No server certificate verification method has been enabled

aherreraCTG
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 18, 2022 11:23 pm

No server certificate verification method has been enabled

Post by aherreraCTG » Fri Nov 18, 2022 11:24 pm

New to OpenVPN - Checked to see if this was asked before and could not find anything - Any help is greatly appreciated

Fri Nov 18 17:19:15 2022 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Fri Nov 18 17:19:15 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: No server certificate verification method has been enabled

Post by ordex » Tue Nov 29, 2022 9:52 pm

The first warning is about what it says :) Drop --cipher and use --data-cipher accordingly (I'd suggest to check the manpage, because the syntax is slightly different).

For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.
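
A way to check a client config for both warnings before deploying it, as an added example that is not from the thread or from the OpenVPN project. The list of verification options is an assumption drawn from the OpenVPN manual, and the sample configs and vpn.example.com are constructed.

```python
# Added example, not OpenVPN source: approximates the client's own check.
# Assumption: any one of these documented options counts as a server cert check.
VERIFY_OPTIONS = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                  "tls-verify", "peer-fingerprint", "verify-hash"}
# Negotiable ciphers named in the log line quoted in the first post.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

# Constructed sample configs; vpn.example.com is a placeholder.
BEFORE = """\
client
remote vpn.example.com 1194
cipher AES-128-CBC
"""
AFTER = """\
client
remote vpn.example.com 1194
remote-cert-tls server   # reject a server cert without server key usage
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
"""


def parse(config_text):
    """Return {option: [args]} (last occurrence wins), ignoring comments."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue
        words = line.split("#", 1)[0].split()
        if words:
            options[words[0].lstrip("-")] = words[1:]
    return options


def lint(config_text):
    """Return the warnings this client config would be expected to trigger."""
    options = parse(config_text)
    findings = []
    checks = [o for o in options if o in VERIFY_OPTIONS]
    # remote-cert-tls only checks the server when its argument is "server".
    if options.get("remote-cert-tls") not in (None, ["server"]):
        checks.remove("remote-cert-tls")
    if not checks:
        findings.append("no-server-cert-verification")
    cipher = (options.get("cipher") or [None])[0]
    allowed = (options.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0].upper().split(":")
    if cipher and cipher.upper() not in allowed:
        findings.append("cipher-not-in-data-ciphers")
    return findings
```

With `remote-cert-tls server` set, the client refuses a server certificate that lacks the matching key usage and the TLS Web Server Authentication extended key usage, so inspect the server certificate first (`openssl x509 -in server.crt -noout -text`, where server.crt is a placeholder path).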

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: No server certificate verification method has been enabled

Post by 300000 » Wed Nov 30, 2022 9:56 pm

For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.

This is to make sure you should buy Access Server so you don't get that scary warning about the certificate, or you will have that warning all the time when you use it.

You have to make your own choice. Pay money or let it be.

In order to make it disappear you need to change it in the openssl config so it will include the SKU extension, which prevents man-in-the-middle attacks.

The trouble is the person who wrote Easy RSA intended to leave that warning in so people will move to commercial software, or you can correct it if you try to learn to use openssl.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: No server certificate verification method has been enabled

Post by ordex » Thu Dec 01, 2022 10:40 pm

Please cite your sources when you make such (false) accusations

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: No server certificate verification method has been enabled

Post by 300000 » Fri Dec 02, 2022 9:27 pm

Why will a client that connects to open access server not have that scary warning at all? This is so different between the paid version and the free community. The same source, but the way it works is not.

When using Easy RSA to have openssl generate a certificate, in the openssl config they just forgot to add "extendedKeyUsage= TLS Web Server Authentication", but this is included in open access server.

That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.

People can use XCA to create a full certificate and use it in openvpn, and can add whatever they like, but it takes time to learn and use it.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: No server certificate verification method has been enabled

Post by ordex » Sat Dec 03, 2022 9:39 am

300000 wrote:
Fri Dec 02, 2022 9:27 pm
Why will a client that connects to open access server not have that scary warning at all? This is so different between the paid version and the free community. The same source, but the way it works is not.
because the PKI on Access Server is configured properly automatically.
A user creating his own PKI/configuration may not do the right thing and the warning shows up (not sure why you think it's scary though)
300000 wrote:
Fri Dec 02, 2022 9:27 pm
When using Easy RSA to have openssl generate a certificate, in the openssl config they just forgot to add "extendedKeyUsage= TLS Web Server Authentication", but this is included in open access server.
Indeed, if you don't know what you are doing it's easy to end up with something that misses some attribute or something else.
This is true for anything in life..
300000 wrote:
Fri Dec 02, 2022 9:27 pm
That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.

People can use XCA to create a full certificate and use it in openvpn, and can add whatever they like, but it takes time to learn and use it.
Again, you can learn what you need to do and do it right, like with everything else.
If you don't want to learn..well, feel free to do what you want :-)
