Hello.
I am attempting to set up a new openVPN server and client, but the
SSL handshake is failing. I searched and found several references to
this issue, but all except one are several years old and all reference
the now-deprecated ns-cert-type certificate. The one question I found
that attempts to use the recommended remote-cert-tls has had no answer
in over year and a half. What is the proper means of getting this to work?
openvpn.log:
Sat Feb 1 14:42:29 2020 us=722533 192.168.1.1:1194
SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Feb 1 14:54:29 2020 us=628949 MULTI: multi_create_instance called
Sat Feb 1 14:54:29 2020 us=629093 192.168.1.1:1194 Re-using SSL/TLS context
Sat Feb 1 14:54:29 2020 us=629104 192.168.1.1:1194 LZO compression
initializing
Sat Feb 1 14:54:29 2020 us=629168 192.168.1.1:1194 Control Channel MTU
parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Feb 1 14:54:29 2020 us=629177 192.168.1.1:1194 Data Channel MTU
parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 1 14:54:29 2020 us=629205 192.168.1.1:1194 Local Options String
(VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb 1 14:54:29 2020 us=629213 192.168.1.1:1194 Expected Remote
Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu
1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method
2,tls-client'
Sat Feb 1 14:54:29 2020 us=629233 192.168.1.1:1194 TLS: Initial packet
from [AF_INET]192.168.1.1:1194, sid=b12a3399 138996a5
Sat Feb 1 14:54:29 2020 us=650860 192.168.1.1:1194 VERIFY ERROR:
depth=0, error=unsupported certificate purpose: C=US, ST=TX, L=San
Antonio, O=Silicon Ventures, CN=RAID-Array, emailAddress=lesrhorer@xxxxxxx
Sat Feb 1 14:54:29 2020 us=650899 192.168.1.1:1194 OpenSSL:
error:1417C086:SSL routines:tls_process_client_certificate:certificate
verify failed
Sat Feb 1 14:54:29 2020 us=650908 192.168.1.1:1194 TLS_ERROR: BIO read
tls_read_plaintext error
Sat Feb 1 14:54:29 2020 us=650916 192.168.1.1:1194 TLS Error: TLS
object -> incoming plaintext read error
Sat Feb 1 14:54:29 2020 us=650923 192.168.1.1:1194 TLS Error: TLS
handshake failed
Here is the certificate according to openssl:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, ST = TX, L = San Antonio, O = Silicon Ventures,
CN = RAID-Server, emailAddress = lesrhorer@xxxxxxx
Validity
Not Before: Jan 31 22:14:28 2020 GMT
Not After : Jan 28 22:14:28 2030 GMT
Subject: C = US, ST = TX, L = San Antonio, O = Silicon
Ventures, CN = RAID-Array, emailAddress = lesrhorer@xxxxxxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
<deleted>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
7D:07:5E:0C:68:9B:FE:C6:28:82:7C:17:FC:4D:DB:B3:E6:FE:37:5C
X509v3 Authority Key Identifier:
keyid:58:8F:CA:57:37:71:D2:0D:56:66:D4:6C:35:8F:A8:EE:5C:B6:B5:36
DirName:/C=US/ST=TX/L=San Antonio/O=Silicon
Ventures/CN=RAID-Server/emailAddress=lesrhorer@xxxxxxx
serial:<deleted>
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
<deleted>
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
openssl.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
oid_section = new_oids
engines = engine_section
[ new_oids ]
[ ca ]
[ CA_default ]
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s
hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "Easy-RSA Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0