--ns-cert-type is DEPRECATED
-
Hi,
Can't find an answer on the forum. When I start the openvpn client on my laptop, I get a warning in the client logs. Should I do something about this?
My openvpn package is up to date on the pfsense. Thank you.

Fri Apr 28 13:02:07 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
-
Ignore it, it's just a notice that the option is being renamed and the newer versions (2.3+ I think?) consider the old option as deprecated. They both do the exact same function. Also:
--ns-cert-type client|server (DEPRECATED) This option is deprecated. Use the more modern equivalent --remote-cert-tls instead. This option will be removed in OpenVPN 2.5.
Edit: There might be some minor differences in what requirements the options imply. In 2.4 the option is described as:
--remote-cert-tls client|server Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
The --ns-cert-type option is probably less strict about the key usage signing.
This means pfSense should at some point switch to generating client configs that use --remote-cert-tls instead of --ns-cert-type.
-
https://redmine.pfsense.org/issues/7498
I'll get to it soon, had a short and busy week. Should be fairly simple but needs testing.
-
Thanks for the quick and clear answers!
-
If you just want a quick and dirty way to get rid of the error, just change your client config file to not use ns-cert-type, and use the remote-cert-tls server entry.
So edit your client's config:
#ns-cert-type server
remote-cert-tls server

You then should get this when you connect:
Fri Apr 28 11:16:26 2017 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
Fri Apr 28 11:16:26 2017 VERIFY KU OK
Fri Apr 28 11:16:26 2017 Validating certificate extended key usage
Fri Apr 28 11:16:26 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 28 11:16:26 2017 VERIFY EKU OK
Fri Apr 28 11:16:26 2017 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
Fri Apr 28 11:16:26 2017 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
Fri Apr 28 11:16:27 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

This is what I did, I don't like errors and such in my connection logs either ;) hehehe
But as already mentioned it's not really an issue.. But if you're giving config files to lots of users, etc. then it might be a hassle to either edit the configs before giving them out or have them do it.. Sure they will fix it up soon enough.
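The same edit the post above does by hand, written as a small script so it can be run over a batch of exported client configs instead of editing each one. This is an added example, not code from the thread or from pfSense; it assumes only POSIX sh and awk, and the sample config it builds is a constructed placeholder. It carries the ns-cert-type value (server or client) over to remote-cert-tls unchanged, leaves the old line behind as a comment, and is safe to run twice.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): swap the deprecated
# ns-cert-type option for remote-cert-tls in an OpenVPN client config.
# The argument value (server/client) carries over unchanged; the old line is
# kept as a comment, as in the post above. Assumes POSIX sh + awk only.

migrate_cert_type() {
    # $1: path to a client .ovpn/.conf; rewritten in place, idempotent
    cfg="$1"
    [ -f "$cfg" ] || return 1
    tmp="$cfg.tmp.$$"
    awk '
        # Active "ns-cert-type server|client" line: comment it out and
        # remember the value so we can emit the modern equivalent.
        $1 == "ns-cert-type" && ($2 == "server" || $2 == "client") {
            print "#" $0
            want = $2
            next
        }
        # Note an already-present remote-cert-tls so we never add a duplicate.
        $1 == "remote-cert-tls" { have = $2 }
        { print }
        END {
            # Append after everything else, which keeps it outside any
            # inline <ca>/<cert>/<key> blocks.
            if (want != "" && have == "") print "remote-cert-tls " want
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

cert_type_in_use() {
    # Report which peer-certificate check a config relies on; handy for
    # auditing a directory of exported configs before/after migration.
    awk '
        $1 == "remote-cert-tls" { r = $2 }
        $1 == "ns-cert-type"    { n = $2 }
        END {
            if (r != "")      print "remote-cert-tls " r
            else if (n != "") print "ns-cert-type " n
            else              print "none"
        }
    ' "$1"
}

# Stand-alone demo on a constructed sample config (not a real export).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sample.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
ns-cert-type server
EOF
echo "before: $(cert_type_in_use "$demo_dir/sample.ovpn")"
migrate_cert_type "$demo_dir/sample.ovpn"
echo "after:  $(cert_type_in_use "$demo_dir/sample.ovpn")"
rm -rf "$demo_dir"
```

Run it against a directory with something like `for f in exports/*.ovpn; do migrate_cert_type "$f"; done`, then use cert_type_in_use to confirm every file now reports remote-cert-tls. Since remote-cert-tls also checks key usage and extended key usage (the VERIFY KU OK / VERIFY EKU OK lines above), test one migrated config against the server before handing the batch out.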
-
New export package is up, give it a shot.
-
Updated package and checked, yup now using
remote-cert-tls server