Public bug reported:

The OpenVPN plugin for Network Manager does not have any mechanisms to
interpret tls-version-{min,max} directives for OpenVPN.

In Debian upstream, especially in Buster and Unstable, they disable TLS
1.0, 1.1, and 1.2 by default and use only TLS 1.3 by default.

Therefore, with OpenVPN servers that only use TLS 1.2 or older, it is
impossible to establish a tunnel to those locations *unless* you specify
tls-version-{min,max} in the configurations.

This can be done in OVPN files for OpenVPN directly, but there is
currently no mechanism to do this in the GUI.

This is tracked in Debian
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933177
as the original cause for TLS 1.3 support,
but if Ubuntu ever defaults OpenSSL to not have TLS 1.0-1.2 support
enabled by default, we will be out of luck.

Upstream, GNOME has not yet merged a merge request which would add this
option to the GUI:
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/merge_requests/15

Testing in Debian, the patch works against NetworkManager OpenVPN there.
I am currently testing these in Focal, Eoan, and Bionic to see if this
is something we can possibly include at a future date to fix this issue
long-term.

In the interim, this tracks the request to get these features in.

** Affects: network-manager-openvpn (Ubuntu)
Importance: Wishlist
Status: Triaged
--
https://bugs.launchpad.net/bugs/1849573
Title:
No way to specify tls-version-min or tls-version-max, please include
the config options in the GUI config panel.