--ns-cert-type is DEPRECATED



  • Hi,

    Can't find an answer on the forum. When I start the openvpn client on my laptop, I get a warning in the client logs. Should I do something about this?
    My openvpn package is up to date on the pfsense. Thank you.

    Fri Apr 28 13:02:07 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.



  • Ignore it, it's just a notice that the option is being renamed and the newer versions (2.3+ I think?) consider the old option as deprecated. They both do the exact same function. Also:

    
    --ns-cert-type client|server (DEPRECATED)
    This option is deprecated. Use the more modern equivalent --remote-cert-tls instead. This option will be removed in OpenVPN 2.5.
    
    

    Edit: There might be some minor differences in what requirements the options imply.  In 2.4 the option is described as:

    
    --remote-cert-tls client|server
    Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
    
    

    The --ns-cert-type option is probably less strict about the key usage signing.

    This means pfSense should at some point switch to generating client configs that use --remote-cert-tls instead of --ns-cert-type.


  • Rebel Alliance Developer Netgate

    https://redmine.pfsense.org/issues/7498

    I'll get to it soon, had a short and busy week. Should be fairly simple but needs testing.



  • Thanks for the quick and clear answers!


  • LAYER 8 Global Moderator

    If you just want a quick and dirty way to get rid of the error, just change your client config file to not use ns-cert-type, and use the remote-cert-tls server entry.

    So edit your clients config
    #ns-cert-type server
    remote-cert-tls server

    You then should get this when you connect

    Fri Apr 28 11:16:26 2017 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
    Fri Apr 28 11:16:26 2017 VERIFY KU OK
    Fri Apr 28 11:16:26 2017 Validating certificate extended key usage
    Fri Apr 28 11:16:26 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Fri Apr 28 11:16:26 2017 VERIFY EKU OK
    Fri Apr 28 11:16:26 2017 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
    Fri Apr 28 11:16:26 2017 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
    Fri Apr 28 11:16:27 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

    This is what I did, I don't like errors and such in my connection logs either ;) hehehe

    But as already mentioned it's not really an issue.  But if you're giving config files to lots of users, etc., then it might be a hassle to either edit the configs before giving them out or have the users do it.  Sure, they will fix it up soon enough.
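The config edit shown above (comment out ns-cert-type, add remote-cert-tls) and the "lots of users" problem both reduce to the same text rewrite, so here is a small script that does it for one or many client configs. It is an added example, not code from the original thread or from pfSense; the sample .ovpn contents, the hostname vpn.example.org and the function names are constructed for illustration. It is idempotent (a config that already carries remote-cert-tls does not get a second copy), it keeps the legacy line commented out so the change is visible in a diff, and it only touches active directives, not lines that are already comments. One caveat before rolling this out in bulk: as the 2.4 option description earlier in the thread says, --remote-cert-tls server makes the client demand an explicit key usage and extended key usage (the "TLS Web Server Authentication" EKU in the log above) on the server certificate, so confirm the server certificate actually carries that EKU first, or every migrated client will fail verification.

```python
"""Migrate OpenVPN client configs from ns-cert-type to remote-cert-tls.

Added example; the sample config below is constructed, not a real deployment.
"""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample client config (hypothetical hostname) containing the
# deprecated directive that triggers the warning discussed in the thread.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.org 1194
ns-cert-type server
cipher AES-256-CBC
verb 3
"""

# Active (uncommented) legacy directive; leading '#' or ';' lines do not match.
_LEGACY = re.compile(r"^(\s*)ns-cert-type\s+(client|server)\b")
# The modern equivalent, used to avoid emitting a duplicate.
_MODERN = re.compile(r"^\s*remote-cert-tls\s+(client|server)\b")


def find_legacy_directives(config: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, peer role) for every active ns-cert-type line."""
    hits = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = _LEGACY.match(line)
        if m:
            hits.append((n, m.group(2)))
    return hits


def migrate_config(config: str) -> str:
    """Rewrite 'ns-cert-type X' to 'remote-cert-tls X', commenting out the old line.

    Idempotent: running it on already-migrated text returns the text unchanged,
    and a config that already has remote-cert-tls for that role gets no duplicate.
    """
    lines = config.splitlines()
    modern_roles = {m.group(1) for m in map(_MODERN.match, lines) if m}
    out = []
    for line in lines:
        m = _LEGACY.match(line)
        if not m:
            out.append(line)
            continue
        indent, role = m.group(1), m.group(2)
        # Keep the old directive visible but inactive, as in the moderator's edit.
        out.append(f"{indent}#{line.strip()}")
        if role not in modern_roles:
            out.append(f"{indent}remote-cert-tls {role}")
            modern_roles.add(role)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")


def migrate_files(paths: Iterable[str], dry_run: bool = False) -> List[Path]:
    """Rewrite each config in place (keeping a .bak copy); return the files that changed."""
    changed = []
    for p in map(Path, paths):
        original = p.read_text()
        updated = migrate_config(original)
        if updated != original:
            changed.append(p)
            if not dry_run:
                p.with_suffix(p.suffix + ".bak").write_text(original)
                p.write_text(updated)
    return changed


if __name__ == "__main__":
    print("legacy directives:", find_legacy_directives(SAMPLE_CONFIG))
    print(migrate_config(SAMPLE_CONFIG))
```

Run it with `migrate_files(glob.glob("*.ovpn"), dry_run=True)` first to list which exported configs still carry the old directive, then without `dry_run` to rewrite them; the `.bak` copies make the rollback trivial if a server certificate turns out not to have the EKU the new option requires.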


  • Rebel Alliance Developer Netgate

    New export package is up, give it a shot.


  • LAYER 8 Global Moderator

    Updated package and checked, yup now using

    remote-cert-tls server

