OpenVPN CA

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Mon Feb 13, 2023 11:55 am
billion_fan wrote: Mon Feb 13, 2023 9:19 am
SPAU00 wrote: Fri Feb 10, 2023 2:54 pm

OpenVPN server CA should be distinguished as a server certificate. Renewed CA is not. “extendedKeyUsage = critical, serverAuth”
Our engineers are asking how you verified the renewed cert does not have “extendedKeyUsage = critical, serverAuth”, so they can investigate
OpenVPN connection log gives the following warning which has prompted me to import cert and take a closer look. It's not generated with extendedKeyUsage (eku) which is bad... Renewed CAs are currently useless.
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
I'm guessing the default CA is pre-installed and the renewed are being generated by firmware?

CA must be generated with “extendedKeyUsage = critical, serverAuth” and as we're using the same CA to export to clients, “extendedKeyUsage = critical, clientAuth”.

Your OpenVPN client export file should contain the line "remote-cert-eku “TLS Web Server Authentication”" or "remote-cert-tls server"

Ask your guys to check out the below link....
https://openvpn.net/community-resources ... ecting-to/
:)
I should add if the below line is added to client file as it should be, the connection will fail because the CA isn’t a server certificate.

"remote-cert-tls server"
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Mon Feb 13, 2023 12:07 pm
SPAU00 wrote: Mon Feb 13, 2023 11:55 am
billion_fan wrote: Mon Feb 13, 2023 9:19 am

Our engineers are asking how you verified the renewed cert does not have “extendedKeyUsage = critical, serverAuth”, so they can investigate
OpenVPN connection log gives the following warning which has prompted me to import cert and take a closer look. It's not generated with extendedKeyUsage (eku) which is bad... Renewed CAs are currently useless.
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
I'm guessing the default CA is pre-installed and the renewed are being generated by firmware?

CA must be generated with “extendedKeyUsage = critical, serverAuth” and as we're using the same CA to export to clients, “extendedKeyUsage = critical, clientAuth”.

Your OpenVPN client export file should contain the line "remote-cert-eku “TLS Web Server Authentication”" or "remote-cert-tls server"

Ask your guys to check out the below link....
https://openvpn.net/community-resources ... ecting-to/
:)
I should add if the below line is added to client file as it should be, the connection will fail because the CA isn’t a server certificate.

"remote-cert-tls server"
I've attached screenshots of the differences between the default CA and a Renewed CA. The default CA has no eku so all intended purposes are allowed. However server config should have written: "remote-cert-tls client".

The renewed CA has eku but the server and client intended purposes are missing so are not allowed. Refer to recent post and links of what should be allowed when generated.
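The "intended purposes" check the post above describes is what OpenSSL's purpose verification does: a certificate with no EKU passes for any purpose, while a certificate that carries an EKU is rejected for every purpose it does not list. The script below is an added example, not code from this thread or from the router firmware. It uses the openssl CLI to build a throwaway PKI the way an OpenVPN server export should look (leaf certificates with a critical extendedKeyUsage of serverAuth or clientAuth, a CA with no EKU so it can sign both), then shows the EKU of each certificate and runs the sslserver/sslclient purpose checks. The CA name "Test VPN CA", the host names vpn.example and laptop1, and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the router firmware): build a throwaway
# OpenVPN-style PKI with the openssl CLI so the leaf certificates carry an
# explicit, critical extendedKeyUsage, then inspect and purpose-check them.
# Names (Test VPN CA, vpn.example, laptop1) and file names are constructed.
set -eu

# issue_leaf DIR NAME CN: key + CSR + certificate signed by DIR/ca.crt,
# with the extensions taken from DIR/NAME.ext.
issue_leaf() {
    dir=$1; name=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_test_pki DIR: create ca.crt, server.crt and client.crt under DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"

    # CA: basicConstraints + keyCertSign, deliberately no EKU, so it is
    # acceptable as the issuer for both server and client purposes.
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Server leaf: the EKU that "remote-cert-tls server" in the client
    # config requires (serverAuth = "TLS Web Server Authentication").
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = critical, serverAuth' > "$dir/server.ext"
    issue_leaf "$dir" server "vpn.example"

    # Client leaf: the EKU that "remote-cert-tls client" in the server
    # config requires (clientAuth = "TLS Web Client Authentication").
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = critical, clientAuth' > "$dir/client.ext"
    issue_leaf "$dir" client "laptop1"
}

# eku_of CERT: print the EKU purposes of a PEM certificate (empty if none).
eku_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^[[:space:]]*//;p;}'
}

# check_purpose CERT CA PURPOSE: succeed only if the chain verifies for
# PURPOSE (sslserver or sslclient). A certificate whose EKU is present but
# does not list the purpose is rejected here, which is the "intended
# purposes are missing so are not allowed" situation.
check_purpose() {
    openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    pki=$(mktemp -d)
    make_test_pki "$pki"
    for c in ca server client; do
        printf '%-7s EKU: %s\n' "$c" "$(eku_of "$pki/$c.crt")"
    done
    for p in sslserver sslclient; do
        for c in server client; do
            if check_purpose "$pki/$c.crt" "$pki/ca.crt" "$p"; then r=ok; else r=REJECTED; fi
            printf '%s cert as %s: %s\n' "$c" "$p" "$r"
        done
    done
fi
```

Run it with `sh thisfile.sh demo`, or source it and call the functions on an exported router certificate: `eku_of server.crt` prints nothing for a certificate like the default CA described above (no EKU, any purpose accepted), and `check_purpose` fails for a certificate whose EKU exists but omits serverAuth or clientAuth. Requires OpenSSL 1.1.1 or later for the purpose and extension handling used here.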
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Mon Feb 13, 2023 10:57 pm
SPAU00 wrote: Mon Feb 13, 2023 12:07 pm
SPAU00 wrote: Mon Feb 13, 2023 11:55 am

OpenVPN connection log gives the following warning which has prompted me to import cert and take a closer look. It's not generated with extendedKeyUsage (eku) which is bad... Renewed CAs are currently useless.
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
I'm guessing the default CA is pre-installed and the renewed are being generated by firmware?

CA must be generated with “extendedKeyUsage = critical, serverAuth” and as we're using the same CA to export to clients, “extendedKeyUsage = critical, clientAuth”.

Your OpenVPN client export file should contain the line "remote-cert-eku “TLS Web Server Authentication”" or "remote-cert-tls server"

Ask your guys to check out the below link....
https://openvpn.net/community-resources ... ecting-to/
:)
I should add if the below line is added to client file as it should be, the connection will fail because the CA isn’t a server certificate.

"remote-cert-tls server"
I've attached screenshots of the differences between the default CA and a Renewed CA. The default CA has no eku so all intended purposes are allowed. However server config should have written: "remote-cert-tls client".

The renewed CA has eku but the server and client intended purposes are missing so are not allowed. Refer to recent post and links of what should be allowed when generated.
billion_fan
Posts: 5375
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Mon Feb 13, 2023 10:58 pm
SPAU00 wrote: Mon Feb 13, 2023 10:57 pm
SPAU00 wrote: Mon Feb 13, 2023 12:07 pm

I should add if the below line is added to client file as it should be, the connection will fail because the CA isn’t a server certificate.

"remote-cert-tls server"
I've attached screenshots of the differences between the default CA and a Renewed CA. The default CA has no eku so all intended purposes are allowed. However server config should have written: "remote-cert-tls client".

The renewed CA has eku but the server and client intended purposes are missing so are not allowed. Refer to recent post and links of what should be allowed when generated.
Try using the attached firmware, engineers have said they have added the extendedKeyUsage
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Tue Feb 14, 2023 1:53 pm
SPAU00 wrote: Mon Feb 13, 2023 10:58 pm
SPAU00 wrote: Mon Feb 13, 2023 10:57 pm

I've attached screenshots of the differences between the default CA and a Renewed CA. The default CA has no eku so all intended purposes are allowed. However server config should have written: "remote-cert-tls client".

The renewed CA has eku but the server and client intended purposes are missing so are not allowed. Refer to recent post and links of what should be allowed when generated.
Try using the attached firmware, engineers have said they have added the extendedKeyUsage
Thanks. You made us a custom firmware a while back to resolve a separate issue. Unfortunately, the issue persists on the latest Australian public release of the firmware where it’s documented as being fixed so we've stuck with your custom firmware. Would you mind asking your guys to add the extendedKeyUsage to the below firmwares please? I’ll test and report back.

File exceeds your attachment limit. Please pull from below link....
https://1drv.ms/u/s!AsqoznSTwevflspEsXk ... A?e=3Sp84w
billion_fan
Posts: 5375
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Tue Feb 14, 2023 9:21 pm
billion_fan wrote: Tue Feb 14, 2023 1:53 pm
SPAU00 wrote: Mon Feb 13, 2023 10:58 pm
Try using the attached firmware, engineers have said they have added the extendedKeyUsage
Thanks. You made us a custom firmware a while back to resolve a separate issue. Unfortunately, the issue persists on the latest Australian public release of the firmware where it’s documented as being fixed so we've stuck with your custom firmware. Would you mind asking your guys to add the extendedKeyUsage to the below firmwares please? I’ll test and report back.

File exceeds your attachment limit. Please pull from below link....
https://1drv.ms/u/s!AsqoznSTwevflspEsXk ... A?e=3Sp84w
I have provided your email to AU support who will contact you regarding AU firmware (in the future use this contact window for any support requests)
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Wed Feb 15, 2023 10:04 am
SPAU00 wrote: Tue Feb 14, 2023 9:21 pm
billion_fan wrote: Tue Feb 14, 2023 1:53 pm

Try using the attached firmware, engineers have said they have added the extendedKeyUsage
Thanks. You made us a custom firmware a while back to resolve a separate issue. Unfortunately, the issue persists on the latest Australian public release of the firmware where it’s documented as being fixed so we've stuck with your custom firmware. Would you mind asking your guys to add the extendedKeyUsage to the below firmwares please? I’ll test and report back.

File exceeds your attachment limit. Please pull from below link....
https://1drv.ms/u/s!AsqoznSTwevflspEsXk ... A?e=3Sp84w
I have provided your email to AU support who will contact you regarding AU firmware (in the future use this contact window for any support requests)
I won’t hold my breath! Your renew CA was implemented from my posts and that’s a disappointing response considering pointing out security flaws and efforts made here.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Wed Feb 15, 2023 10:29 am
billion_fan wrote: Wed Feb 15, 2023 10:04 am
SPAU00 wrote: Tue Feb 14, 2023 9:21 pm

Thanks. You made us a custom firmware a while back to resolve a separate issue. Unfortunately, the issue persists on the latest Australian public release of the firmware where it’s documented as being fixed so we've stuck with your custom firmware. Would you mind asking your guys to add the extendedKeyUsage to the below firmwares please? I’ll test and report back.

File exceeds your attachment limit. Please pull from below link....
https://1drv.ms/u/s!AsqoznSTwevflspEsXk ... A?e=3Sp84w
I have provided your email to AU support who will contact you regarding AU firmware (in the future use this contact window for any support requests)
I won’t hold my breath! Your renew CA was implemented from my posts and that’s a disappointing response considering pointing out security flaws and efforts made here.
Haven’t heard from your AU support so what now?
billion_fan
Posts: 5375
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Fri Feb 17, 2023 9:25 am
SPAU00 wrote: Wed Feb 15, 2023 10:29 am
billion_fan wrote: Wed Feb 15, 2023 10:04 am

I have provided your email to AU support who will contact you regarding AU firmware (in the future use this contact window for any support requests)
I won’t hold my breath! Your renew CA was implemented from my posts and that’s a disappointing response considering pointing out security flaws and efforts made here.
Haven’t heard from your AU support so what now?
They said they sent an email to post.************@outlook.com.au, your registered email address on this forum (maybe it went to your junk folder)

If you are not using this email anymore, let me know your new email address and I'll get them to email you on that
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Fri Feb 17, 2023 9:28 am
SPAU00 wrote: Fri Feb 17, 2023 9:25 am
SPAU00 wrote: Wed Feb 15, 2023 10:29 am

I won’t hold my breath! Your renew CA was implemented from my posts and that’s a disappointing response considering pointing out security flaws and efforts made here.
Haven’t heard from your AU support so what now?
They said they sent an email to post.************@outlook.com.au, your registered email address on this forum

If you are not using this email anymore, let me know your new email address and I'll get them to email you on that
Got nothing. Checked spam. I get your notices to this email. Another email would be the same without “post.”
I’d like to get this resolved please. Is it not possible your guys can adjust files as you’ve done in the past with dongle routing issue which got sorted?