No server certificate verification method has been enabled

Post by HarvMan » Mon Jan 23, 2012 12:58 am
Using Viscosity 1.3.5 (1120) to connect to OpenVPN 2.2.2 on a Synology DS712+ NAS.

Able to connect to VPN for file access and web browsing, no problems at all. However, the OpenVPN log shows "WARNING: No server certificate verification method has been enabled."

Also, how do I resolve the subnet issue: "WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]"

(OpenVPN log - IPs etc. removed)
Jan 21 17:28:59: Viscosity 1.3.5 (1120)
Jan 21 17:28:59: Checking reachability status of connection...
Jan 21 17:29:01: Connection is reachable. Starting connection attempt.
Jan 21 17:29:02: OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Jan  4 2012
Jan 21 17:29:28: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Jan 21 17:29:28: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 21 17:29:28: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 21 17:29:29: LZO compression initialized
Jan 21 17:29:29: UDPv4 link local (bound): [undef]:1194
Jan 21 17:29:29: UDPv4 link remote: xx.xx.xx.xx:1194
Jan 21 17:29:29: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 21 17:29:29: [Snake_Oil_CA] Peer Connection Initiated with xx.xx.xx.xx:1194
Jan 21 17:29:31: TAP-WIN32 device [xxxxxxxxxx] opened: \\.\Global\{65963BF4-6A50-45C7-A0E2-510CCDAB42D1}.tap
Jan 21 17:29:31: Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {65963BF4-6A50-45C7-A0E2-510CCDAB42D1} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Jan 21 17:29:31: Successful ARP Flush on interface [65541] {65963BF4-6A50-45C7-A0E2-510CCDAB42D1}
Jan 21 17:29:36: WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

Post by James » Wed Jan 25, 2012 4:01 pm
Hi HarvMan,

It's typically safe to ignore the "WARNING: No server certificate verification method has been enabled" message. It means you don't have the "Require Server nsCertType" option turned on (under the Options tab when editing your connection). You can try turning it on; however, the OpenVPN server must have been configured correctly for it to work.

As for the subnet conflict, please see the following support article. While it was originally written for the Mac version, it also applies for Windows users: http://www.thesparklabs.com/support/los ... tivity_on/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Post by haraldh » Tue Sep 01, 2020 8:06 pm
Is it safe to assume that Viscosity still checks that the server certificate is signed with the CA-certificate even though that error occurs in the logs?

Post by Eric » Wed Sep 02, 2020 8:58 am
Hi haraldh,
haraldh wrote (Tue Sep 01, 2020 8:06 pm):
> Is it safe to assume that Viscosity still checks that the server certificate is signed with the CA-certificate even though that error occurs in the logs?

Yes, this is correct. nsCertType has been deprecated; for more information please take a look at the remote-cert-tls command:

https://sparklabs.com/support/kb/articl ... e-cert-tls

This command requires that your server and client certificates be generated a certain way.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
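
One way to check a client configuration for the condition behind this warning, as an added example that is not from the posters, SparkLabs or OpenVPN: it scans an OpenVPN config for directives that verify the server certificate beyond the CA signature. The directive list it counts and the sample configs are assumptions made for illustration.

```python
import shlex

# Assumption: the directives this sketch counts as server-certificate checks.
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                 "verify-x509-name", "tls-remote", "tls-verify"}
DEPRECATED = {"ns-cert-type", "tls-remote"}
NONE_MSG = ("no server certificate verification method: only the CA signature "
            "is checked, so any certificate that CA issued is accepted")

def parse_directives(text):
    """Return [(name, args)], skipping comments and inline <ca>...</ca> blocks."""
    out, block = [], None
    for line in map(str.strip, text.splitlines()):
        if block:                                  # inside an inline block
            if line == f"</{block}>":
                block = None
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            out.append((block, []))                # inline <ca> counts as "ca"
        elif line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                out.append((parts[0].lstrip("-"), parts[1:]))
    return out

def audit(text):
    """Return (checks_enabled, findings) for a client config."""
    checks, findings = [], []
    for name, args in parse_directives(text):
        if name not in SERVER_CHECKS:
            continue
        if name in ("remote-cert-tls", "ns-cert-type") and args[:1] != ["server"]:
            findings.append(f"{name} is not set to 'server'")
            continue
        checks.append(name)
        if name in DEPRECATED:
            findings.append(f"{name} is deprecated; use remote-cert-tls server")
    if not checks:
        findings.append(NONE_MSG)
    return checks, findings

# Constructed sample configs (hostname and file names are placeholders).
WEAK = "client\ndev tap\nremote vpn.example.invalid 1194\nca ca.crt\nauth-user-pass\n"
LEGACY = WEAK + "ns-cert-type server\n"
HARDENED = WEAK + "remote-cert-tls server  # server cert must carry matching usage\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, audit(cfg))
```
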