Hello Patrick,

On 11/01/18 17:41, Patrick Schaaf wrote:
> Dear openvpn users,
>
> we've been running an openVPN setup with, among others, android and
> iOS clients, for several years now.
>
> This involves the usual easy-rsa generated client certificate setup,
> with an .ovpn file and .p12 key file distributed to our users.
>
> Recently, this kind of breaks.
>
> For Android, connections that were working before, timed out. A
> reinstall of the .p12 file was able to make it work again.
>

not sure why that broke - that part hasn't been touched during the last upgrades. The only thing I can think about is that the App has been migrated to the newest Android API level, therefore I can't rule out that this was the cause for the link to the identity/cert to be lost (but this is just a wild guess).

> Meanwhile, iOS clients (e.g. iOS 11.2.1, 11.2.2, openVPN app 1.2.5)
> are no longer able to connect at all. The .p12 certificate looks
> installed in the keystore, and can be reinstalled properly, but
> selecting the certificate says "No certificates are present in the
> Ke..."
>
> The server side did not change at all, recently. We already tried
> signing the keys with sha256 instead of md5, also tried with a freshly
> created client key, all to no avail. See below for the client config
> file we use (IPs and ca content redacted)
>
> Basic question: is this a known issue, does it happen to others, too,
> any idea how to get it to work again?
>

This is unfortunately a known change in behaviour.

In a nutshell: the App now has restricted access to the iOS keychain and can only retrieve items that were imported by the app itself.

This means that .p12 files manually imported via Safari/Mail are not accessible by OpenVPN Connect as they are handled by iOS directly.

In order to continue supporting the use of the keychain, we had to introduce a new file extension and associate it with OpenVPN Connect: .ovpn12

Therefore, in order to use your PKCS#12 files with OpenVPN Connect on iOS, you need to change their extension from .p12 to .ovpn12 and then proceed as usual.

When opening a .ovpn12 file with Safari/Mail, OpenVPN Connect will automatically show up and attempt to import the key material.

This detail should be covered by this item in our FAQ:

https://docs.openvpn.net/faqs/faq-regarding-openvpn-connect-ios/#How_do_I_use_a_client_certificate_and_private_key_from_the_iOS_Keychain

Hope this clarifies.

Regards,

--
Antonio Quartulli
OpenVPN Inc.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users