Debian Bug report logs - #848024
Fails to connect after upgrade to openvpn 2.4

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 11:33:13 +0100

Package: network-manager-openvpn
Version: 1.2.6-2
Severity: normal

After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:

Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
(Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)

I'm working around this by reverting to openvpn 2.3.11-2.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.115
ii  libc6            2.24-8
ii  libglib2.0-0     2.50.2-2
ii  libnm0           1.4.2-3
ii  network-manager  1.4.2-3
ii  openvpn          2.3.11-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information

Message #10 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: dann frazier <dannf@debian.org>, 848024@bugs.debian.org, openvpn@packages.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 16:31:35 +0100

[Message part 1 (text/plain, inline)]

Control: reassign -1 openvpn
Control: severity -1 serious
Control: affects -1 network-manager-openvpn

Am 13.12.2016 um 11:33 schrieb dann frazier:
> Package: network-manager-openvpn
> Version: 1.2.6-2
> Severity: normal
> 
> After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:
> 
> Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
> (Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
> 
> I'm working around this by reverting to openvpn 2.3.11-2.


Dear openvpn maintainers,

could you have a look at this bug report please.
It seems the new openvpn rc release breaks the NetworkManager openvpn
plugin.
I've bumped it to RC, so the package doesn't migrate to testing for now.

If there is something which needs to be fixed on the
network-manager-openvpn, please clone this bug report or reassign back.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #25 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: Michael Biebl <biebl@debian.org>

Cc: dann frazier <dannf@debian.org>, 848024@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 16:53:50 +0100

Control: reassign -1 network-manager-openvpn

On Tue, Dec 13, 2016 at 04:31:35PM +0100, Michael Biebl wrote:
> Control: reassign -1 openvpn
> Control: severity -1 serious
> Control: affects -1 network-manager-openvpn
> 
> Am 13.12.2016 um 11:33 schrieb dann frazier:
> > Package: network-manager-openvpn
> > Version: 1.2.6-2
> > Severity: normal
> > 
> > After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:
> > 
> > Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
> > (Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4_rc1)
> > 
> > I'm working around this by reverting to openvpn 2.3.11-2.
> 
> 
> Dear openvpn maintainers,
> 
> could you have a look at this bug report please.
> It seems the new openvpn rc release breaks the NetworkManager openvpn
> plugin.
> I've bumped it to RC, so the package doesn't migrate to testing for now.
> 
> If there is something which needs to be fixed on the
> network-manager-openvpn, please clone this bug report or reassign back.
> 

Hi there,

The --tls-remote was removed in OpenVPN 2.4, and was already marked as
DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:

Please  also note: This option is now deprecated.  It will be removed
either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
X.509  name formatting  described  with  the  --compat-names option as
soon as possible by updating your configurations to use
--verify-x509-name instead.

IMHO this should have been fixed in network-manager-openvpn before 2.4
arrived.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

Message #34 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Alberto Gonzalez Iniesta <agi@inittab.org>

Cc: dann frazier <dannf@debian.org>, 848024@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 18:02:37 +0100

[Message part 1 (text/plain, inline)]

Control: clone -1 -2
Control: reassign -2 openvpn 2.4~rc1-1
Control: retitle -2 needs versioned breaks against fixed network-manager-openvpn

Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta:
> Hi there,
> 
> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> 
> Please  also note: This option is now deprecated.  It will be removed
> either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
> X.509  name formatting  described  with  the  --compat-names option as
> soon as possible by updating your configurations to use
> --verify-x509-name instead.
> 
> IMHO this should have been fixed in network-manager-openvpn before 2.4
> arrived.

Ok, thanks for the info.
I've cloned this bug report for openvpn. It needs a versioned Breaks
against network-manager-openvpn once a fixed version has been uploaded, to
avoid breakage on partial uploads.

I'll ping you once such a version is available.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #45 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Alberto Gonzalez Iniesta <agi@inittab.org>

Cc: 848024@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 18:22:25 +0100

[Message part 1 (text/plain, inline)]

Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045

Am 13.12.2016 um 18:02 schrieb Michael Biebl:
> Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta:
>> Hi there,
>>
>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
>>
>> Please  also note: This option is now deprecated.  It will be removed
>> either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
>> X.509  name formatting  described  with  the  --compat-names option as
>> soon as possible by updating your configurations to use
>> --verify-x509-name instead.
>>
>> IMHO this should have been fixed in network-manager-openvpn before 2.4
>> arrived.
> 
> Ok, thanks for the info.
> I've cloned this bug report for openvpn. It needs a versioned Breaks
> against network-manager-openvpn once a fixed version has been uploaded, to
> avoid breakage on partial uploads.
> 
> I'll ping you once such a version is available.

I've blocked the two bugs accordingly and forwarded the issue to upstream.





-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #52 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Alberto Gonzalez Iniesta <agi@inittab.org>

Cc: 848024@bugs.debian.org, debian-release <debian-release@lists.debian.org>

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 19:19:53 +0100

[Message part 1 (text/plain, inline)]

Am 13.12.2016 um 18:22 schrieb Michael Biebl:
> Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> 
> Am 13.12.2016 um 18:02 schrieb Michael Biebl:
>> Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta:
>>> Hi there,
>>>
>>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
>>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
>>>
>>> Please  also note: This option is now deprecated.  It will be removed
>>> either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
>>> X.509  name formatting  described  with  the  --compat-names option as
>>> soon as possible by updating your configurations to use
>>> --verify-x509-name instead.
>>>
>>> IMHO this should have been fixed in network-manager-openvpn before 2.4
>>> arrived.
>>
>> Ok, thanks for the info.
>> I've cloned this bug report for openvpn. It needs a versioned Breaks
>> against network-manager-openvpn once a fixed version has been uploaded, to
>> avoid breakage on partial uploads.
>>
>> I'll ping you once such a version is available.
> 
> I've blocked the two bugs accordingly and forwarded the issue to upstream.

Looking at https://codesearch.debian.net/search?q=tls-remote
there are possibly more packages which are affected.
Have you notified them about this and/or checked that they are not affected?

I'm not sure if it's a bit late at this point of the release cycle to
introduce such a change in openvpn. I've CCed the release-team on their
input on this, i.e. whether we want openvpn in stretch 2.4 and how the
removal of tls-remote should be handled.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #59 received at 848024-done@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Alberto Gonzalez Iniesta <agi@inittab.org>

Cc: 848024-done@bugs.debian.org, dann frazier <dannf@debian.org>

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Tue, 13 Dec 2016 23:04:46 +0100

[Message part 1 (text/plain, inline)]

Am 13.12.2016 um 18:22 schrieb Michael Biebl:
> I've blocked the two bugs accordingly and forwarded the issue to
> upstream.

This is upstream's response


Thomas Haller:
> I don't think there is anything to do.
> 
> nm-openvpn already supports the verify-x509-name option, which should
> be used.
> 
> 
> The problem is for users who have existing connections with
> tls-remote setting.
> 
> For example, when you look at your NetworkManager ovpn connection
> (for example, named "MyOVPN"):
> 
> $ nmcli connection show "MyVPN" | grep tls-remote
> 
> 
> openvpn 2.4 breaks backward compatibility by removing the option.
> There is nothing that nm-openvpn can do about it except requiring
> users to fix their configuration.
> 
> E.g. the Gnome plugin of nm-openvpn for nm-connection-editor has a
> "Server Certificate Check" combobox. Affected users have to move away
> from the "Verify subject partially (legacy mode)" setting.

In light of that, I'll close this bug report.
I suggest, openvpn either patches tls-remote support back in (for
stretch) or it adds a NEWS file, telling users to check their VPN
configuration files (including the NetworkManager config) and fix them
up manually.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #64 received at 848024@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@dannf.org>

To: Michael Biebl <biebl@debian.org>

Cc: Alberto Gonzalez Iniesta <agi@inittab.org>, 848024@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Thu, 15 Dec 2016 09:30:59 +0100

On Tue, Dec 13, 2016 at 11:04:46PM +0100, Michael Biebl wrote:
> Am 13.12.2016 um 18:22 schrieb Michael Biebl:
> > I've blocked the two bugs accordingly and forwarded the issue to
> > upstream.
> 
> This is upstream's response
> 
> 
> Thomas Haller:
> > I don't think there is anything to do.
> > 
> > nm-openvpn already supports the verify-x509-name option, which should
> > be used.
> > 
> > 
> > The problem is for users who have existing connections with
> > tls-remote setting.
> > 
> > For example, when you look at your NetworkManager ovpn connection
> > (for example, named "MyOVPN"):
> > 
> > $ nmcli connection show "MyVPN" | grep tls-remote
> > 
> > 
> > openvpn 2.4 breaks backward compatibility by removing the option.
> > There is nothing that nm-openvpn can do about it except requiring
> > users to fix their configuration.
> > 
> > E.g. the Gnome plugin of nm-openvpn for nm-connection-editor has a
> > "Server Certificate Check" combobox. Affected users have to move away
> > from the "Verify subject partially (legacy mode)" setting.
> 
> In light of that, I'll close this bug report.
> I suggest, openvpn either patches tls-remote support back in (for
> stretch) or it adds a NEWS file, telling users to check their VPN
> configuration files (including the NetworkManager config) and fix them
> up manually.

Michael,
 Indeed, changing that configuration did fix my setup. Thanks!
Since NM can detect this situation, could it provide this same advice
to the user, even if just via syslog?

  -dann

Message #69 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: Michael Biebl <biebl@debian.org>

Cc: Alberto Gonzalez Iniesta <agi@inittab.org>, 848024@bugs.debian.org, debian-release <debian-release@lists.debian.org>

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Sat, 17 Dec 2016 10:46:46 +0100

On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote:

> Am 13.12.2016 um 18:22 schrieb Michael Biebl:
> > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> > 
> > Am 13.12.2016 um 18:02 schrieb Michael Biebl:
> >> Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta:
> >>> Hi there,
> >>>
> >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> >>>
> >>> Please  also note: This option is now deprecated.  It will be removed
> >>> either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
> >>> X.509  name formatting  described  with  the  --compat-names option as
> >>> soon as possible by updating your configurations to use
> >>> --verify-x509-name instead.
> >>>
> >>> IMHO this should have been fixed in network-manager-openvpn before 2.4
> >>> arrived.
> >>
> >> Ok, thanks for the info.
> >> I've cloned this bug report for openvpn. It needs a versioned Breaks
> >> against network-manager-openvpn once a fixed version has been uploaded, to
> >> avoid breakage on partial uploads.
> >>
> >> I'll ping you once such a version is available.
> > 
> > I've blocked the two bugs accordingly and forwarded the issue to upstream.
> 
> Looking at https://codesearch.debian.net/search?q=tls-remote
> there are possibly more packages which are affected.
> Have you notified them about this and/or checked that they are not affected?
> 
> I'm not sure if it's a bit late at this point of the release cycle to
> introduce such a change in openvpn. I've CCed the release-team on their
> input on this, i.e. whether we want openvpn in stretch 2.4 and how the
> removal of tls-remote should be handled.
> 
Now is not the time to make incompatible changes affecting other
packages?  How hard would it be to provide backwards compatibility here?

Cheers,
Julien

Message #74 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>

To: Julien Cristau <jcristau@debian.org>

Cc: Michael Biebl <biebl@debian.org>, 848024@bugs.debian.org, debian-release <debian-release@lists.debian.org>

Subject: Re: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4

Date: Sat, 17 Dec 2016 10:58:43 +0100

On Sat, Dec 17, 2016 at 10:46:46AM +0100, Julien Cristau wrote:
> On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote:
> 
> > Am 13.12.2016 um 18:22 schrieb Michael Biebl:
> > > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> > > 
> > > Am 13.12.2016 um 18:02 schrieb Michael Biebl:
> > >> Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta:
> > >>> Hi there,
> > >>>
> > >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> > >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> > >>>
> > >>> Please  also note: This option is now deprecated.  It will be removed
> > >>> either in OpenVPN v2.4 or v2.5.  So please make sure you support the new
> > >>> X.509  name formatting  described  with  the  --compat-names option as
> > >>> soon as possible by updating your configurations to use
> > >>> --verify-x509-name instead.
> > >>>
> > >>> IMHO this should have been fixed in network-manager-openvpn before 2.4
> > >>> arrived.
> > >>
> > >> Ok, thanks for the info.
> > >> I've cloned this bug report for openvpn. It needs a versioned Breaks
> > >> against network-manager-openvpn once a fixed version has been uploaded, to
> > >> avoid breakage on partial uploads.
> > >>
> > >> I'll ping you once such a version is available.
> > > 
> > > I've blocked the two bugs accordingly and forwarded the issue to upstream.
> > 
> > Looking at https://codesearch.debian.net/search?q=tls-remote
> > there are possibly more packages which are affected.
> > Have you notified them about this and/or checked that they are not affected?
> > 
> > I'm not sure if it's a bit late at this point of the release cycle to
> > introduce such a change in openvpn. I've CCed the release-team on their
> > input on this, i.e. whether we want openvpn in stretch 2.4 and how the
> > removal of tls-remote should be handled.
> > 
> Now is not the time to make incompatible changes affecting other
> packages?  How hard would it be to provide backwards compatibility here?

Hi Julien, the change does not affect other packages, but setups
using a deprecated option. A note will be added to NEWS.Debian.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

Message #87 received at 848024@bugs.debian.org (full text, mbox, reply):

From: Artur Linhart <Artur.Linhart@centrum.cz>

To: Debian Bug Tracking System <848024@bugs.debian.org>

Subject: Re: Fails to connect after upgrade to openvpn 2.4

Date: Thu, 24 Aug 2017 15:23:23 +0200

Package: network-manager-openvpn
Version: 1.2.8-2
Followup-For: Bug #848024

The bug is still there in the version 1.2.8-2, because the g|UI for the editing
of connection properties still generates the invalid option "tls-remote" always
if you want to specify the X509 properties.

The problem is concretely in the openvpn configuration, tab VPN (openvpn), then
click on "Advanced", then switch to the tab TLS settings.
As a first control on this tab is the edit field, where you can put the
identification for X509 validation
(somethng like "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz,
emailAddress=somaeddress@somedomain.cz")

But now, instead of the generating openvpn configuration with the option
"verify-X509-name" - on the ovpn configuration should be the line with
something like

verify-x509-name "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz,
emailAddress=someaddress@somedomain.cz"

it still generates the old obsolete form

tls-remote "C=cz, L=Praha, O=Some Org, CN=someserver.somedomain.cz,
emailAddress=someaddress@somedomain.cz"

The only workaround for this I have found is to let the validation field empty,
but then you lose the validation possibility.

This should be fixed, there should be generated the correct settings
verify-x509-name
to the generated ovpn configuration instead of todays
tls-remote

Possibly there should be also extended the edit dialogue, where should be
specified the type parameter behind the name parameter of the tag
verify-x509-name - according to the openvpn manual, there can be also specified
the type of the X509 name, if omitted, then default is used.



-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs:en_US:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.115
ii  libc6            2.24-11+deb9u1
ii  libglib2.0-0     2.50.3-2
ii  libnm0           1.6.2-3
ii  network-manager  1.6.2-3
ii  openvpn          2.4.0-6+deb9u1

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information

Send a report that this bug log contains spam.