• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 20509

OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I am trying to connect to my openvpn instance... I need another set of eyes on this.

The server is running with the following config:

dev tun0
proto udp
keepalive 10 120
tls-auth /tmp/openvpn/ta.key 0
cipher AES-256-CBC
max-clients 10
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
crl-verify /tmp/openvpn/crl.pem

The client config is:

remote XXX 1194

client
remote-cert-tls server
#ns-cert-type server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
cipher AES-256-CBC
ca personal/ca.crt
cert personal/client1.crt
key personal/client1.key
tls-auth personal/ta.key 1

Log file below:

Mon Feb 09 18:35:17 2009 us=265000 VERIFY OK: depth=1, /C=XXX
Mon Feb 09 18:35:17 2009 us=265000 Certificate does not have key usage extension
Mon Feb 09 18:35:17 2009 us=265000 VERIFY KU ERROR
Mon Feb 09 18:35:17 2009 us=265000 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Feb 09 18:35:17 2009 us=265000 TLS Error: TLS object -> incoming plaintext read error
Mon Feb 09 18:35:17 2009 us=265000 TLS Error: TLS handshake failed
Mon Feb 09 18:35:17 2009 us=265000 TCP/UDP: Closing socket
Mon Feb 09 18:35:17 2009 us=265000 SIGUSR1[soft,tls-error] received, process restarting
Mon Feb 09 18:35:17 2009 us=265000 Restart pause, 2 second(s)
Mon Feb 09 18:35:19 2009 us=265000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Feb 09 18:35:19 2009 us=265000 Re-using SSL/TLS context
Mon Feb 09 18:35:19 2009 us=265000 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Feb 09 18:35:19 2009 us=265000 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Mon Feb 09 18:35:19 2009 us=265000 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Feb 09 18:35:19 2009 us=265000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Feb 09 18:35:19 2009 us=265000 Local Options hash (VER=V4): 'eXXX2'
Mon Feb 09 18:35:19 2009 us=265000 Expected Remote Options hash (VER=V4): '8aXXX82'
Mon Feb 09 18:35:19 2009 us=265000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 09 18:35:19 2009 us=265000 UDPv4 link local: [undef]
Mon Feb 09 18:35:19 2009 us=265000 UDPv4 link remote: XXX:1194
Mon Feb 09 18:35:19 2009 us=265000 TCP/UDP: Closing socket
Mon Feb 09 18:35:19 2009 us=265000 SIGTERM[hard,] received, process exiting
acrocat (Author) commented:
Thanks...

Link 1 is in German, so that doesn't help.
Link 2 talks about someone who has the error, but without a solution.

acrocat (Author) commented:
Here's the problem... I was using Windows and easy-rsa to generate the certs.

From the link here: http://osdir.com/ml/network.openvpn.devel/2006-11/msg00044.html

It seems that the certs are missing key information.

I updated my openssl.conf with the one here: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0/openssl.cnf and re-generated the certs.  Also, another workaround I found was to generate them on an ubuntu 8.10 box -- the conf file there was up to date.
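A check in the spirit of the fix above, added here as an example and not part of the original thread: it runs openssl against a certificate and reports whether the keyUsage and extendedKeyUsage values that the client's `remote-cert-tls server` option demands are present, and mints two constructed throwaway certificates to show both outcomes. The helper names `check_server_cert` and `make_samples` are my own, and the sample generation assumes an OpenSSL with `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added check (not from the original thread): confirm a server certificate carries
# the X.509v3 extensions OpenVPN's 'remote-cert-tls server' requires:
#   keyUsage with digitalSignature and keyEncipherment (or keyAgreement), and
#   extendedKeyUsage containing serverAuth.
# A cert minted from an easy-rsa openssl.cnf that lacks the 'server' extension
# section fails here for the same reason the client log shows VERIFY KU ERROR.

# check_server_cert CERT.pem -> exit 0 if usable as an OpenVPN server cert, 1 if not
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # The value line follows the extension name line in -text output.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n1)
    [ -n "$ku" ] || { echo "$1: no keyUsage extension"; return 1; }
    printf '%s' "$ku" | grep -q 'Digital Signature' \
        || { echo "$1: keyUsage lacks digitalSignature"; return 1; }
    printf '%s' "$ku" | grep -Eq 'Key Encipherment|Key Agreement' \
        || { echo "$1: keyUsage lacks keyEncipherment/keyAgreement"; return 1; }
    printf '%s' "$eku" | grep -q 'TLS Web Server Authentication' \
        || { echo "$1: extendedKeyUsage lacks serverAuth"; return 1; }
    echo "$1: OK (keyUsage and serverAuth present)"
    return 0
}

# Constructed, self-signed throwaway certificates to exercise the check:
# good.pem mirrors the 'server' section of the updated easy-rsa openssl.cnf,
# bad.pem has no usage extensions, like the certs the question was hitting.
make_samples() {
    dir=${1:-.}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn-server' \
        -keyout "$dir/good.key" -out "$dir/good.pem" \
        -addext 'keyUsage=digitalSignature,keyEncipherment' \
        -addext 'extendedKeyUsage=serverAuth' 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn-server' \
        -keyout "$dir/bad.key" -out "$dir/bad.pem" 2>/dev/null
}

# Usage against a real deployment: check_server_cert /tmp/openvpn/cert.pem
```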
