
fedora26 cert check openvpn NetworkManager

asked 2017-09-12 10:24:47 +0000

Fedmick

updated 2017-09-12 11:27:12 +0000

hhlp

Hi there,

I am using Fedora 26 with the following packages:

NetworkManager-openvpn-1.2.10-1.fc26.x86_64
NetworkManager-team-1.8.2-1.fc26.x86_64
NetworkManager-pptp-gnome-1.2.4-2.fc26.x86_64
NetworkManager-bluetooth-1.8.2-1.fc26.x86_64
NetworkManager-libnm-1.8.2-1.fc26.x86_64
NetworkManager-adsl-1.8.2-1.fc26.x86_64
NetworkManager-openvpn-gnome-1.2.10-1.fc26.x86_64
NetworkManager-l2tp-1.2.8-1.fc26.x86_64
NetworkManager-openconnect-1.2.4-4.fc26.x86_64
NetworkManager-iodine-gnome-1.2.0-2.fc26.x86_64
NetworkManager-glib-1.8.2-1.fc26.x86_64
NetworkManager-wwan-1.8.2-1.fc26.x86_64
NetworkManager-libreswan-1.2.4-2.fc26.x86_64
NetworkManager-vpnc-gnome-1.2.4-2.fc26.x86_64
NetworkManager-libreswan-gnome-1.2.4-2.fc26.x86_64
NetworkManager-pptp-1.2.4-2.fc26.x86_64
NetworkManager-config-connectivity-fedora-1.8.2-1.fc26.noarch
NetworkManager-vpnc-1.2.4-2.fc26.x86_64
NetworkManager-iodine-1.2.0-2.fc26.x86_64
kf5-networkmanager-qt-5.36.0-1.fc26.x86_64
NetworkManager-wifi-1.8.2-1.fc26.x86_64
NetworkManager-l2tp-gnome-1.2.8-1.fc26.x86_64
NetworkManager-1.8.2-1.fc26.x86_64

My problem is that I cannot establish a VPN connection, because of the following error message:

OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

I went into the settings of the VPN connection and stumbled over the following: PIC

When I set this to not check the identity of the certificate, the VPN connection is correctly established. But I wonder what's the deal behind this option. I have another system (Ubuntu 16.04) on which I do not have the pull-down menu at all. Under Ubuntu, I can therefore not see if the identity is checked at all, but under Ubuntu, it works (the VPN is established).

So my questions are:

  1. Should identity be checked in any case (security issues)?

  2. If yes: is there any possible solution to my problem?

  3. Can I see in logs if identity is checked (I want to cross-check what Ubuntu does)?


2 answers


answered 2017-09-14 07:25:14 +0000

Fedmick

Hi,

Thanks for the answer. Is there any easy way to show the certs that are installed system-wide on Fedora 26? I can then probably compare if the CA cert is installed on the Ubuntu system as well and, if not, export it on Ubuntu and install it on Fedora.

Greets!


Comments

The cert should be part of the openvpn configuration, not system-wide. How did you configure the openvpn connection?

Samuel Sieb (2017-09-15 00:37:36 +0000)

answered 2017-09-13 18:27:50 +0000

Samuel Sieb

It's a good idea for security to verify the certificate you receive. You should have the CA certificate available to verify it. That's how I've always done it.

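For question 3 above, one way to compare what the two clients actually check is to look for OpenVPN's `VERIFY` handshake messages in each client's log. This is an added example, not code from the thread: the message formats are assumed to be those OpenVPN 2.4 prints, and the sample logs and host names are constructed.

```python
import re

# Handshake messages as OpenVPN 2.4 writes them (assumed format):
#   VERIFY OK: depth=0, CN=...        chain link accepted
#   VERIFY X509NAME OK: CN=...        subject/name match (verify-x509-name)
#   VERIFY KU OK / VERIFY EKU OK      key-usage checks (remote-cert-tls)
#   VERIFY ERROR: depth=0, error=...  verification failed
VERIFY_RE = re.compile(r"VERIFY (?:(X509NAME|KU|EKU) )?(OK|ERROR)\b:?\s*(.*)")

def summarize(lines):
    """Report which server-certificate checks one connection attempt logged."""
    report = {"chain": "not logged", "name": "not logged",
              "usage": "not logged", "errors": []}
    for line in lines:
        m = VERIFY_RE.search(line)
        if not m:
            continue
        kind, outcome, detail = m.groups()
        key = {None: "chain", "X509NAME": "name"}.get(kind, "usage")
        if outcome == "ERROR":
            report[key] = "failed"
            report["errors"].append(detail.strip())
        elif report[key] != "failed":
            # For the chain, only depth=0 (the server's own cert) counts as done.
            if key != "chain" or "depth=0" in detail:
                report[key] = "passed"
    return report

# Constructed sample logs (hypothetical names), not taken from the thread.
WITH_NAME_CHECK = """\
VERIFY OK: depth=1, CN=Example VPN CA
VERIFY KU OK
VERIFY EKU OK
VERIFY X509NAME OK: CN=vpn.example.org
VERIFY OK: depth=0, CN=vpn.example.org
""".splitlines()
WITHOUT_NAME_CHECK = """\
VERIFY OK: depth=1, CN=Example VPN CA
VERIFY OK: depth=0, CN=vpn.example.org
""".splitlines()
CA_MISSING = """\
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=vpn.example.org
""".splitlines()

if __name__ == "__main__":
    for label, log in [("name checked", WITH_NAME_CHECK),
                       ("chain only", WITHOUT_NAME_CHECK),
                       ("CA missing", CA_MISSING)]:
        print(label, summarize(log))
```

A log that shows `chain: passed` but `name: not logged` means the certificate was validated against the CA without any check of the server's identity, which is the difference the pull-down menu in the question controls.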
