Feature #5602

OpenVPN - certificate purpose validation required

Added by Kill Bill about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: OpenVPN
Target version:
Start date: 12/05/2015
Due date:
% Done: 100%
Estimated time:

Description

Way too many threads every week with users posting about "my OpenVPN does not work", boiling down to

error=unsupported certificate purpose

I can see cert_get_purpose() in certs.inc, this or some similar function should be used to validate the OpenVPN server/client configuration before letting users save it.
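A purpose check of the kind the description asks for, as an added example that is not part of the ticket and not pfSense's code: the shell functions below build a constructed CA with one server and one client certificate, then use `openssl verify -purpose` to show which certificate/role pairings are rejected. All function names, file names and subjects are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: detect a certificate-purpose mismatch with the openssl CLI.
# make_demo_pki DIR: constructed CA plus a serverAuth leaf and a clientAuth leaf.
make_demo_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/pki.cnf" \
        -extensions ca_ext -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=demo-$role" \
            -keyout "$1/$role.key" -out "$1/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$role.csr" -days 1 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -extfile "$1/pki.cnf" -extensions "${role}_ext" \
            -out "$1/$role.crt" 2>/dev/null || return 1
    done
}

# cert_fits_purpose CA CERT PURPOSE: exit status 0 only if CERT chains to CA
# and is acceptable for PURPOSE (sslserver or sslclient).
cert_fits_purpose() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# report_roles DIR: print one verdict line per certificate/purpose pairing.
report_roles() {
    for cert in server client; do
        for purpose in sslserver sslclient; do
            if cert_fits_purpose "$1/ca.crt" "$1/$cert.crt" "$purpose"; then verdict=ok; else verdict=REJECTED; fi
            echo "$cert.crt as $purpose: $verdict"
        done
    done
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d) && make_demo_pki "$tmp" && report_roles "$tmp"; rm -rf "$tmp"
```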

Associated revisions

Revision 0e9d4a6d (diff)
Added by Jim Pingle about 4 years ago

Prioritize and separate server certs for OpenVPN servers to make it more clear they should be using certificates created as Server certificates for this purpose -- it's still valid to use non-server certs but it's not what most people intend to do. Ticket #5602

Revision b2f154ac (diff)
Added by Jim Pingle about 4 years ago

Fix this test. Ticket #5602

Revision a4ba0282 (diff)
Added by Steve Beaver about 4 years ago

Fixed #5602 by dynamically updating the help text based on the cert selected.

History

#1 Updated by Jim Pingle about 4 years ago

The problem with that is that it's not technically a requirement to use a server cert -- it's only required if the clients verify the server certificate type (which the export package does).

So we could be better about highlighting which certs are server certs (perhaps listing them first or styling them in some way) but unfortunately we can't stop listing non-server certs there or it could break some setups.

We could also have the export package test the server cert type and omit the directive if they didn't use one, but I'd rather not encourage that practice too much.

#2 Updated by Jim Thompson about 4 years ago

  • Tracker changed from Bug to Feature
  • Assignee set to Jim Pingle

#3 Updated by Jim Pingle about 4 years ago

  • Assignee changed from Jim Pingle to Steve Beaver
  • Priority changed from Normal to Very Low
  • % Done changed from 0 to 80

I pushed a change to separate, identify, and prioritize the servers in the list of certificates on the page. Passing this off to Steve Beaver since he had an idea for printing a pretty warning if they pick the wrong kind.

I'll also look into adding a warning to the OpenVPN client export package in the meantime.

Lowering the priority since the formatting isn't a huge concern now that the rest of the work has been done.

#4 Updated by Steve Beaver about 4 years ago

  • Status changed from New to Feedback
  • Assignee changed from Steve Beaver to Jim Pingle

Dynamically update the help text based on the cert selected.

#5 Updated by Steve Beaver about 4 years ago

  • % Done changed from 80 to 100

#6 Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved

Looks great, should hopefully be obvious enough to make people realize they did something incorrectly. :-)
