No server certificate verification method has been enabled

Posted: Mon Jan 23, 2012 12:58 am
by HarvMan
Using Viscosity 1.3.5 (1120) to connect to OpenVPN 2.2.2 on a Synology DS712+ NAS.

Able to connect to VPN for file access and web browsing, no problems at all. However, the OpenVPN log shows "WARNING: No server certificate verification method has been enabled."

Also, how do I resolve subnet issue: "WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]"

(OpenVPN log - IPs etc. removed)
Jan 21 17:28:59: Viscosity 1.3.5 (1120)
Jan 21 17:28:59: Checking reachability status of connection...
Jan 21 17:29:01: Connection is reachable. Starting connection attempt.
Jan 21 17:29:02: OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Jan  4 2012
Jan 21 17:29:28: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Jan 21 17:29:28: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 21 17:29:28: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 21 17:29:29: LZO compression initialized
Jan 21 17:29:29: UDPv4 link local (bound): [undef]:1194
Jan 21 17:29:29: UDPv4 link remote: xx.xx.xx.xx:1194
Jan 21 17:29:29: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 21 17:29:29: [Snake_Oil_CA] Peer Connection Initiated with xx.xx.xx.xx:1194
Jan 21 17:29:31: TAP-WIN32 device [xxxxxxxxxx] opened: \\.\Global\{65963BF4-6A50-45C7-A0E2-510CCDAB42D1}.tap
Jan 21 17:29:31: Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {65963BF4-6A50-45C7-A0E2-510CCDAB42D1} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Jan 21 17:29:31: Successful ARP Flush on interface [65541] {65963BF4-6A50-45C7-A0E2-510CCDAB42D1}
Jan 21 17:29:36: WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

Re: No server certificate verification method has been enabl

Posted: Wed Jan 25, 2012 4:01 pm
by James
Hi HarvMan,

It's typically safe to ignore the "WARNING: No server certificate verification method has been enabled" message. It means you don't have the "Require Server nsCertType" option turned on (under the Options tab when editing your connection). You can try turning it on; however, the OpenVPN server must have been configured correctly for it to work.

As for the subnet conflict, please see the following support article. While it was originally written for the Mac version, it also applies for Windows users: http://www.thesparklabs.com/support/los ... tivity_on/

Cheers,
James

Re: No server certificate verification method has been enabled

Posted: Tue Sep 01, 2020 8:06 pm
by haraldh
Is it safe to assume that Viscosity still checks that the server certificate is signed with the CA-certificate even though that error occurs in the logs?

Re: No server certificate verification method has been enabled

Posted: Wed Sep 02, 2020 8:58 am
by Eric
Hi haraldh,
Tue Sep 01, 2020 8:06 pm, haraldh wrote:
Is it safe to assume that Viscosity still checks that the server certificate is signed with the CA-certificate even though that error occurs in the logs?
Yes, this is correct. nsCertType has been deprecated; for more information, please take a look at the remote-cert-tls command:

https://sparklabs.com/support/kb/articl ... e-cert-tls

This command requires that your server and client certificates are generated a certain way to be able to use it.

Regards,
Eric
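
An added example, not part of any post in this thread and not Viscosity or OpenVPN code: a small Python check that reads an OpenVPN client config and reports whether a CA is configured and whether any server-certificate verification directive (such as the remote-cert-tls command mentioned above) is set. The directive list and the `warning_expected` rule are assumptions based on the OpenVPN manual, and both sample configs are constructed.

```python
# Directives that restrict which CA-signed certificate is accepted as the server.
# Assumption: list based on the OpenVPN manual, not on anything in this thread.
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                 "verify-x509-name", "tls-remote", "tls-verify"}
DEPRECATED = {"ns-cert-type", "tls-remote"}

def audit_client_config(text):
    """Report which server-certificate checks an OpenVPN client config enables."""
    found, has_ca, inline = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside an inline <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            has_ca = has_ca or inline == "ca"
            continue
        words = line.split()
        name, args = words[0].lstrip("-"), words[1:]
        if name == "ca":
            has_ca = True
        elif name in SERVER_CHECKS:
            # On a client these two only check the server when set to "server".
            if name in ("remote-cert-tls", "ns-cert-type") and args[:1] != ["server"]:
                continue
            found.append(name)
    return {
        "ca_configured": has_ca,            # chain is validated against this CA
        "server_checks": found,
        "deprecated": [d for d in found if d in DEPRECATED],
        "warning_expected": not found,      # assumed condition for the log warning
    }

# Constructed sample configs (not taken from the thread).
WITHOUT_CHECK = """\
client
dev tun
remote vpn.example.com 1194 udp
ca ca.crt
# remote-cert-tls server
"""
WITH_CHECK = WITHOUT_CHECK + "remote-cert-tls server\n"

if __name__ == "__main__":
    for label, cfg in (("without", WITHOUT_CHECK), ("with", WITH_CHECK)):
        print(label, audit_client_config(cfg))
```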