I re-submit the email and this is the ticket:
Ticket#2014030366000572
We have tested and progressively went back through prior ROS versions until we found one where certificate management worked. You have to go back to 6.3. I think someone else mentioned this.
Any release after 6.3 certificate authority certs and keys cannot be properly imported, particularly from self signing in OpenSSL.
Funny thing is that if you install certs in 6.3 and then upgrade the certs remain functional.
I would guess that most of this issues with SSTP, OVPN, SSL etc are related to this issue. We did not notice until now because we were not installing new certificates, just upgrading systems with already installed certificates.
i started with 6.7 on a 2011. self signed. no issues with sstp both in a ptp, and with windows clients
RB433UAH power 24V 2A
RouterOS 6.11rc1 error wireless (load high trafic p/s P2P)
2x error miniPCI card stop working /48hours
version 6.x - 6.10 the same configuration > OK , no error wireless
The certificates work, CAs don’t get imported as CAs.
Another interesting bug affecting all 6.5+ releases (probably earlier also)…
Somehow the route marking stopped working suddenly on my CRS-125 (with 6.7 FW). Rebooted several times from software, tried to fix this, including upgrade to 6.10, downgrade down to 6.5 with no result.
More precisely the packets passed the marking mangle rules but they all went out on the default gateway, not the default one for marked packets.
Now after PULLING THE PLUG on the router and starting it up again, all worked normally with the original configuration.
IMHO this seems to me as a RAM region not wiped out properly on reboot/restart keeping a data corruption in place.
Be more specific what do you mean by “not imported as CA”.
With 6.10 the loadbalancer on my RB2011 does not work properly anymore ( during streaming or opening some websites connection stops / interrupts ) . The setting was configured with 6.3 and continously upgraded . Till 6.9 everything worked really smooth, but 6.10 seems to have some serious bugs,…
Not(!) expression doesn’t work in firewall → filter rules → add → advanced → content section (maybe in other sections too)on ROS 6.10
Upgraded a RB2011UiAS-2HnD without any problems from 6.9 to 6.10.
Upgraded a RB450G with the following problem: upon reboot I had no internet access, I waited for about 2 minutes, tried to log in via web interface, which would not respond, so I rebooted again via serial console. After about a minute later everything was ok. The Log file got erased, but after the first reboot (when the upgrade got applied) over the second one until a web login no faults were recorded in the log. May have been a routing issue.
"Encryption negotiation rejected”
This is a SSTP configuration error, not a bug. Please check your config. I see several people with this config mistake. For the PPP profile that you use in SSTP, turn off encryption, this setting is only used for PPTP. If you have enabled encryption in the PPP profile and use it for SSTP, you will get this error.
If I import a self signed certificate, it works.
But if I import the CA certificate (self issued, PEM, created with easyrsa, works in windows and linux), it is not recognized as root CA certificate (does not show a A besides the T). It is just treated as any other certificate.
If I remember correctly, in early ROS versions, one could set the ca property to yes in the console. This is not possible any more, being a read only property.
As Doc Marcus says, importing at CA does not work correctly. StartSSL CA certs seem to work. CACert CA does not. Self signed certs generated on Windows or Linux under easy-rsa from OpenVPN or from OpenSSL do not work. The certs are not recognized as CA certs, only normal certs and we have issues with negotiating connections under certificated services such as OpenVPN, SSTP etc.
As I posted earlier, certificates import appears to have stopped working with the implementation of 6.4. We did not notice, because upgrades of systems with already installed certs worked fine.
There must be some sort of incompatibilities between the encryption libraries in ROS and the versions of OpenSSL we and CACert are using.
BTW, there are no problems like this with OpenWRT.
This problem is really irritating. Wish that there was some regression testing of ROS before it gets released. It just seems that quality control is left to us users.
May i use ROS 6.10 in RB750 ?
Yes I used it on RB750 basic configuration no problem. For now up time is 15 days.
Another bug: ( http://forum.mikrotik.com/t/userman-bug-cannot-add-limitation-via-console-script/74894/5 )
user-manager profile limitation can not be added via console if the default customer “admin” are renamed.
Adding a profile like “/tool user-manager profile limitation add name=Staff” (etc.) suppose that the owner is admin, the owner of the limitation are not declarable on console.
Thanks to user “beepee” for help me.
Copper SFP-module OptiCin stopped working in v6.10 (but working good in v6.7), just not running in CRS125-24G-1S-2HnD
We use a RB750G at the office.
Generally speaking everything is well, but as in previous posts mentioned we have strange stability problems with VPN connections!
Both with OpenVPN and L2TP/IPSec connections sometimes totally stop working. (In case of OpenVPN there is TLS failed error in LOG which was mentioned by someone else already!) Regarding the L2TP/IPSec VPN connections after a while cannot be establish a connection at all!) To resolve these VPN issues only the reboot the right solution according to my experiences.
Temporary now I went back to RouterOS v6.7, it seems to be the above mentioned VPN issues are gone!
PS.: Just a stupid question, is there any archive where we can find previous RouterOS version for download?!
You can temporary get rid of this TLS error by setting reneg-sec 0 on ovpn server.
Problem will be fixed in next release.
What’s new in 6.11rc1 (2014-Mar-06 15:05):
*) wireless - add auto frequency feature;
What is auto frequency feature? As I can see on my test router it changes frequency but there is
no any explanation how this work exactly (it works too quickly for “complete scan and select the best channel” mode).
What’s new in 6.11rc1 (2014-Mar-06 15:05):
*) ppp - default-encryption bug solved
http://forum.mikrotik.com/t/problem-with-mount-point/94/1
I just tested this build and the bug disappeared.
Where I can download officially beta / release candidate version without googling?
Thanks.