OpenVPN Failing

Hello.

I am attempting to set up a new OpenVPN server and client, but the SSL handshake is failing. I searched and found several references to this issue, but all except one are several years old and all reference the now-deprecated ns-cert-type certificate. The one question I found that attempts to use the recommended remote-cert-tls has had no answer in over a year and a half. What is the proper means of getting this to work?

openvpn.log:

Sat Feb  1 14:42:29 2020 us=722533 192.168.1.1:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Feb  1 14:54:29 2020 us=628949 MULTI: multi_create_instance called
Sat Feb  1 14:54:29 2020 us=629093 192.168.1.1:1194 Re-using SSL/TLS context
Sat Feb  1 14:54:29 2020 us=629104 192.168.1.1:1194 LZO compression initializing
Sat Feb  1 14:54:29 2020 us=629168 192.168.1.1:1194 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Feb  1 14:54:29 2020 us=629177 192.168.1.1:1194 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb  1 14:54:29 2020 us=629205 192.168.1.1:1194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb  1 14:54:29 2020 us=629213 192.168.1.1:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Feb  1 14:54:29 2020 us=629233 192.168.1.1:1194 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=b12a3399 138996a5
Sat Feb  1 14:54:29 2020 us=650860 192.168.1.1:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=TX, L=San Antonio, O=Silicon Ventures, CN=RAID-Array, emailAddress=lesrhorer@xxxxxxx
Sat Feb  1 14:54:29 2020 us=650899 192.168.1.1:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sat Feb  1 14:54:29 2020 us=650908 192.168.1.1:1194 TLS_ERROR: BIO read tls_read_plaintext error
Sat Feb  1 14:54:29 2020 us=650916 192.168.1.1:1194 TLS Error: TLS object -> incoming plaintext read error
Sat Feb  1 14:54:29 2020 us=650923 192.168.1.1:1194 TLS Error: TLS handshake failed

Here is the certificate according to openssl:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = TX, L = San Antonio, O = Silicon Ventures, CN = RAID-Server, emailAddress = lesrhorer@xxxxxxx
        Validity
            Not Before: Jan 31 22:14:28 2020 GMT
            Not After : Jan 28 22:14:28 2030 GMT
        Subject: C = US, ST = TX, L = San Antonio, O = Silicon Ventures, CN = RAID-Array, emailAddress = lesrhorer@xxxxxxx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
        <deleted>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier:
                7D:07:5E:0C:68:9B:FE:C6:28:82:7C:17:FC:4D:DB:B3:E6:FE:37:5C
            X509v3 Authority Key Identifier:
                keyid:58:8F:CA:57:37:71:D2:0D:56:66:D4:6C:35:8F:A8:EE:5C:B6:B5:36
                DirName:/C=US/ST=TX/L=San Antonio/O=Silicon Ventures/CN=RAID-Server/emailAddress=lesrhorer@xxxxxxx
                serial:<deleted>

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption

    <deleted>

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


openssl.cnf:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd
openssl_conf        = openssl_init

[ openssl_init ]
oid_section        = new_oids
engines                 = engine_section

[ new_oids ]

[ ca ]

[ CA_default ]

policy        = policy_anything

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
default_bits        = $ENV::KEY_SIZE
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes

string_mask = nombstr

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = $ENV::KEY_COUNTRY
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = $ENV::KEY_PROVINCE

localityName            = Locality Name (eg, city)
localityName_default        = $ENV::KEY_CITY

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = $ENV::KEY_ORG

organizationalUnitName        = Organizational Unit Name (eg, section)

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_default        = $ENV::KEY_EMAIL
emailAddress_max        = 40

organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20

unstructuredName        = An optional company name

[ usr_cert ]

basicConstraints=CA:FALSE

nsComment            = "Easy-RSA Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

[ server ]

basicConstraints=CA:FALSE
nsCertType            = server
nsComment            = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

basicConstraints = CA:true

[ crl_ext ]

authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
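The "unsupported certificate purpose" line in the log above is OpenSSL's certificate purpose check: while processing the client's certificate, the server asks whether that certificate is valid for the "SSL client" purpose, and the `openssl x509 -purpose` output above answers "SSL client : No" for it (it carries nsCertType server and the serverAuth extended key usage). The script below is an added example, not code from the original post; it builds a throwaway CA and issues one certificate with the `[ server ]` extension values and one with the `[ usr_cert ]` values from an Easy-RSA style openssl.cnf, then runs the same purpose check from the command line. The names Example-CA, server and client and the temporary working directory are assumptions of the example; it assumes only that the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL's
# certificate "purpose" check with the openssl CLI alone.  A throwaway CA
# issues one certificate with the [ server ] extension profile and one with
# the [ usr_cert ] profile from an Easy-RSA style openssl.cnf; each is then
# verified for the role it would play in an OpenVPN handshake.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed req config: used for every key/CSR here, and its x509_extensions
# section marks the throwaway CA certificate as a CA.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf profiles: the same extension values as Easy-RSA's [ server ] and
# [ usr_cert ] sections (nsComment and the identifier extensions omitted).
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
nsCertType       = server
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature,keyEncipherment
EOF
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage         = digitalSignature
EOF

# Throwaway, self-signed CA (constructed for this example only).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/req.cnf" -subj "/CN=Example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME EXTFILE: key + CSR for NAME, signed by the throwaway CA
# with the extensions listed in EXTFILE.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# check_purpose NAME PURPOSE: prints "ok" when NAME's certificate chains to
# the CA and satisfies PURPOSE (sslclient or sslserver), "fail" otherwise.
# This is the check OpenSSL applies to the peer certificate in a handshake,
# and a "fail" here corresponds to "unsupported certificate purpose".
check_purpose() {
    if openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 \
        | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

issue_cert server "$WORK/server.ext"
issue_cert client "$WORK/client.ext"

# Show, for each leaf, both verdicts and the matching lines of
# "openssl x509 -purpose" (the same report quoted in the post).
for name in server client; do
    echo "$name certificate: sslserver=$(check_purpose "$name" sslserver) sslclient=$(check_purpose "$name" sslclient)"
    openssl x509 -in "$WORK/$name.crt" -noout -purpose | grep -E '^SSL (client|server) :'
done
```

Run it as a plain script; the output shows the server-profile certificate passing `sslserver` and failing `sslclient`, and the client-profile certificate the other way round. The practical check for a deployment is therefore `openssl verify -purpose sslclient -CAfile ca.crt <cert>` on the certificate installed on each client and `-purpose sslserver` on the server's, before looking anywhere else for a handshake failure.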
