==================================================================
Please DO NOT REPLY to this mail or send email to the developers
about this bug. Please follow-up to Bugzilla using this link:
http://bugs.contribs.org/show_bug.cgi?id=5495
==================================================================
--- Comment #5 from daniel <[email protected]> 2009-09-29 02:13:42 ---
Problem reported:
If we don't use the optional static key (in the certificate configuration
page), the client's config generated by the panel omits the tls-client
directive. This directive is needed for the standard TLS auth mechanism. This
results in this error on the client:
"Options error: Parameter pkcs12_file can only be specified in TLS-mode, i.e.
where --tls-server or --tls-client is also specified."
[r...@sme ~]# rpm -q smeserver-openvpn-bridge
smeserver-openvpn-bridge-2.0-27.el4.sme
Go into the server-manager, configure the certificates, and don't use the
optional static key. Validate, and click on the link "Display a functional
client configuration file".
You'll have something like:
rport 1194
proto udp
dev tap
nobind
remote server.somedomain.com
ns-cert-type server
# Replace user.p12 with the certificate
# bundle in PKCS12 format
pkcs12 myown.p12
# You can replace the pkcs12
# directive with the old ones
#ca cacert.pem
#cert user.pem
#key user-key.pem
mtu-test
comp-lzo
pull
Note that the tls-client directive is missing. If you try to use this config
file on a client, you'll get the error message:
"Options error: Parameter pkcs12_file can only be specified in TLS-mode, i.e.
where --tls-server or --tls-client is also specified."
Now update the contrib to the latest version:
[r...@sme ~]# yum --enablerepo=smetest update smeserver-openvpn-bridge
[...]
[r...@sme ~]# rpm -q smeserver-openvpn-bridge
smeserver-openvpn-bridge-2.0-29.el4.sme
Go into the server-manager, and click on the link "Display a functional client
configuration file". You'll see something like:
rport 1194
proto udp
dev tap
nobind
remote server.somedomain.com
tls-client
ns-cert-type server
auth-user-pass
# Replace user.p12 with the certificate
# bundle in PKCS12 format
pkcs12 user.p12
# You can replace the pkcs12
# directive with the old ones
#ca cacert.pem
#cert user.pem
#key user-key.pem
mtu-test
comp-lzo
pull
As you can see, the tls-client directive is present. The config file can be
used by clients.
I'm leaving it as fixed, in case someone else wants to verify.
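
The check described in the comment above, as an added example that is not part of the original report or of smeserver-openvpn-bridge: a small linter that flags certificate directives in an OpenVPN client config when no TLS mode directive is present. The names TLS_MODE, TLS_ONLY, parse_directives and check_tls_mode are hypothetical, and the directive list is an assumed subset limited to the directives shown in the configs above.

```python
# Added example: flags certificate directives used without TLS mode.
# Not part of smeserver-openvpn-bridge or OpenVPN.

# Directives that put OpenVPN in TLS mode; "client" implies tls-client + pull.
TLS_MODE = {"tls-client", "tls-server", "client"}
# Certificate directives seen in the configs above (assumed subset, not the
# full list of options OpenVPN restricts to TLS mode).
TLS_ONLY = {"pkcs12", "ca", "cert", "key"}

# Abridged from the 2.0-27 client config in the comment (help comments dropped).
BEFORE = """\
rport 1194
proto udp
dev tap
nobind
remote server.somedomain.com
ns-cert-type server
pkcs12 myown.p12
#ca cacert.pem
#cert user.pem
#key user-key.pem
mtu-test
comp-lzo
pull
"""
# Constructed: the same config with only tls-client added.
AFTER = BEFORE.replace("ns-cert-type", "tls-client\nns-cert-type")


def parse_directives(text):
    """Return (line_number, name) for each active directive.

    Text after '#' or ';' is treated as a comment; quoting is not handled.
    """
    found = []
    for number, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            found.append((number, words[0].lstrip("-")))
    return found


def check_tls_mode(text):
    """Return TLS-only directives present while no TLS mode directive is set."""
    directives = parse_directives(text)
    if any(name in TLS_MODE for _, name in directives):
        return []
    return [(n, name) for n, name in directives if name in TLS_ONLY]
```

Running check_tls_mode over the generated client config before handing it to users catches the regression without needing a client to connect.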