warning: No server certificate verification method enabled

eng.mohamed8866
Posts: 5
Joined: Tue May 20, 2014 11:13 am

Re: warning: No server certificate verification method enabl

Post by eng.mohamed8866 » Tue Aug 12, 2014 2:01 pm

Did you find a solution for it?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: warning: No server certificate verification method enabl

Post by thisjun » Thu Aug 21, 2014 5:47 am

Could you update the server to the latest version and re-generate the server certificate?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: warning: No server certificate verification method enabl

Post by thisjun » Thu Jul 16, 2015 6:13 am

Could you connect to the server with the configuration which is generated by SoftEther?

Decentralized Swag
Posts: 8
Joined: Sun Mar 01, 2015 2:53 am

Re: warning: No server certificate verification method enabl

Post by Decentralized Swag » Sun Mar 19, 2017 5:20 am

This problem still exists today.
Can we have some kind of solution?
Can you confirm that this is simply an error in SoftEther (in which case we know we have to wait for the fix in the sources), or is this due to some kind of misconfiguration?

I have the exact same problem definition as the original topic starter.
To answer your question, YES, the client does connect with the .ovpn file generated by the SoftEther server. When it connects, the warning "warning: No server certificate verification method enabled" is displayed.

However, if we then add the settings mentioned above to the client config, we get those errors instead and the client does not connect.

Decentralized Swag
Posts: 8
Joined: Sun Mar 01, 2015 2:53 am

Re: warning: No server certificate verification method enabl

Post by Decentralized Swag » Sun Mar 19, 2017 11:53 pm

Found a solution even though this is definitely a bug in SoftEther.
You guys should fix this.

Workaround:
As per https://www.v13.gr/blog/?p=386,
if you put

remote-cert-tls server
remote-cert-ku f6

into the client OpenVPN config, it kinda works.
The problem here is that OpenVPN expects this special field in the certificate structure (ku) to be set to a certain value. This value is usually used for certificates that are to be used for VPN servers. It makes sense to check this, because if the field is not correct, it is possible that some client (not a VPN server) has gotten a certificate from the same certificate authority as the VPN server itself, and is trying to impersonate the server.
The provided workaround tells OpenVPN not to expect the field to be set correctly, and instead accept the value f6, which is what SoftEther puts in its own generated certificates.
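
To see what the key-usage check in the workaround above compares, here is an added example (not from the thread and not SoftEther or OpenVPN code) that decodes a `remote-cert-ku` hex mask and tests a certificate's key usage against an allowed list. The `a0`/`88` list and the exact-match versus superset rules are assumptions taken from the OpenVPN 2.3 and 2.4 documentation; only the first eight keyUsage bits are modelled.

```python
# Added example: interpret OpenVPN --remote-cert-ku hex masks.
# Only the first keyUsage byte is modelled (assumption: no decipherOnly bit).

KU_BITS = [
    (0x80, "digitalSignature"),
    (0x40, "nonRepudiation"),
    (0x20, "keyEncipherment"),
    (0x10, "dataEncipherment"),
    (0x08, "keyAgreement"),
    (0x04, "keyCertSign"),
    (0x02, "cRLSign"),
    (0x01, "encipherOnly"),
]

# Assumption: list implied by "remote-cert-tls server" in OpenVPN 2.3 docs.
SERVER_KU_23 = ["a0", "88"]
# Value the thread reports for SoftEther-generated certificates.
SOFTETHER_KU = "f6"


def decode_ku(mask_hex):
    """Return the keyUsage names set in a hex mask such as 'f6'."""
    mask = int(mask_hex, 16)
    if not 0 < mask <= 0xFF:
        raise ValueError("only single-byte, non-zero masks are modelled here")
    return [name for bit, name in KU_BITS if mask & bit]


def ku_accepted(cert_ku_hex, allowed_hex, exact):
    """Check a certificate's key usage against a list of allowed masks.

    exact=True  : certificate must equal one listed mask (2.3-style rule).
    exact=False : certificate must contain every bit of one listed mask
                  (2.4-style rule for an explicit remote-cert-ku list).
    """
    cert = int(cert_ku_hex, 16)
    for allowed in allowed_hex:
        want = int(allowed, 16)
        if (cert == want) if exact else (cert & want) == want:
            return True
    return False


if __name__ == "__main__":
    print("f6 =", ", ".join(decode_ku(SOFTETHER_KU)))
    print("2.3-style, default list:", ku_accepted(SOFTETHER_KU, SERVER_KU_23, True))
    print("2.3-style, pinned f6   :", ku_accepted(SOFTETHER_KU, ["f6"], True))
    print("2.4-style, default list:", ku_accepted(SOFTETHER_KU, SERVER_KU_23, False))
```

Decoding `f6` shows the certificate also carries keyCertSign and cRLSign, so pinning `f6` restores a key-usage check while accepting a certificate that is also marked as usable for signing other certificates.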

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: warning: No server certificate verification method enabl

Post by cedar » Fri Apr 07, 2017 9:06 am

In my environment, that error did not reproduce.
What type of OpenVPN shows the KU error?
Is it a fatal error, not a warning?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: warning: No server certificate verification method enabl

Post by cedar » Fri Apr 28, 2017 7:56 am

I think I can fix it.
Please tell me about the problematic environment.
What version of OpenVPN do you use?

It seems that the latest version of OpenVPN (openvpn-install-2.4.1-I601.exe) can connect without problem.
