to use "verify-x509-name" instead.

If I read the documentation correctly, it should be possible to do this using the nm-connection-editor, by choosing a non-legacy item for the "Server Certificate Check" option.

In practice this does not work, because it is not possible to save modifications to existing connections -- the "save" button always remains greyed out. Also creating new OpenVPN connections and saving them is not possible. The only action that works is deleting connections. Hence this bug report.

When trying to edit the connection in the GUI, the log says:

    "Cannot save connection due to error: Invalid setting VPN: cert-pass"

It was possible to edit the connection configuration by hand, as I found out, by editing the corresponding configuration file in /etc/NetworkManager/system-connections/. After editing, it is necessary to reload the connection configuration from disk by running:

    sudo nmcli conn reload

Editing the configuration file has challenges: The mentioned option "cert-pass" did not actually exist in any configuration file. Other existing options like "cert-pass-flags" seem to be undocumented. In any case this is not a regular openvpn configuration file, but has a different set of options.

After much trial and error, connecting to the VPN still does not work. The log shows some TLS errors:

    OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    TLS_ERROR: BIO read tls_read_plaintext error
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed

How do the different variants of verify-x509-name settings need to be configured in the NetworkManager connection configuration file, when the GUI cannot be used?

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=da_DK.utf8, LC_CTYPE=da_DK.utf8 (charmap=UTF-8), LANGUAGE=da_DK.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn-gnome depends on:
ii  libatk1.0-0          2.22.0-1
ii  libc6                2.24-11+deb9u1
ii  libcairo-gobject2    1.14.8-1
ii  libcairo2            1.14.8-1
ii  libdbus-1-3          1.10.22-0+deb9u1
ii  libdbus-glib-1-2     0.108-2
ii  libgdk-pixbuf2.0-0   2.36.5-2+deb9u1
ii  libglib2.0-0         2.50.3-2
ii  libgtk-3-0           3.22.11-1
ii  libnm-glib-vpn1      1.6.2-3
ii  libnm-glib4          1.6.2-3
ii  libnm-gtk0           1.4.4-1
ii  libnm-util2          1.6.2-3
ii  libnm0               1.6.2-3
ii  libnma0              1.4.4-1
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libsecret-1-0        0.18.5-3.1
ii  network-manager-openvpn  1.2.8-2

network-manager-openvpn-gnome recommends no packages.

network-manager-openvpn-gnome suggests no packages.

-- no debconf information
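
Added example, not part of the original report and not code from the package: a small audit that classifies NetworkManager keyfile text by whether its OpenVPN connection still carries "tls-remote", has "verify-x509-name", or has neither. The sample keyfiles are constructed, and the "type:name" layout of the sample verify-x509-name value is an assumption, not something the report confirms.

```python
import configparser

# Service name NetworkManager records for OpenVPN connections.
OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"

# Constructed sample keyfiles (not taken from the report). The "type:name"
# layout of the verify-x509-name value is an assumption.
LEGACY = """[connection]
id=legacy-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.com
tls-remote=vpn.example.com
cert-pass-flags=1
"""
MIGRATED = LEGACY.replace("tls-remote=vpn.example.com",
                          "verify-x509-name=name:vpn.example.com")
UNCHECKED = LEGACY.replace("tls-remote=vpn.example.com\n", "")
WIFI = "[connection]\nid=home\ntype=wifi\n"


def audit_keyfile(text):
    """Classify keyfile text: 'not-openvpn', 'legacy', 'ok' or 'no-name-check'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    # fallback also covers keyfiles that have no [vpn] section at all
    if cp.get("vpn", "service-type", fallback="") != OPENVPN_SERVICE:
        return "not-openvpn"
    vpn = cp["vpn"]
    if "tls-remote" in vpn:
        # The option the report's system log shows as not recognized.
        return "legacy"
    if vpn.get("verify-x509-name", "").strip():
        return "ok"
    # Neither option set: the server certificate's name is not being checked.
    return "no-name-check"


if __name__ == "__main__":
    samples = {"legacy": LEGACY, "migrated": MIGRATED,
               "unchecked": UNCHECKED, "wifi": WIFI}
    for label, text in samples.items():
        print(f"{label}: {audit_keyfile(text)}")
```

To check real connections, pass the contents of each file under /etc/NetworkManager/system-connections/ to audit_keyfile(); reading those files normally requires root.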