Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#1136 closed Bug / Defect (notabug)

crl-verify option doesn't work in chroot

Reported by: port
Owned by: Antonio Quartulli
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Hello,

When I start the server with the chroot option, I get this warning:
WARNING: Failed to stat CRL file, not (re)loading CRL.

And it is not possible to access it with a client:
Mon Oct 29 17:43:26 2018 us=5754 :60155 TLS_ERROR: BIO read tls_read_plaintext error
Mon Oct 29 17:43:26 2018 us=5778 :60155 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 29 17:43:26 2018 us=5801 :60155 TLS Error: TLS handshake failed
Mon Oct 29 17:43:26 2018 us=5906 :60155 SIGUSR1[soft,tls-error] received, client-instance restarting

Disabling crl-verify fixes the issue.

In config:
chroot /home/jail
crl-verify crl.pem

Thank you!

Change History (13)

comment:1 Changed 5 years ago by Antonio Quartulli

is the crl.pem available in the chroot folder?

comment:2 Changed 5 years ago by Antonio Quartulli

Milestone: release 2.4.6
Owner: set to Antonio Quartulli
Status: new → assigned
Version: easyrsa-3.x → OpenVPN 2.4.6 (Community Ed)

comment:3 in reply to: 1 Changed 5 years ago by port

Replying to Antonio:

is the crl.pem available in the chroot folder?

Yes

comment:4 Changed 5 years ago by Antonio Quartulli

can you show the full server config please? I just tested it here and it just works.

comment:5 Changed 5 years ago by port

# Secure OpenVPN Server Config

chroot /home/jail

# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5

# Certs
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Ciphers and Hardening
reneg-sec 0
remote-cert-tls client

crl-verify crl.pem

tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Drop Privs
user nobody
group nobody

# IP pool
server 172.31.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Misc
persist-key
persist-tun
comp-lzo

# DHCP Push options force all traffic through VPN and sets DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Logging
log-append /var/log/openvpn.log
verb 3


comment:6 Changed 5 years ago by Antonio Quartulli

thanks.
And I guess crl.pem is accessible by the user nobody, right?

Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.

comment:7 in reply to: 6 Changed 5 years ago by port

Replying to Antonio:

thanks.
And I guess crl.pem is accessible by the user nobody, right?

Just to clarify: crl.pem is accessed by openvpn every time a client connects. This way it can support runtime changes.

I tested several options, changed the owner, even tried giving full perms to crl.pem; nothing helps, always:
WARNING: Failed to stat CRL file, not (re)loading CRL.

comment:8 Changed 5 years ago by Antonio Quartulli

can you please confirm you are running 2.4.6?
would you also please provide a full server log with "verb 4"?

This needs further investigation as I can't reproduce it right now.

comment:9 Changed 5 years ago by port

openvpn --version
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@…>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

comment:10 Changed 5 years ago by port

Mon Oct 29 19:30:42 2018 us=394074 Current Parameter Settings:
Mon Oct 29 19:30:42 2018 us=394221 config = 'server.conf'
Mon Oct 29 19:30:42 2018 us=394245 mode = 1
Mon Oct 29 19:30:42 2018 us=394267 persist_config = DISABLED
Mon Oct 29 19:30:42 2018 us=394289 persist_mode = 1
Mon Oct 29 19:30:42 2018 us=394310 show_ciphers = DISABLED
Mon Oct 29 19:30:42 2018 us=394331 show_digests = DISABLED
Mon Oct 29 19:30:42 2018 us=394352 show_engines = DISABLED
Mon Oct 29 19:30:42 2018 us=394373 genkey = DISABLED
Mon Oct 29 19:30:42 2018 us=394395 key_pass_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=394416 show_tls_ciphers = DISABLED
Mon Oct 29 19:30:42 2018 us=394437 connect_retry_max = 0
Mon Oct 29 19:30:42 2018 us=394458 Connection profiles [0]:
Mon Oct 29 19:30:42 2018 us=394480 proto = udp
Mon Oct 29 19:30:42 2018 us=394502 local = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=394523 local_port = '1194'
Mon Oct 29 19:30:42 2018 us=394544 remote = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=394565 remote_port = '1194'
Mon Oct 29 19:30:42 2018 us=394587 remote_float = DISABLED
Mon Oct 29 19:30:42 2018 us=394607 bind_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=394629 bind_local = ENABLED
Mon Oct 29 19:30:42 2018 us=394650 bind_ipv6_only = DISABLED
Mon Oct 29 19:30:42 2018 us=394671 connect_retry_seconds = 5
Mon Oct 29 19:30:42 2018 us=394692 connect_timeout = 120
Mon Oct 29 19:30:42 2018 us=394713 socks_proxy_server = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=394734 socks_proxy_port = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=394755 tun_mtu = 1500
Mon Oct 29 19:30:42 2018 us=394776 tun_mtu_defined = ENABLED
Mon Oct 29 19:30:42 2018 us=394798 link_mtu = 1500
Mon Oct 29 19:30:42 2018 us=394819 link_mtu_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=394840 tun_mtu_extra = 0
Mon Oct 29 19:30:42 2018 us=394861 tun_mtu_extra_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=394882 mtu_discover_type = -1
Mon Oct 29 19:30:42 2018 us=394903 fragment = 0
Mon Oct 29 19:30:42 2018 us=394924 mssfix = 1450
Mon Oct 29 19:30:42 2018 us=394964 explicit_exit_notification = 0
Mon Oct 29 19:30:42 2018 us=394988 Connection profiles END
Mon Oct 29 19:30:42 2018 us=395009 remote_random = DISABLED
Mon Oct 29 19:30:42 2018 us=395030 ipchange = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395051 dev = 'tun'
Mon Oct 29 19:30:42 2018 us=395072 dev_type = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395093 dev_node = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395115 lladdr = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395136 topology = 3
Mon Oct 29 19:30:42 2018 us=395157 ifconfig_local = '172.31.100.1'
Mon Oct 29 19:30:42 2018 us=395178 ifconfig_remote_netmask = '255.255.255.0'
Mon Oct 29 19:30:42 2018 us=395200 ifconfig_noexec = DISABLED
Mon Oct 29 19:30:42 2018 us=395221 ifconfig_nowarn = DISABLED
Mon Oct 29 19:30:42 2018 us=395242 ifconfig_ipv6_local = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395263 ifconfig_ipv6_netbits = 0
Mon Oct 29 19:30:42 2018 us=395284 ifconfig_ipv6_remote = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395305 shaper = 0
Mon Oct 29 19:30:42 2018 us=395326 mtu_test = 0
Mon Oct 29 19:30:42 2018 us=395347 mlock = DISABLED
Mon Oct 29 19:30:42 2018 us=395369 keepalive_ping = 10
Mon Oct 29 19:30:42 2018 us=395390 keepalive_timeout = 120
Mon Oct 29 19:30:42 2018 us=395411 inactivity_timeout = 0
Mon Oct 29 19:30:42 2018 us=395432 ping_send_timeout = 10
Mon Oct 29 19:30:42 2018 us=395453 ping_rec_timeout = 240
Mon Oct 29 19:30:42 2018 us=395475 ping_rec_timeout_action = 2
Mon Oct 29 19:30:42 2018 us=395496 ping_timer_remote = DISABLED
Mon Oct 29 19:30:42 2018 us=395517 remap_sigusr1 = 0
Mon Oct 29 19:30:42 2018 us=395538 persist_tun = ENABLED
Mon Oct 29 19:30:42 2018 us=395559 persist_local_ip = DISABLED
Mon Oct 29 19:30:42 2018 us=395580 persist_remote_ip = DISABLED
Mon Oct 29 19:30:42 2018 us=395601 persist_key = ENABLED
Mon Oct 29 19:30:42 2018 us=395623 passtos = DISABLED
Mon Oct 29 19:30:42 2018 us=395644 resolve_retry_seconds = 1000000000
Mon Oct 29 19:30:42 2018 us=395665 resolve_in_advance = DISABLED
Mon Oct 29 19:30:42 2018 us=395694 username = 'nobody'
Mon Oct 29 19:30:42 2018 us=395716 groupname = 'nobody'
Mon Oct 29 19:30:42 2018 us=395738 chroot_dir = '/home/jail'
Mon Oct 29 19:30:42 2018 us=395759 cd_dir = '/etc/openvpn/server'
Mon Oct 29 19:30:42 2018 us=395780 selinux_context = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395801 writepid = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395823 up_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395844 down_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=395865 down_pre = DISABLED
Mon Oct 29 19:30:42 2018 us=395886 up_restart = DISABLED
Mon Oct 29 19:30:42 2018 us=395908 up_delay = DISABLED
Mon Oct 29 19:30:42 2018 us=395929 daemon = DISABLED
Mon Oct 29 19:30:42 2018 us=395974 inetd = 0
Mon Oct 29 19:30:42 2018 us=395996 log = ENABLED
Mon Oct 29 19:30:42 2018 us=396017 suppress_timestamps = DISABLED
Mon Oct 29 19:30:42 2018 us=396039 machine_readable_output = DISABLED
Mon Oct 29 19:30:42 2018 us=396060 nice = 0
Mon Oct 29 19:30:42 2018 us=396081 verbosity = 4
Mon Oct 29 19:30:42 2018 us=396102 mute = 0
Mon Oct 29 19:30:42 2018 us=396123 gremlin = 0
Mon Oct 29 19:30:42 2018 us=396144 status_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396165 status_file_version = 1
Mon Oct 29 19:30:42 2018 us=396187 status_file_update_freq = 60
Mon Oct 29 19:30:42 2018 us=396208 occ = ENABLED
Mon Oct 29 19:30:42 2018 us=396236 rcvbuf = 0
Mon Oct 29 19:30:42 2018 us=396258 sndbuf = 0
Mon Oct 29 19:30:42 2018 us=396279 mark = 0
Mon Oct 29 19:30:42 2018 us=396300 sockflags = 0
Mon Oct 29 19:30:42 2018 us=396321 fast_io = DISABLED
Mon Oct 29 19:30:42 2018 us=396342 comp.alg = 2
Mon Oct 29 19:30:42 2018 us=396363 comp.flags = 1
Mon Oct 29 19:30:42 2018 us=396385 route_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396406 route_default_gateway = '172.31.100.3'
Mon Oct 29 19:30:42 2018 us=396428 route_default_metric = 0
Mon Oct 29 19:30:42 2018 us=396449 route_noexec = DISABLED
Mon Oct 29 19:30:42 2018 us=396471 route_delay = 0
Mon Oct 29 19:30:42 2018 us=396492 route_delay_window = 30
Mon Oct 29 19:30:42 2018 us=396513 route_delay_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=396534 route_nopull = DISABLED
Mon Oct 29 19:30:42 2018 us=396556 route_gateway_via_dhcp = DISABLED
Mon Oct 29 19:30:42 2018 us=396577 allow_pull_fqdn = DISABLED
Mon Oct 29 19:30:42 2018 us=396598 management_addr = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396620 management_port = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396642 management_user_pass = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396663 management_log_history_cache = 250
Mon Oct 29 19:30:42 2018 us=396685 management_echo_buffer_size = 100
Mon Oct 29 19:30:42 2018 us=396706 management_write_peer_info_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396728 management_client_user = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396749 management_client_group = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396771 management_flags = 0
Mon Oct 29 19:30:42 2018 us=396792 shared_secret_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=396814 key_direction = 0
Mon Oct 29 19:30:42 2018 us=396835 ciphername = 'AES-256-CBC'
Mon Oct 29 19:30:42 2018 us=396856 ncp_enabled = ENABLED
Mon Oct 29 19:30:42 2018 us=396878 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Mon Oct 29 19:30:42 2018 us=396899 authname = 'SHA512'
Mon Oct 29 19:30:42 2018 us=396920 prng_hash = 'SHA1'
Mon Oct 29 19:30:42 2018 us=396956 prng_nonce_secret_len = 16
Mon Oct 29 19:30:42 2018 us=396980 keysize = 0
Mon Oct 29 19:30:42 2018 us=397002 engine = DISABLED
Mon Oct 29 19:30:42 2018 us=397023 replay = ENABLED
Mon Oct 29 19:30:42 2018 us=397044 mute_replay_warnings = DISABLED
Mon Oct 29 19:30:42 2018 us=397066 replay_window = 64
Mon Oct 29 19:30:42 2018 us=397087 replay_time = 15
Mon Oct 29 19:30:42 2018 us=397108 packet_id_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397130 use_iv = ENABLED
Mon Oct 29 19:30:42 2018 us=397151 test_crypto = DISABLED
Mon Oct 29 19:30:42 2018 us=397172 tls_server = ENABLED
Mon Oct 29 19:30:42 2018 us=397207 tls_client = DISABLED
Mon Oct 29 19:30:42 2018 us=397229 key_method = 2
Mon Oct 29 19:30:42 2018 us=397250 ca_file = '/etc/openvpn/easy-rsa/keys/ca.crt'
Mon Oct 29 19:30:42 2018 us=397272 ca_path = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397293 dh_file = '/etc/openvpn/easy-rsa/keys/dh.pem'
Mon Oct 29 19:30:42 2018 us=397315 cert_file = '/etc/openvpn/easy-rsa/keys/server.crt'
Mon Oct 29 19:30:42 2018 us=397336 extra_certs_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397358 priv_key_file = '/etc/openvpn/easy-rsa/keys/server.key'
Mon Oct 29 19:30:42 2018 us=397380 pkcs12_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397402 cipher_list = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
Mon Oct 29 19:30:42 2018 us=397423 tls_cert_profile = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397444 tls_verify = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397466 tls_export_cert = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397487 verify_x509_type = 0
Mon Oct 29 19:30:42 2018 us=397508 verify_x509_name = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=397529 crl_file = 'crl.pem'
Mon Oct 29 19:30:42 2018 us=397551 ns_cert_type = 0
Mon Oct 29 19:30:42 2018 us=397572 remote_cert_ku[i] = 65535
Mon Oct 29 19:30:42 2018 us=397593 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397615 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397636 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397657 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397690 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397712 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397734 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397755 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397776 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397797 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397818 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397839 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397861 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397882 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397903 remote_cert_ku[i] = 0
Mon Oct 29 19:30:42 2018 us=397924 remote_cert_eku = 'TLS Web Client Authentication'
Mon Oct 29 19:30:42 2018 us=397959 ssl_flags = 192
Mon Oct 29 19:30:42 2018 us=397982 tls_timeout = 2
Mon Oct 29 19:30:42 2018 us=398004 renegotiate_bytes = -1
Mon Oct 29 19:30:42 2018 us=398025 renegotiate_packets = 0
Mon Oct 29 19:30:42 2018 us=398047 renegotiate_seconds = 0
Mon Oct 29 19:30:42 2018 us=398068 handshake_window = 60
Mon Oct 29 19:30:42 2018 us=398090 transition_window = 3600
Mon Oct 29 19:30:42 2018 us=398111 single_session = DISABLED
Mon Oct 29 19:30:42 2018 us=398133 push_peer_info = DISABLED
Mon Oct 29 19:30:42 2018 us=398154 tls_exit = DISABLED
Mon Oct 29 19:30:42 2018 us=398175 tls_auth_file = '/etc/openvpn/easy-rsa/keys/ta.key'
Mon Oct 29 19:30:42 2018 us=398196 tls_crypt_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=398218 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398239 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398261 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398282 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398303 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398325 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398346 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398367 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398389 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398410 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398432 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398453 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398474 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398502 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398524 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398546 pkcs11_protected_authentication = DISABLED
Mon Oct 29 19:30:42 2018 us=398568 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398589 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398611 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398632 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398654 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398675 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398696 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398718 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398739 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398760 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398782 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398803 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398825 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398846 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398867 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398888 pkcs11_private_mode = 00000000
Mon Oct 29 19:30:42 2018 us=398910 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=398931 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=398975 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=398997 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399018 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399040 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399061 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399082 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399103 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399124 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399145 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399167 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399188 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399209 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399230 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399251 pkcs11_cert_private = DISABLED
Mon Oct 29 19:30:42 2018 us=399279 pkcs11_pin_cache_period = -1
Mon Oct 29 19:30:42 2018 us=399301 pkcs11_id = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=399322 pkcs11_id_management = DISABLED
Mon Oct 29 19:30:42 2018 us=399345 server_network = 172.31.100.0
Mon Oct 29 19:30:42 2018 us=399369 server_netmask = 255.255.255.0
Mon Oct 29 19:30:42 2018 us=399400 server_network_ipv6 = ::
Mon Oct 29 19:30:42 2018 us=399422 server_netbits_ipv6 = 0
Mon Oct 29 19:30:42 2018 us=399445 server_bridge_ip = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=399468 server_bridge_netmask = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=399491 server_bridge_pool_start = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=399514 server_bridge_pool_end = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=399535 push_entry = 'redirect-gateway def1 bypass-dhcp'
Mon Oct 29 19:30:42 2018 us=399557 push_entry = 'dhcp-option DNS 8.8.8.8'
Mon Oct 29 19:30:42 2018 us=399578 push_entry = 'dhcp-option DNS 8.8.4.4'
Mon Oct 29 19:30:42 2018 us=399600 push_entry = 'route-gateway 172.31.100.1'
Mon Oct 29 19:30:42 2018 us=399622 push_entry = 'topology subnet'
Mon Oct 29 19:30:42 2018 us=399643 push_entry = 'ping 10'
Mon Oct 29 19:30:42 2018 us=399664 push_entry = 'ping-restart 120'
Mon Oct 29 19:30:42 2018 us=399686 ifconfig_pool_defined = ENABLED
Mon Oct 29 19:30:42 2018 us=399708 ifconfig_pool_start = 172.31.100.3
Mon Oct 29 19:30:42 2018 us=399731 ifconfig_pool_end = 172.31.100.253
Mon Oct 29 19:30:42 2018 us=399762 ifconfig_pool_netmask = 255.255.255.0
Mon Oct 29 19:30:42 2018 us=399785 ifconfig_pool_persist_filename = 'ipp.txt'
Mon Oct 29 19:30:42 2018 us=399807 ifconfig_pool_persist_refresh_freq = 600
Mon Oct 29 19:30:42 2018 us=399835 ifconfig_ipv6_pool_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=399858 ifconfig_ipv6_pool_base = ::
Mon Oct 29 19:30:42 2018 us=399880 ifconfig_ipv6_pool_netbits = 0
Mon Oct 29 19:30:42 2018 us=399902 n_bcast_buf = 256
Mon Oct 29 19:30:42 2018 us=399923 tcp_queue_limit = 64
Mon Oct 29 19:30:42 2018 us=399963 real_hash_size = 256
Mon Oct 29 19:30:42 2018 us=399987 virtual_hash_size = 256
Mon Oct 29 19:30:42 2018 us=400008 client_connect_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400030 learn_address_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400051 client_disconnect_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400073 client_config_dir = 'ccd'
Mon Oct 29 19:30:42 2018 us=400094 ccd_exclusive = DISABLED
Mon Oct 29 19:30:42 2018 us=400115 tmp_dir = '/tmp'
Mon Oct 29 19:30:42 2018 us=400137 push_ifconfig_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=400160 push_ifconfig_local = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=400184 push_ifconfig_remote_netmask = 0.0.0.0
Mon Oct 29 19:30:42 2018 us=400205 push_ifconfig_ipv6_defined = DISABLED
Mon Oct 29 19:30:42 2018 us=400228 push_ifconfig_ipv6_local = ::/0
Mon Oct 29 19:30:42 2018 us=400251 push_ifconfig_ipv6_remote = ::
Mon Oct 29 19:30:42 2018 us=400272 enable_c2c = DISABLED
Mon Oct 29 19:30:42 2018 us=400294 duplicate_cn = DISABLED
Mon Oct 29 19:30:42 2018 us=400315 cf_max = 0
Mon Oct 29 19:30:42 2018 us=400336 cf_per = 0
Mon Oct 29 19:30:42 2018 us=400358 max_clients = 5
Mon Oct 29 19:30:42 2018 us=400379 max_routes_per_client = 256
Mon Oct 29 19:30:42 2018 us=400400 auth_user_pass_verify_script = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400422 auth_user_pass_verify_script_via_file = DISABLED
Mon Oct 29 19:30:42 2018 us=400443 auth_token_generate = DISABLED
Mon Oct 29 19:30:42 2018 us=400464 auth_token_lifetime = 0
Mon Oct 29 19:30:42 2018 us=400486 port_share_host = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400507 port_share_port = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400528 client = DISABLED
Mon Oct 29 19:30:42 2018 us=400549 pull = DISABLED
Mon Oct 29 19:30:42 2018 us=400571 auth_user_pass_file = '[UNDEF]'
Mon Oct 29 19:30:42 2018 us=400600 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Mon Oct 29 19:30:42 2018 us=400642 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Mon Oct 29 19:30:42 2018 us=404086 Diffie-Hellman initialized with 2048 bit key
Mon Oct 29 19:30:42 2018 us=404694 WARNING: Failed to stat CRL file, not (re)loading CRL.
Mon Oct 29 19:30:42 2018 us=404846 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Oct 29 19:30:42 2018 us=404875 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Oct 29 19:30:42 2018 us=404915 TLS-Auth MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Oct 29 19:30:42 2018 us=405406 TUN/TAP device tun0 opened
Mon Oct 29 19:30:42 2018 us=405446 TUN/TAP TX queue length set to 100
Mon Oct 29 19:30:42 2018 us=405480 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Oct 29 19:30:42 2018 us=405513 /sbin/ip link set dev tun0 up mtu 1500
Mon Oct 29 19:30:42 2018 us=407760 /sbin/ip addr add dev tun0 172.31.100.1/24 broadcast 172.31.100.255
Mon Oct 29 19:30:42 2018 us=409801 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Mon Oct 29 19:30:42 2018 us=410424 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Oct 29 19:30:42 2018 us=410476 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Oct 29 19:30:42 2018 us=410518 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Oct 29 19:30:42 2018 us=410542 UDPv4 link remote: [AF_UNSPEC]
Mon Oct 29 19:30:42 2018 us=410573 chroot to '/home/jail' and cd to '/' succeeded
Mon Oct 29 19:30:42 2018 us=410610 GID set to nobody
Mon Oct 29 19:30:42 2018 us=410640 UID set to nobody
Mon Oct 29 19:30:42 2018 us=410684 MULTI: multi_init called, r=256 v=256
Mon Oct 29 19:30:42 2018 us=410775 IFCONFIG POOL: base=172.31.100.3 size=252, ipv6=0
Mon Oct 29 19:30:42 2018 us=410816 ifconfig_pool_read(), in='laptop,172.31.100.3', TODO: IPv6
Mon Oct 29 19:30:42 2018 us=410841 succeeded -> ifconfig_pool_set()
Mon Oct 29 19:30:42 2018 us=410866 IFCONFIG POOL LIST
Mon Oct 29 19:30:42 2018 us=410888 laptop,172.31.100.3
Mon Oct 29 19:30:42 2018 us=410999 Initialization Sequence Completed
Mon Oct 29 19:31:29 2018 us=365519 MULTI: multi_create_instance called
Mon Oct 29 19:31:29 2018 us=365642 :50432 Re-using SSL/TLS context
Mon Oct 29 19:31:29 2018 us=365675 :50432 LZO compression initializing
Mon Oct 29 19:31:29 2018 us=365922 :50432 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Oct 29 19:31:29 2018 us=365987 :50432 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Mon Oct 29 19:31:29 2018 us=366040 :50432 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Oct 29 19:31:29 2018 us=366063 :50432 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Oct 29 19:31:29 2018 us=366129 :50432 TLS: Initial packet from [AF_INET]:50432, sid=42a1ff26 7485e941
Mon Oct 29 19:31:29 2018 us=417603 :50432 WARNING: Failed to stat CRL file, not (re)loading CRL.
Mon Oct 29 19:31:29 2018 us=507857 :50432 VERIFY ERROR: CRL not loaded
Mon Oct 29 19:31:29 2018 us=508046 :50432 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Oct 29 19:31:29 2018 us=508080 :50432 TLS_ERROR: BIO read tls_read_plaintext error
Mon Oct 29 19:31:29 2018 us=508107 :50432 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 29 19:31:29 2018 us=508135 :50432 TLS Error: TLS handshake failed
Mon Oct 29 19:31:29 2018 us=508256 :50432 SIGUSR1[soft,tls-error] received, client-instance restarting


comment:11 Changed 5 years ago by port

Oh, I'm very sorry, it was my misconfiguration.
The jail folder had an incorrect owner.
After the fix everything started without errors.
Sorry I took your time.
Thank you very much for the fast response and sorry again ))

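The root cause above (the jail directory itself was not reachable by the unprivileged user) is easy to check before starting the daemon. Because OpenVPN re-reads the crl-verify file on every client connect, after it has chrooted and dropped to the "user"/"group" account, the CRL path is resolved inside the jail and every directory from the jail root down, plus the CRL file, must be accessible to that account. The script below is an added example for this ticket, not OpenVPN project code; it takes the jail directory, the CRL path relative to the jail and the user name as arguments (the /home/jail, crl.pem and nobody values come from the ticket's config) and decides from mode bits and owner/group names, so it gives the same answer whether it is run as root or not.

```shell
#!/bin/sh
# Pre-flight check for "crl-verify" under "chroot" + "user"/"group".
# Added example for this ticket, not OpenVPN project code. OpenVPN reloads the
# CRL on each client connect after chroot() and after dropping privileges, so
# the jail directory, every directory below it on the CRL path, and the CRL
# itself must be reachable by the unprivileged user. Inputs are assumptions
# passed as arguments: jail dir, CRL path relative to the jail, user name.

# Print "mode owner group" for a path; GNU stat first, BSD stat as fallback.
path_perm() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# user_has_bit PATH BIT USER: succeed if USER has permission BIT (r=4, w=2,
# x=1) on PATH under the classic owner / group / other rule. Decided from the
# mode string and names only, so the result does not depend on who runs this.
user_has_bit() {
    p="$1" bit="$2" u="$3"
    [ "$u" = root ] && return 0          # root bypasses mode bits
    set -- $(path_perm "$p")
    [ -n "$3" ] || return 1              # stat failed
    mode="$1" owner="$2" group="$3"
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    case ${#perm} in 1) perm="00$perm" ;; 2) perm="0$perm" ;; esac
    if [ "$owner" = "$u" ]; then
        digit=$(printf '%s' "$perm" | cut -c1)
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        digit=$(printf '%s' "$perm" | cut -c2)
    else
        digit=$(printf '%s' "$perm" | cut -c3)
    fi
    [ $((digit & bit)) -ne 0 ]
}

# check_crl_in_chroot JAIL CRL_RELPATH USER: walk the CRL path the way the
# kernel will after chroot(JAIL): each directory needs x, the file needs r.
check_crl_in_chroot() {
    jail="$1" rel="${2#/}" u="$3"
    if [ ! -f "$jail/$rel" ]; then
        echo "FAIL: $jail/$rel does not exist (crl-verify is resolved inside the chroot)"
        return 1
    fi
    dir="$jail"
    rest="$rel"
    while [ "$rest" != "${rest#*/}" ]; do        # while a '/' remains in rest
        user_has_bit "$dir" 1 "$u" || { echo "FAIL: $dir not searchable by $u"; return 1; }
        dir="$dir/${rest%%/*}"
        rest="${rest#*/}"
    done
    user_has_bit "$dir" 1 "$u" || { echo "FAIL: $dir not searchable by $u"; return 1; }
    user_has_bit "$dir/$rest" 4 "$u" || { echo "FAIL: $dir/$rest not readable by $u"; return 1; }
    echo "OK: $u can stat and read $rel inside $jail"
}

# Usage for the ticket's config:  check_crl_in_chroot /home/jail crl.pem nobody
```

Note that the other certificate files in the config (ca, cert, key, dh, tls-auth) are given as absolute paths and are loaded once before the chroot, which is why only the CRL fails in this setup.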

comment:12 Changed 5 years ago by Antonio Quartulli

Resolution: notabug
Status: assigned → closed

no problem! Cool that you figured this out!

I am closing the ticket

comment:13 in reply to: 12 Changed 5 years ago by port

Replying to Antonio:

no problem! Cool that you figured this out!

I am closing the ticket

Yes, close please.

Thank you one more time )
