Topic: TrustConnect client for RedHat and Ubuntu systems

fantab
Re: TrustConnect client for RedHat and Ubuntu systems
« Reply #30 on: October 04, 2015, 07:05:45 AM »
DEPRECATED OPTION: --tls-remote, please update your configuration

I am having a problem connecting to CTC because of the deprecated --tls-remote option.
I am on Ubuntu 15.04.

OpenVPN seems to have deprecated the '--tls-remote' option, and consequently CTC is not connecting.

The following from the openvpn manpage clarifies that:
Quote
--tls-remote name (DEPRECATED)
    Accept connections only from a host with X509 name or common name equal to name. The remote host must also pass all other tests of verification.

    NOTE: Because tls-remote may test against a common name prefix, only use this option when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option when your client certificates are signed by a third party, such as a commercial web CA.

    Name can also be a common name prefix, for example if you want a client to only accept connections to "Server-1", "Server-2", etc., you can simply use --tls-remote Server

    Using a common name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

    --tls-remote is a useful replacement for the --tls-verify option to verify the remote host, because --tls-remote works in a --chroot environment too.

    Please also note: This option is now deprecated. It will be removed either in OpenVPN v2.4 or v2.5. So please make sure you support the new X.509 name formatting described with the --compat-names option as soon as possible by updating your configurations to use --verify-x509-name instead.

--verify-x509-name name type
    Accept connections only if a host's X.509 name is equal to name. The remote host must also pass all other tests of verification.

    Which X.509 name is compared to name depends on the setting of type. type can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the --x509-username-field option. But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:

    --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and --verify-x509-name Server-1 name or you could use --verify-x509-name Server- name-prefix if you want a client to only accept connections to "Server-1", "Server-2", etc.

    --verify-x509-name is a useful replacement for the --tls-verify option to verify the remote host, because --verify-x509-name works in a --chroot environment without any dependencies.

    Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

    NOTE: Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA.

I am unable to connect to my free CTC account and I get the following feedback:
Code:
Sun Oct  4 15:52:59 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
I request the forum to help me make the appropriate adjustment to the configuration and get CTC going...

Regards.

fantab
Re: TrustConnect client for RedHat and Ubuntu systems
« Reply #31 on: January 03, 2017, 10:36:29 PM »
Hi,
Still need help in updating the free_client.conf file to work with openvpn 2.4 in Linux.
Since the latest openvpn upgrade to 2.4 in Linux, CTC is unusable and requires me to upgrade the said file with relevant changes.
 
I hope someone at Comodo can help me now (my previous request went unanswered).
CTC is very valuable to me. Any help is gratefully welcome. Please.
Thanks.
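
An added example, not part of the forum posts and not code from Comodo or OpenVPN: a Python helper that rewrites tls-remote lines in an OpenVPN client config into the verify-x509-name form quoted from the man page in Reply #30. The hostnames and the sample config are constructed, and the slash-style DN conversion assumes the older "/C=../CN=.." formatting with no "/" inside a value.

```python
import shlex

# Constructed sample config (hypothetical hosts, not the real free_client.conf).
SAMPLE = """client
remote vpn.example.test 443
# tls-remote old.example.test
tls-remote vpn.example.test
tls-remote /C=KG/ST=NA/L=Bishkek/CN=Server-1
"""

def _quote(value):
    # Quote the way the man page example does when the value has spaces.
    return "'%s'" % value if any(c.isspace() for c in value) else value

def migrate_line(line):
    """Rewrite one config line; anything that is not tls-remote passes through."""
    body = line.strip()
    if not body or body[0] in "#;":
        return line                      # blank line or comment
    try:
        tokens = shlex.split(body)
    except ValueError:
        return line                      # unbalanced quotes: review by hand
    if len(tokens) != 2 or tokens[0] != "tls-remote" or "'" in tokens[1]:
        return line                      # unexpected shape: review by hand
    name = tokens[1]
    if name.startswith("/"):
        # Assumption: old-style DN such as "/C=KG/CN=Server-1".
        name = ", ".join(part for part in name.split("/") if part)
        kind = "subject"
    elif "=" in name:
        kind = "subject"                 # already a full subject DN
    else:
        # tls-remote also accepted a CN prefix. "name" demands an exact
        # match, so a prefix-style value is never widened to name-prefix
        # here (the man page warns against that with a third-party CA).
        kind = "name"
    return "verify-x509-name %s %s\n" % (_quote(name), kind)

def migrate_config(text):
    """Apply migrate_line to every line of a config file's text."""
    return "".join(migrate_line(l) for l in text.splitlines(keepends=True))

if __name__ == "__main__":
    print(migrate_config(SAMPLE), end="")
```

If the old value was relied on as a prefix, the exact-match "name" output will stop connecting until the server's full common name is filled in.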

 
