New to Open VPN - Checked to see if this was asked before and could not find anything - Any help is greatly appreciated
Fri Nov 18 17:19:15 2022 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Fri Nov 18 17:19:15 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
No server certificate verification method has been enabled
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Nov 18, 2022 11:23 pm
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: No server certificate verification method has been enabled
The first warning is about what it says. Drop --cipher and use --data-cipher accordingly (I'd suggest to check the manpage, because the syntax is slightly different).
For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.
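An added example, not part of any post in this thread and not OpenVPN project code: a Python audit of a client config for the two warnings quoted at the top of the thread. The list of directives treated as server-certificate verification methods, the sample configs and the host name vpn.example.net are assumptions made for the example.

```python
import shlex

# Assumption: directives treated here as server-certificate verification methods.
VERIFY_DIRECTIVES = ("remote-cert-tls", "remote-cert-eku", "verify-x509-name", "tls-verify")
# Default negotiation list, as quoted in the deprecation warning on this page.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

def parse_config(text):
    """Map each directive to its argument list (last one wins); skip inline <blocks>."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca>...</ca> and similar
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def audit_client_config(text):
    """Return findings that correspond to the two warnings in this thread."""
    opts, findings = parse_config(text), []
    if "client" in opts or "tls-client" in opts:
        methods = [d for d in VERIFY_DIRECTIVES if d in opts]
        if opts.get("remote-cert-tls") == ["client"]:
            methods.remove("remote-cert-tls")       # expects a client cert, not a server cert
        if not methods:
            findings.append("no-server-cert-verification: add 'remote-cert-tls server'")
    cipher = opts.get("cipher")
    if cipher:
        allowed = opts.get("data-ciphers", [DEFAULT_DATA_CIPHERS])[0].split(":")
        if cipher[0] not in allowed and "data-ciphers-fallback" not in opts:
            findings.append("cipher-not-in-data-ciphers: %s" % cipher[0])
    return findings

# Constructed sample configs (not taken from the thread).
WEAK = "client\nremote vpn.example.net 1194\ncipher AES-128-CBC\n<ca>\n(constructed)\n</ca>\n"
FIXED = WEAK.replace("cipher AES-128-CBC",
                     "data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC\nremote-cert-tls server")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_client_config(cfg))
```

`remote-cert-tls server` only succeeds if the server certificate was issued with the matching key usage and extended key usage, which is the certificate attribute discussed further down the thread.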
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled
ordex wrote: For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.
This is make sure you should buy Access Server so you don't get that scare warning about certificate or you will have that warning all time when you use it.
You have to make your own choice. Pay money or let it be.
In order to make it disappear you need to change it in the openssl config so it will include the SKU extension, which prevents man-in-the-middle attacks.
Trouble is, the person who wrote Easy RSA intended to leave the warning so people will move to commercial software, or you can correct it if you try to learn to use openssl.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: No server certificate verification method has been enabled
Please cite your sources when you make such (false) accusations
-
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled
Why does a client that connects to open access server not have that scare warning at all? This is so different between the paid version and the free community. The same source, but the way it works is not.
When using Easy RSA to use openssl to generate a certificate, in the openssl config they just forgot to add "extendedKeyUsage = TLS Web Server Authentication", but this is included in open access server.
That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.
People can use XCA to create a full certificate and use it in openvpn and can add whatever they like, but it takes time to learn and use it.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: No server certificate verification method has been enabled
because the PKI on Access Server is configured properly automatically.
A user creating his own PKI/configuration may not do the right thing and the warning shows up (not sure why you think it's scary though)
Indeed, if you don't know what you are doing it's easy to end up with something that misses some attribute or something else.
This is true for anything in life..
Again, you can learn what you need to do and do it right, like with everything else.
300000 wrote: ↑Fri Dec 02, 2022 9:27 pm
That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.
People can use XCA to create a full certificate and use it in openvpn and can add whatever they like, but it takes time to learn and use it.
If you don't want to learn..well, feel free to do what you want