OpenVPN Failing

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenVPN Failing

Leslie Rhorer
     Hello.

     I am attempting to set up a new openVPN server and client, but the
SSL handshake is failing.  I searched and found several references to
this issue, but all except one are several years old and all reference
the now-deprecated ns-cert-type certificate. The one question I found
that attempts to use the recommended remote-cert-tls has had no answer
in over  year and a half.  What is the proper means of getting this to work?

openvpn.log:

Sat Feb  1 14:42:29 2020 us=722533 192.168.1.1:1194
SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Feb  1 14:54:29 2020 us=628949 MULTI: multi_create_instance called
Sat Feb  1 14:54:29 2020 us=629093 192.168.1.1:1194 Re-using SSL/TLS context
Sat Feb  1 14:54:29 2020 us=629104 192.168.1.1:1194 LZO compression
initializing
Sat Feb  1 14:54:29 2020 us=629168 192.168.1.1:1194 Control Channel MTU
parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Feb  1 14:54:29 2020 us=629177 192.168.1.1:1194 Data Channel MTU
parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb  1 14:54:29 2020 us=629205 192.168.1.1:1194 Local Options String
(VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb  1 14:54:29 2020 us=629213 192.168.1.1:1194 Expected Remote
Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu
1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method
2,tls-client'
Sat Feb  1 14:54:29 2020 us=629233 192.168.1.1:1194 TLS: Initial packet
from [AF_INET]192.168.1.1:1194, sid=b12a3399 138996a5
Sat Feb  1 14:54:29 2020 us=650860 192.168.1.1:1194 VERIFY ERROR:
depth=0, error=unsupported certificate purpose: C=US, ST=TX, L=San
Antonio, O=Silicon Ventures, CN=RAID-Array, emailAddress=[hidden email]
Sat Feb  1 14:54:29 2020 us=650899 192.168.1.1:1194 OpenSSL:
error:1417C086:SSL routines:tls_process_client_certificate:certificate
verify failed
Sat Feb  1 14:54:29 2020 us=650908 192.168.1.1:1194 TLS_ERROR: BIO read
tls_read_plaintext error
Sat Feb  1 14:54:29 2020 us=650916 192.168.1.1:1194 TLS Error: TLS
object -> incoming plaintext read error
Sat Feb  1 14:54:29 2020 us=650923 192.168.1.1:1194 TLS Error: TLS
handshake failed

Here is the certificate according to openssl:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C = US, ST = TX, L = San Antonio, O = Silicon Ventures,
CN = RAID-Server, emailAddress = [hidden email]
         Validity
             Not Before: Jan 31 22:14:28 2020 GMT
             Not After : Jan 28 22:14:28 2030 GMT
         Subject: C = US, ST = TX, L = San Antonio, O = Silicon
Ventures, CN = RAID-Array, emailAddress = [hidden email]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (1024 bit)
                 Modulus:
         <deleted>
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Cert Type:
                 SSL Server
             Netscape Comment:
                 Easy-RSA Generated Server Certificate
             X509v3 Subject Key Identifier:
7D:07:5E:0C:68:9B:FE:C6:28:82:7C:17:FC:4D:DB:B3:E6:FE:37:5C
             X509v3 Authority Key Identifier:
keyid:58:8F:CA:57:37:71:D2:0D:56:66:D4:6C:35:8F:A8:EE:5C:B6:B5:36
                 DirName:/C=US/ST=TX/L=San Antonio/O=Silicon
Ventures/CN=RAID-Server/emailAddress=[hidden email]
                 serial:<deleted>

             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment
     Signature Algorithm: sha1WithRSAEncryption

     <deleted>

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


openssl.cnf:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd
openssl_conf        = openssl_init

[ openssl_init ]
oid_section        = new_oids
engines                 = engine_section

[ new_oids ]

[ ca ]

[ CA_default ]

policy        = policy_anything

[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
default_bits        = $ENV::KEY_SIZE
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes

string_mask = nombstr

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = $ENV::KEY_COUNTRY
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = $ENV::KEY_PROVINCE

localityName            = Locality Name (eg, city)
localityName_default        = $ENV::KEY_CITY

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = $ENV::KEY_ORG

organizationalUnitName        = Organizational Unit Name (eg, section)

commonName            = Common Name (eg, your name or your server\'s
hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_default        = $ENV::KEY_EMAIL
emailAddress_max        = 40

organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20

unstructuredName        = An optional company name

[ usr_cert ]

basicConstraints=CA:FALSE

nsComment            = "Easy-RSA Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

[ server ]

basicConstraints=CA:FALSE
nsCertType            = server
nsComment            = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

basicConstraints = CA:true

[ crl_ext ]

authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0


Reply | Threaded
Open this post in threaded view
|

Re: OpenVPN Failing

Matt Caswell-2


On 01/02/2020 21:10, Leslie Rhorer wrote:
> Sat Feb  1 14:54:29 2020 us=650860 192.168.1.1:1194 VERIFY ERROR:
> depth=0, error=unsupported certificate purpose: C=US, ST=TX, L=San
> Antonio, O=Silicon Ventures, CN=RAID-Array, emailAddress=[hidden email]
> Sat Feb  1 14:54:29 2020 us=650899 192.168.1.1:1194 OpenSSL:
> error:1417C086:SSL routines:tls_process_client_certificate:certificate
> verify failed

The error occurs processing the client certificate with an unsupported
purpose.

>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication

It's a client certificate but the key usage is for server authentication!?


> extendedKeyUsage=serverAuth

Perhaps try clientAuth?

Matt