Discussion:
[Openvpn-users] "remote-cert-tls server" does not work
Joe Pipo
2008-09-21 20:08:46 UTC
Hi,

I am using OpenVPN 2.1_rc11 and, following the how-to, trying to use "remote-cert-tls server", but this does not work.

Here are the details (on Windows XP-SP2):

Setup flow:
===========
init-config
vars
clean-all
build-ca
build-key-server server
build-dh
openvpn --genkey --secret keys\ta.key
build-key client

Server config:
==============
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.11.12.0 255.255.255.0"
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Server files:
=============
ca.crt
dh1024.pem
server.crt
server.key
ta.key

Client config:
==============
client
dev tun
proto udp
remote the.remote.IP.com
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

Client files:
=============
ca.crt
client.crt
client.key
ta.key
If "remote-cert-tls server", is removed, it works.
Can you tell me what is wrong?
Thank you very much.
_________________________________________________________________
Call all your contacts for free with Windows Live Messenger! Download it now!
http://www.windowslive.fr/messenger/1.asp
Alon Bar-Lev
2008-09-24 05:52:34 UTC
Hello,

Please send the relevant log message while verb is 255.
Please attach the server certificate.

Alon.
Dave
2008-09-25 12:01:08 UTC
Sure, here's what's wrong: the easy RSA scripts do not produce certs that
can be used with the 'remote-cert-tls' features. The reason is that they do
not specify the 'key usage' or 'extended key usage' attributes.

I don't personally use easyRSA anymore, so I can't say what you would do to
change it, but I would suspect it's in the configuration file created by
init-config where you would have to modify.

Also, fair warning: the key usage and extended key usage must
_exactly_and_precisely_ match the usages indicated by

--remote-cert-ku
--remote-cert-eku

or the macro:

--remote-cert-tls client|server

meaning that what is indicated by the options is not a bitmask. So if you
have other key usages attached to that cert, then verification will fail.
You must _only_ have the usages specified in these options.

You can see what options are on your cert by executing

openssl x509 -noout -text -in certname.crt

I have attached 3 certs as examples of things that do and don't work.

chunky_vpn_server.crt - was created from easyRSA some years back -- doesn't
work
WRT54GLeku_server.cert - has needed usage, but also others -- doesn't work
WRT54GLeku_server_2.crt - has exact usage specified -- WORKS

To further add to the pain, the
--remote-cert-ku
usage is in hex, rather than human readable symbolics, and it's a
bit-string. I believe the following is correct for a two-byte bit-string:
Digital Signature 0x80
Non Repudiation 0x40
Key Encipherment 0x20
Data Encipherment 0x10
Key Agreement 0x08
Certificate Sign 0x04
CRL Sign 0x02
Encipher Only 0x01
(there's a Decipher Only as well, which I believe will add an 0x80 byte to
the end, but not sure).

-Dave
Joe Pipo
2008-09-25 23:12:33 UTC
"
Sure, here's what's wrong: the easy RSA scripts do not produce certs that can be used with the 'remote-cert-tls' features. The reason is that they do not specify the 'key usage' or 'extended key usage' attributes.
"
Hi Dave,

thanks a lot. It clarifies the first aspect of the issue. I had a close look at the easy-rsa scripts, and I am now able to add keyUsage and extendedKeyUsage information.

Now, the final step is to know what to include to match the "remote-cert-tls server" on the client side and "remote-cert-tls client" on the server side.
Do you know which settings I should use for keyUsage and extendedKeyUsage to match the remote-cert-tls settings?

Thank you !
Alon Bar-Lev
2008-09-26 06:33:00 UTC
You can look at easy-rsa-2.0 openssl.cnf file.
Alon Bar-Lev
2008-09-25 18:24:11 UTC
Post by Dave
I don't personally use easyRSA anymore, so I can't say what you would do to
change it, but I would suspect it's in the configuration file created by
init-config where you would have to modify.
I believe that the easy-rsa-2.0 was updated to issue certificates correctly.

Alon.
Joe Pipo
2008-10-04 22:57:14 UTC
Hi,

thanks to the support of Alon and Dave, it's working now.

easy-rsa2.0 is not provided with the standard download of OpenVPN. I had to look into the source code to find which settings to put to the keyUsage and extendedKeyUsage. I modified the easy-rsa (the one provided in the download package) in such a way:

Modify openssl.cnf.sample
-> add in [usr_cert]
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
-> add in [server]
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

then used the standard procedure to generate the server and client keys.

A modification of the How-To of the OpenVPN pages, showing these modifications, would help non-experts like me to properly configure these certificates. I hope this post will help more people as there is a solution posted now.

Thanks again !
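As an added example (not code from this thread, OpenVPN or easy-rsa), the following Python models the keyUsage/extendedKeyUsage check Dave describes, using the bit values from his table and the usages Joe reports as working: it encodes openssl.cnf or `openssl x509 -text` usage names to the hex byte --remote-cert-ku takes, and shows why the default sample's `nonRepudiation, digitalSignature, keyEncipherment` line fails against `remote-cert-tls server`. The presence-only treatment of extendedKeyUsage and the sample certificate text are this example's assumptions.

```python
"""Model of the keyUsage / extendedKeyUsage check behind OpenVPN's
--remote-cert-tls, as described in this thread.  Added example; not code
from OpenVPN or easy-rsa.  Expected usages come from Joe's working
openssl.cnf settings; the exact-match rule for keyUsage is Dave's."""
import re

# First KeyUsage byte, bit values as Dave lists them (RFC 5280 bit order,
# digitalSignature = bit 0 = MSB).  Keys are the openssl.cnf names; the names
# `openssl x509 -noout -text` prints ("Digital Signature", ...) are matched
# case-insensitively with spaces removed, plus one alias below.
KU_BITS = {
    "digitalSignature": 0x80, "nonRepudiation": 0x40, "keyEncipherment": 0x20,
    "dataEncipherment": 0x10, "keyAgreement": 0x08, "keyCertSign": 0x04,
    "cRLSign": 0x02, "encipherOnly": 0x01,
}
KU_ALIASES = {"certificatesign": "keyCertSign"}  # x509 -text name differs

# extendedKeyUsage: openssl.cnf short name -> name printed by x509 -text
EKU_TEXT = {"serverAuth": "TLS Web Server Authentication",
            "clientAuth": "TLS Web Client Authentication"}

# What --remote-cert-tls <mode> expects, from Joe's working [server] and
# [usr_cert] sections, as the hex byte --remote-cert-ku takes.
EXPECTED = {
    "server": (0xA0, "serverAuth"),  # digitalSignature, keyEncipherment
    "client": (0x80, "clientAuth"),  # digitalSignature
}


def _norm(name):
    return re.sub(r"\s+", "", name).lower()


def parse_key_usage(value):
    """'digitalSignature, keyEncipherment' or 'Digital Signature, Key
    Encipherment' -> b'\\xa0'.  decipherOnly is bit 8, so it lands as 0x80
    in a second byte, as Dave suspected.  Unknown names raise."""
    canon = {_norm(k): k for k in KU_BITS}
    first, second = 0, 0
    for part in value.split(","):
        n = _norm(part)
        if not n:
            continue
        if n == "decipheronly":
            second |= 0x80
            continue
        key = KU_ALIASES.get(n, canon.get(n))
        if key is None:
            raise ValueError(f"unknown keyUsage name: {part.strip()!r}")
        first |= KU_BITS[key]
    return bytes([first, second]) if second else bytes([first])


def check_remote_cert_tls(mode, key_usage, ext_key_usage):
    """Return (ok, reason) for a peer cert carrying these usages.  keyUsage
    must equal the expected byte exactly (extra bits fail, per Dave).  EKU is
    modelled as a presence check, which is this example's assumption."""
    want_ku, want_eku = EXPECTED[mode]
    ku = parse_key_usage(key_usage)
    ekus = {_norm(e) for e in ext_key_usage.split(",") if e.strip()}
    if not ekus & {_norm(want_eku), _norm(EKU_TEXT[want_eku])}:
        return False, f"extendedKeyUsage lacks {want_eku}"
    if ku != bytes([want_ku]):
        return False, (f"keyUsage {ku.hex()} != expected {want_ku:02x}; "
                       "OpenVPN wants an exact match, not a superset")
    return True, f"keyUsage {ku.hex()} and {want_eku} match"


def usages_from_x509_text(text):
    """Pull the keyUsage / EKU value lines out of `openssl x509 -noout -text`
    output (Dave's suggested check); empty string when an extension is absent."""
    def grab(label):
        m = re.search(label + r":.*\n\s*(.+)", text)
        return m.group(1).strip() if m else ""
    return grab("X509v3 Key Usage"), grab("X509v3 Extended Key Usage")


# Constructed excerpt of x509 -text output for a cert signed with Joe's
# [server] settings (not a real certificate from the thread).
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    cases = [  # (mode, keyUsage, extendedKeyUsage)
        ("server", "digitalSignature, keyEncipherment", "serverAuth"),  # Joe's [server]
        ("client", "digitalSignature", "clientAuth"),  # Joe's [usr_cert]
        ("server", "nonRepudiation, digitalSignature, keyEncipherment",
         "serverAuth"),  # commented-out line in the default sample: e0 != a0
        ("client", "digitalSignature, keyEncipherment", "clientAuth"),  # a0 != 80
        ("server", "digitalSignature, keyEncipherment", ""),  # no EKU at all
    ]
    for mode, ku, eku in cases:
        ok, why = check_remote_cert_tls(mode, ku, eku)
        print(f"remote-cert-tls {mode}: {'OK  ' if ok else 'FAIL'} {why}")
    print("from x509 text:", check_remote_cert_tls(
        "server", *usages_from_x509_text(SAMPLE_X509_TEXT)))
```

Feed `usages_from_x509_text` the output of `openssl x509 -noout -text -in certname.crt` to see which of Dave's three outcomes (no usage, superset, exact) a given certificate falls into.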
Alon Bar-Lev
2008-10-07 20:43:15 UTC
I just tried to update the windows build for new openssl with this.
But I see that the install script takes the openssl.cnf from
easy-rsa-2.0 which already contain these variables.
Are you sure you had to add this to openvpn installed using the latest installer?
Joe Pipo
2008-10-08 19:08:57 UTC
Hi Alon,

I downloaded OpenVPN 2.1_rc12 Windows Installer executable.
I do not see anything with rsa2.0 in the install dir.
Alon Bar-Lev
2008-10-09 16:28:14 UTC
Look at the openssl.cnf.sample; it should already contain the values you added.
Joe Pipo
2008-10-14 20:45:52 UTC
Hi Alon,

I had a look, and the openssl.sample contains "something" indeed, but must not be the good settings as it did not work by default.

in [user_cert] (called by default)
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
this is commented, so remote-cert-tls client will not work

[v3_req] (not used from what I see)
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

and they are quite different from what is needed for remote-cert-tls (at least from what I found in easy_rsa2.0)

So what I did, looking in easy_rsa2.0:
in [user_cert] (called by default)
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
in [server] (called when signing the server certificate)
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
That way remote-cert-tls server and remote-cert-tls client are working, which was not the case with the default openssl.sample settings.

Anyway, it's working now. If others can make it work with the default settings, good for them, else there is a solution posted here.

Thanks again for your support ! Greatly appreciated.
Alon Bar-Lev
2008-10-14 20:52:10 UTC
I don't understand.

1. Which version of installer do you use?
2. If you don't use latest, can you please test it out?
3. Can you please attach the default configuration you get?

Thanks!
Mike Wiseman
2008-09-26 16:43:41 UTC
Hi,

My --route-up scripts are failing to run under versions 2.1rc10 and rc12 of
the client on Windows Vista. They work fine under 2.1rc7. The error is:

openvpn_execve: external program may not be called due to setting of
--script-security level
Route script failed: external program did not execute -- returned error code
-1

The --route-up config is:

route-up 'START /B "My Window"
"%ProgramFiles%\\OpenVPN\\config\\my_script.bat"'

I see the notes in the latest Changelog regarding "implicit shell expansion
on script arguments" which seem to apply. But still, the fix reported
doesn't seem to help. Any advice is appreciated.

Mike
Joe Pipo
2008-10-15 19:25:58 UTC
Hi Alon,

1- I used OpenVPN Windows Installer for 2.1_rc12: http://openvpn.net/release/openvpn-2.1_rc12-install.exe
2- I checked, there is no difference between the openssl.cnf.sample of rc12 and rc13
3- I attach the default configuration file provided in the Windows Installer of the rc12

Might be ok for other platforms or in the source files, but you can simply install the 2.1_rc12 using the Windows Installer and verify by yourself. You will find what I described below.

Thanks.
