[Openvpn-users] Certificate does not have key usage extension
John Espiro
2011-01-09 22:24:10 UTC
Sorry to bother the list again... I've had openvpn running fine for some
time and have found answers to most of my questions either through a
book or through archives of the mail list. This time, I am a bit stumped.

I blew away all of my certs and re-created them (server and client). At
first, when I tried to connect, I was getting "Certificate does not have
key usage extension" in the client log, so I followed this post
http://openvpn.net/archive/openvpn-devel/2006-11/msg00024.html and added
the two lines to openssl.cnf. After creating new certs, I cannot
connect. While the client logs look OK, the server clearly points to a
problem. Thing is, I only find a couple of posts on Google that don't
seem to help.

server log:

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu
1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth
SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Expected Remote Options String: 'V4,dev-type tun,link-mtu
1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher
AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Local Options hash (VER=V4): '162b04de'
Expected Remote Options hash (VER=V4): '9e7066d2'
TLS: Initial packet from 80.125.173.175:51984, sid=36169876 76ab0999
VERIFY OK: depth=1,
/C=XX/ST=XX/L=XXX/O=XXX/CN=OpenVPN-CA/emailAddress=***@XXX.com
Certificate does not have key usage extension
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed



client log:

OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov
30 2010
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call
user-defined scripts or executables
Control Channel Authentication: using 'folder/ta.key' as a OpenVPN
static key file
Outgoing Control Channel Authentication: Using 160 bit message hash
'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash
'SHA1' for HMAC authentication
LZO compression initialized
Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[8192->8192] S=[8192->8192]
Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu
1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth
SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu
1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher
AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Local Options hash (VER=V4): '9e7332d2'
Expected Remote Options hash (VER=V4): '162141de'
UDPv4 link local: [undef]
UDPv4 link remote: <domain>:1194
us=578000 TLS: Initial packet from <domain>:1194, sid=235a9fc1 911c541f
VERIFY OK: depth=1,
/C=XX/ST=XX/L=XXX/O=XXX/CN=OpenVPN-CA/emailAddress=***@XXX.com
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects
TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0,
/C=XX/ST=XX/O=AXXX/CN=server/emailAddress=***@XXX.com
John Espiro
2011-01-09 22:49:52 UTC
In the user cert part, I didn't have:
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

I am trying that now... before anyone spends any cycles with this...
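As an added example, not part of the thread, the following shell script builds a throwaway CA, issues one client certificate with the two extension lines above and one without them, and checks each for the Key Usage / Extended Key Usage values that OpenVPN's KU and EKU verification in the logs above looks for. It assumes only the openssl command-line tool; the file names and the Example-CA subject are constructed for the example.

```shell
#!/bin/sh
# Constructed example: sign two client certs and check their KU/EKU extensions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension file carrying the two lines added to the user-cert section
# of openssl.cnf in the post above.
cat > client_ext.cnf <<'EOF'
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway self-signed CA (constructed subject, 1-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example-CA" -days 1 2>/dev/null

# Client key and CSR, signed twice: with the extension file and without it.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client" 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client_ok.crt -days 1 -extfile client_ext.cnf 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client_noext.crt -days 1 2>/dev/null

# check_cert_ku FILE: exit 0 when the certificate carries keyUsage
# digitalSignature AND extendedKeyUsage clientAuth (what a server checking
# client certs expects), exit 1 otherwise. Works on the -text dump so it
# runs on old and new openssl versions alike.
check_cert_ku() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

if check_cert_ku client_ok.crt; then echo "client_ok.crt: KU/EKU present"; fi
if ! check_cert_ku client_noext.crt; then echo "client_noext.crt: KU/EKU missing"; fi
```

Run check_cert_ku against a real client certificate before handing it out; a certificate that fails it will produce the "Certificate does not have key usage extension" / "VERIFY KU ERROR" lines seen in the server log.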