Opened 8 months ago

Last modified 2 months ago

#1299 assigned Bug / Defect

Android and iOS clients are not sending user cert chain

Reported by: mitch-geht-ab
Owned by: denys
Priority: critical
Milestone:
Component: OpenVPN Connect
Version: OpenVPN Connect for Android
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Hi,

I'm using OVPN on my Samsung S8, Android 9, OpenVPN Connect ver. 3.2.2 (5027).
Today I noticed that I can't connect to my OVPN server (2.4.7).

Message on server side:

Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS: Initial packet from [AF_INET]192.168.2.61:56866 (via [AF_INET]192.168.2.254%br1), sid=f48ece9a bc988215
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=DE, O=xxxxxx, CN=thomas
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS_ERROR: BIO read tls_read_plaintext error
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS Error: TLS object -> incoming plaintext read error
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 TLS Error: TLS handshake failed
Jul  5 22:07:37 orion ovpn-road-server[4311]: 192.168.2.61:56866 SIGUSR1[soft,tls-error] received, client-instance restarting

Same with both the iOS and Android clients.
It was working a few weeks ago.
With my Windows client (Win10, OpenVPN binary 2.4.6), the same client .ovpn config is working.

The server config's "ca" points to the root-CA cert file.

In my client config I use embedded <ca> and <cert> sections.

The <ca> section contains the root CA.
The <cert> section contains the client cert + intermediate CA.

As mentioned above, the same config file is working on Win10 but isn't working on iOS and Android.

After switching on the server side from root CA only to the CA chain (signing + root), it works.
I think there was an update on the Android and iOS side and the mobile clients aren't sending the full user chain now.

BR
Mitch

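The failure in the server log, reproduced with a throwaway three-level PKI. This is an added example, not code from the ticket, the reporter or the OpenVPN project. A server whose "ca" holds only the root, checking a leaf that arrives without its intermediate, gets exactly "unable to get local issuer certificate" at depth 0. Passing the intermediate as -untrusted models a client that forwards the extra certificate from its <cert> block (the Windows case); the concatenated root + intermediate CAfile is the server-side workaround from the last paragraph of the report. It assumes a POSIX shell and an openssl binary (1.1.1 or newer) on PATH; every name, subject and file below is made up.

```shell
#!/bin/sh
# Added example, not part of the ticket or of OpenVPN: reproduce the
# "unable to get local issuer certificate" failure from the server log with a
# throwaway three-level PKI, then show the two ways the leaf verifies.
# Assumes: POSIX sh, openssl 1.1.1+ on PATH. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a DN section (overridden by -subj) and two extension
# profiles, one for CAs and one for a client leaf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# build_pki DIR: root CA -> intermediate (signing) CA -> client leaf "thomas",
# plus chain.crt = root + intermediate, i.e. the ca-chain the reporter switched to.
build_pki() {
    dir=$1
    cfg=$dir/pki.cnf
    for name in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    done
    openssl req -x509 -new -config "$cfg" -key "$dir/root.key" -out "$dir/root.crt" \
        -subj "/C=DE/O=example/CN=example-root-ca" -days 30 -extensions v3_ca
    openssl req -new -config "$cfg" -key "$dir/int.key" -out "$dir/int.csr" \
        -subj "/C=DE/O=example/CN=example-signing-ca"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.crt" -days 30 -extfile "$cfg" -extensions v3_ca
    openssl req -new -config "$cfg" -key "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/C=DE/O=example/CN=thomas"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.crt" -days 30 -extfile "$cfg" -extensions v3_client
    cat "$dir/root.crt" "$dir/int.crt" > "$dir/chain.crt"
}

# handshake_outcome CAFILE LEAF [UNTRUSTED]
# Models the server's client-cert check: CAFILE is what the server's "ca"
# option loads, LEAF is the certificate the client presents, UNTRUSTED (if
# given) is an extra certificate the client sent along that the server does
# not trust on its own. Echoes "accepted" or "rejected: <openssl reason>".
handshake_outcome() {
    cafile=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        set -- -untrusted "$untrusted"
    else
        set --
    fi
    if out=$(openssl verify -purpose sslclient -CAfile "$cafile" "$@" "$leaf" 2>&1); then
        echo accepted
    else
        reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' | head -n 1)
        echo "rejected: ${reason:-$out}"
    fi
}

build_pki "$WORK" >/dev/null 2>&1

# 1. Server "ca" = root only, client presents only its leaf (the mobile clients):
echo "root-only ca, leaf alone:        $(handshake_outcome "$WORK/root.crt" "$WORK/leaf.crt")"
# 2. Same server, client also forwards the intermediate (the Windows client):
echo "root-only ca, leaf+intermediate: $(handshake_outcome "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/int.crt")"
# 3. Server "ca" = root + intermediate, leaf alone (the reporter's workaround):
echo "chain ca, leaf alone:            $(handshake_outcome "$WORK/chain.crt" "$WORK/leaf.crt")"
```

Case 1 is the server log above; case 2 is why the same .ovpn works from Windows; case 3 is the workaround. Note the trade-off in case 3: once the intermediate is in the server's "ca" file it is a trust anchor in its own right, which is fine for a signing CA you run yourself, but it also means the server no longer needs the client to carry the chain, so the client-side behaviour that the ticket reports is masked rather than fixed.
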
Change History (2)

comment:1 Changed 6 months ago by Gert Döring

Component: Certificates → OpenVPN Connect
Owner: set to yuriy
Version: OpenVPN Connect for Android

comment:2 Changed 2 months ago by Gert Döring

Owner: changed from yuriy to denys
Status: new → assigned