warning: No server certificate verification method enabled
-
- Posts: 5
- Joined: Tue May 20, 2014 11:13 am
Re: warning: No server certificate verification method enabl
Did you find a solution for it?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: warning: No server certificate verification method enabl
Could you update the server to the latest version and re-generate the server certificate?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: warning: No server certificate verification method enabl
Could you connect to the server with the configuration which is generated by SoftEther?
-
- Posts: 8
- Joined: Sun Mar 01, 2015 2:53 am
Re: warning: No server certificate verification method enabl
This problem still exists today.
Can we have some kind of solution?
Can you confirm that this is simply an error in SoftEther (in which case we know we have to wait for the fix in the sources), or is this due to some kind of misconfiguration?
I have the exact same problem definition as the original topic starter.
To answer your question, YES, the client does connect with the .ovpn file generated by the SoftEther server. When it connects, the warning "warning: No server certificate verification method enabled" is displayed.
However, if we then add the settings mentioned above to the client config, we get those errors instead and the client does not connect.
-
- Posts: 8
- Joined: Sun Mar 01, 2015 2:53 am
Re: warning: No server certificate verification method enabl
Found a solution even though this is definitely a bug in SoftEther.
You guys should fix this.
Workaround:
As per https://www.v13.gr/blog/?p=386,
if you put
remote-cert-tls server
remote-cert-ku f6
into the client OpenVPN config, it kinda works.
The problem here is that OpenVPN expects this special field in the certificate structure (ku) to be set to a certain value. This value is usually used for certificates that are to be used for VPN servers. It makes sense to check this, because if the field is not correct, it is possible that some client (not a VPN server) has gotten a certificate from the same certificate authority as the VPN server itself, and is trying to impersonate the server.
The provided workaround tells OpenVPN not to expect the field to be set correctly, and instead accept the value f6, which is what SoftEther puts in its own generated certificates.
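To see what the `remote-cert-ku f6` workaround above actually accepts, the following added example (not from the thread or from SoftEther/OpenVPN code) decodes `remote-cert-ku` hex masks into X.509 keyUsage names. It assumes OpenVPN's bit convention (first keyUsage bit = 0x80), an exact-match comparison against the listed values, and that `remote-cert-tls server` in OpenVPN 2.3 expands to `remote-cert-ku a0 88`; the function names are hypothetical.

```python
# Added example: decode OpenVPN remote-cert-ku masks and model the client check.
# Bit values follow OpenVPN's convention for the X.509 keyUsage bit string.
KU_BITS = {
    0x80: "digitalSignature",
    0x40: "nonRepudiation",
    0x20: "keyEncipherment",
    0x10: "dataEncipherment",
    0x08: "keyAgreement",
    0x04: "keyCertSign",
    0x02: "cRLSign",
    0x01: "encipherOnly",
    0x8000: "decipherOnly",
}
# Usages that belong on a CA certificate rather than on a VPN server leaf.
CA_USAGES = {"keyCertSign", "cRLSign"}


def decode_ku(hex_mask):
    """Return the keyUsage names set in a remote-cert-ku style hex mask."""
    value = int(hex_mask, 16)
    unknown = value & ~sum(KU_BITS)
    if unknown:
        raise ValueError(f"bits outside keyUsage: {unknown:#x}")
    return [name for bit, name in KU_BITS.items() if value & bit]


def ku_accepted(cert_ku, accepted):
    """Assumption: the client accepts only an exact match with a listed value."""
    return int(cert_ku, 16) in {int(a, 16) for a in accepted}


def review(cert_ku, accepted):
    """Summarise whether a certificate's KU passes and what it permits."""
    names = decode_ku(cert_ku)
    return {
        "accepted": ku_accepted(cert_ku, accepted),
        "usages": names,
        "ca_usages": sorted(CA_USAGES & set(names)),
    }


if __name__ == "__main__":
    softether_ku = "f6"  # value reported in the thread for SoftEther certs
    print("strict (a0 88):", review(softether_ku, ["a0", "88"]))
    print("workaround (f6):", review(softether_ku, ["f6"]))
```

The decoded mask shows that f6 includes keyCertSign and cRLSign, so the workaround pins the client to a certificate profile that looks like a CA rather than a dedicated server; re-issuing the server certificate with a server-style keyUsage avoids needing the override.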
-
- Site Admin
- Posts: 2274
- Joined: Sat Mar 09, 2013 5:37 am
Re: warning: No server certificate verification method enabl
In my environment, that error did not reproduce.
What type of OpenVPN shows the KU error?
Is it a fatal error, not a warning?
-
- Site Admin
- Posts: 2274
- Joined: Sat Mar 09, 2013 5:37 am
Re: warning: No server certificate verification method enabl
I think I can fix it.
Please tell me about the problematic environment.
What version of OpenVPN do you use?
It seems that the latest version of OpenVPN (openvpn-install-2.4.1-I601.exe) can connect without problem.