The blog post about the core 145 update at:
mentions an update for openvpn to 2.4.9.
After installing the update successfully, the openvpn version appears to still be 2.4.8.
Did the update to 2.4.9 make it into the released version of 145?
Indeed, it seems like we forgot to ship OpenVPN:
[root@firewall ~]# openvpn --version
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 14 2019
library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <email@example.com>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Could you please open up a bug at https://bugzilla.ipfire.org/ so we can keep track of this? Your login credentials work there as well.
Thanks, and best regards,
It looks like someone filed a report yesterday so I didn’t submit a duplicate bug report.
Could this be the reason for this error?
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.
All OpenVPN clients needs then to be renewed!
Everything is still working, but it’s a bit disconcerting.
Should one hold off for the fix, or will this not go away?
I’m not very enthusiastic about having to recreate all certificates from scratch.
This is not really related to this topic. ‘--ns-cert-type’ is deprecated and will be removed from OpenVPN with version 2.5.x, which should come in August this year. This directive will be replaced with ‘--remote-cert-tls’, which also involves changes in the certificates. More in-depth information can be found here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18852&p=108777&hilit=RFC3280#p108144 .
OpenVPN will work until the update to 2.5 according to OpenVPN's manpage (which is linked in the topic above); after that, problems (up to no function) will appear!!! This warning has appeared since Core 123, which is now kind of long ago, so this warning is now kind of urgent. It seems that there is also another solution --> Solved: Manual repair PKI on OpenVPN RFC3280 issue, but I didn't use that one and can't say if it is working properly. Also, a renewal of the PKI might be a good idea, especially if there is some old crypto stuff involved (SHA1, 1024-bit key lengths).
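
A way to see whether a server certificate is affected by the points raised in this thread, as an added example that is not code from the thread or from IPFire: it audits the text dump of a certificate for what ‘--remote-cert-tls server’ checks according to the OpenVPN manual (a Key Usage extension and the "TLS Web Server Authentication" extended key usage) and for the old crypto mentioned above. The function names, finding labels, the 2048-bit threshold and both sample dumps are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IPFire code. Reads `openssl x509 -noout -text` output on
# stdin, prints one finding per line, returns non-zero if anything was found.
audit_cert_text() {
    awk '
        /Signature Algorithm:/ && tolower($0) ~ /sha1|md5/ { weak_sig = 1 }
        /Public Key Algorithm: rsaEncryption/ { rsa = 1 }
        /Public-Key: \(/ { bits = $0; gsub(/[^0-9]/, "", bits) }
        /X509v3 Key Usage/ { has_ku = 1 }
        /X509v3 Extended Key Usage/ {
            getline                      # the values are on the next line
            if ($0 ~ /TLS Web Server Authentication/) server_eku = 1
        }
        /Netscape Cert Type/ { getline; if ($0 ~ /SSL Server/) ns_server = 1 }
        END {
            n = 0
            if (weak_sig)                 { print "weak-signature-hash"; n++ }
            if (rsa && bits + 0 < 2048)   { print "weak-rsa-key"; n++ }
            if (!has_ku)                  { print "missing-key-usage"; n++ }
            if (!server_eku)              { print "missing-server-eku"; n++ }
            if (ns_server && !server_eku) { print "netscape-cert-type-only"; n++ }
            exit (n > 0)
        }
    '
}

# Constructed, abbreviated dumps (not taken from a real certificate).
legacy_cert_text() {
    cat <<'EOF'
    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
            Netscape Cert Type:
                SSL Server
EOF
}

renewed_cert_text() {
    cat <<'EOF'
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
EOF
}
```

Against a real certificate, pipe the dump in: `openssl x509 -in /path/to/servercert.pem -noout -text | audit_cert_text` (the path is a placeholder).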