(Bug?) Zeroshell upgrade 3.6.0>3.7.0 OpenVPN X509+passwor

Forums Network Management ZeroShell (Bug?) Zeroshell upgrade 3.6.0>3.7.0 OpenVPN X509+passwor

  • This topic is empty.
Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
  • #44705

    I think I’ve found a (little, but it made me crazy, I spent a lot of hours on it) bug after I upgraded a ZS 3.6.0 to ZS 3.7.0.

    On this box I have configurated a “OpenVPN Host-to-LAN VPN with X.509, Kerberos 5 and Radius Authentication” with “X509+password” authentication in order to have RoadWarriors to connect to the LAN while out of office.

    Please note:
    – I used connecting from remote with ZS 3.6.0 configuration since months (also the day before upgrading!);
    – I did not change anything before/during/after upgrade
    – Upgrade process to ZS 3.7.0 process went fine without any error or issue.

    But, once remotely after upgrading to ZS 3.7.0, I wasn’t able to reconnect by OpenVPN GUI anymore with “Connection reset, restarting [0]”, “TCP/UDP: Closing socket” and “SIGUSR1[soft,connection-reset] received, process restarting” messages into log file.

    First I thought it was a certificat problem. So (by Remote Desktop from a local server) I renewed (only) users Certificates from Users > [username] > X509 > Revoke and then Renew (validity 3650). But this didn’t fix the problem, also because users Certificates were still valid!

    After a lot of test, I decided to compare a different 3.6.0 installation (another customer) with the upgraded to 3.7.0 one. They’re completely identical regarding OpenVPN configuration.

    I found a little difference in VPN > Section:
    X.509 Configuration > Authentication button. The window is called “Allow the X.509 VPN access with the certificates signed by the following Trusted CAs”.
    On the 3.6.0 the only item, the local ZS CA, was checked/ticked, on the 3.7.0 it wasn’t. I could bet it was checked too on (actual) ZS 3.7.0 box before upgrading.

    So, I simply check it on ZS 3.7.0 and OpenVPN client started working again.

    Next week I will upgrade also the other ZS 3.6.0 box, so I will verify if it is a bug while upgrading or I simply was unlucky with it. But I cannot do it before next week.

    I hope this could help somebody else to save time.

    Thank you for supporting us and to give me a feedback on it!


    Indeed you saved my time: I also got this issue after upgrading from 3.6 to 3.7.
    Fixed it ticking the authentication -> trusted CAs item.

    Thankyou again!



    So, it’s a bug. I hope Fulvio will fix asap.


    due to the way which the new OpenSSL create the hash of the certificates (MD5 -> SHA1) the Trusted CAs signing the certificates authorized to the X.509 access for VPN and captive portal services have to be flagged again.
    Sorry for the inconvenient.


    will we need to check the flag again after EACH upgrade (also from 3.7 to 3.7.1, for example) or this affected only passing to 3.7.0?


    I upgraded 3.7.0 -> 3.7.1 and didn’t need to flag again.
    So I would say the issue only affects * -> 3.7.0 upgrade


    I got the same issue… but very strangely not for all my users…
    migrating then to 3.7.1 and no issues

Viewing 7 posts - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.