[Pkg-utopia-maintainers] Bug#878439: network-manager-openvpn-gnome: Unable to edit or add VPN connections

Nis Martensen nis.martensen at web.de
Fri Oct 13 18:03:04 UTC 2017


Package: network-manager-openvpn-gnome
Version: 1.2.8-2
Severity: important

Dear Maintainer,

After the upgrade from jessie to stretch, I have been unable to connect
to my VPN.

The GUI was not able to provide a proper description of the reason.
However, the system log revealed that the "tls-remote" option was not
recognized, which is useful information. According to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848024
the solution is to fix the local configuration to use "verify-x509-name"
instead.

If I read the documentation correctly, it should be possible to do this
using the nm-connection-editor, by choosing a non-legacy item for the
"Server Certificate Check" option. In practice this does not work,
because it is not possible to save modifications to existing
connections -- the "save" button always remains greyed out. Also
creating new OpenVPN connections and saving them is not possible. The
only action that works is deleting connections.

Hence this bug report.

When trying to edit the connection in the GUI, the log says:
"Cannot save connection due to error: Invalid setting VPN: cert-pass"



It was possible to edit the connection configuration by hand, as I
found out, by editing the corresponding configuration file in
/etc/NetworkManager/system-connections/. After editing, it is necessary
to reload the connection configuration from disk by running:
sudo nmcli conn reload

Editing the configuration file has challenges: The mentioned option
"cert-pass" did not actually exist in any configuration file. Other
existing options like "cert-pass-flags" seem to be undocumented. In any
case this is not a regular openvpn configuration file, but has a
different set of options.

After much trial and error, connecting to the VPN still does not work.
The log shows some TLS errors:

OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

How do the different variants of verify-x509-name settings need to
be configured in the NetworkManager connection configuration file, when
the GUI cannot be used?


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=da_DK.utf8, LC_CTYPE=da_DK.utf8 (charmap=UTF-8), LANGUAGE=da_DK.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn-gnome depends on:
ii  libatk1.0-0              2.22.0-1
ii  libc6                    2.24-11+deb9u1
ii  libcairo-gobject2        1.14.8-1
ii  libcairo2                1.14.8-1
ii  libdbus-1-3              1.10.22-0+deb9u1
ii  libdbus-glib-1-2         0.108-2
ii  libgdk-pixbuf2.0-0       2.36.5-2+deb9u1
ii  libglib2.0-0             2.50.3-2
ii  libgtk-3-0               3.22.11-1
ii  libnm-glib-vpn1          1.6.2-3
ii  libnm-glib4              1.6.2-3
ii  libnm-gtk0               1.4.4-1
ii  libnm-util2              1.6.2-3
ii  libnm0                   1.6.2-3
ii  libnma0                  1.4.4-1
ii  libpango-1.0-0           1.40.5-1
ii  libpangocairo-1.0-0      1.40.5-1
ii  libsecret-1-0            0.18.5-3.1
ii  network-manager-openvpn  1.2.8-2

network-manager-openvpn-gnome recommends no packages.

network-manager-openvpn-gnome suggests no packages.

-- no debconf information
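
Added example, not part of the original report and not NetworkManager's own code: a Python check for the state described above, an OpenVPN keyfile from /etc/NetworkManager/system-connections/ that still carries "tls-remote" or has no "verify-x509-name". The sample keyfile is constructed; the [vpn] section and the service-type value are assumptions about the keyfile layout.

```python
import configparser

OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"

# Constructed sample keyfile; names and values are placeholders, not from the report.
SAMPLE_KEYFILE = """\
[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.org
tls-remote=vpn.example.org
cert-pass-flags=1
"""


def audit_keyfile(text):
    """Return findings about the server certificate name check in one keyfile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    # Assumption: VPN plugin options live in a [vpn] section with a service-type key.
    if not parser.has_section("vpn"):
        return []
    vpn = parser["vpn"]
    if vpn.get("service-type") != OPENVPN_SERVICE:
        return []
    findings = []
    if "tls-remote" in vpn:
        findings.append("tls-remote: legacy option, reported as not recognized")
    if not vpn.get("verify-x509-name", "").strip():
        findings.append("verify-x509-name: missing, server name is not checked")
    return findings


if __name__ == "__main__":
    for finding in audit_keyfile(SAMPLE_KEYFILE):
        print(finding)
```

The keyfiles are normally readable only by root, so the check has to run with matching privileges, and a hand-edited file still needs the "nmcli conn reload" step mentioned in the report.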


