Opened 5 years ago

Closed 5 years ago

#244 closed Bug / Defect (notabug)

tls handshake timeout when client cert is not yet valid

Reported by: kali
Owned by:
Priority: minor
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: client, certificate
Cc:

Description

While debugging a bug in our cert generation code, we found that the OpenVPN server gives a timeout during the TLS handshake if the client shows a cert that is not yet valid (i.e., the not_before field has not yet arrived in UTC).

It would be useful to have a more informative error message.

Sat Dec 15 03:20:15 2012 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:1194, sid=ed7cf29c 082d5d14
Sat Dec 15 03:20:18 2012 VERIFY OK: depth=1, /CN=Example_Root_CA/O=Example/OU=https://example.net
Sat Dec 15 03:20:18 2012 Validating certificate key usage
Sat Dec 15 03:20:18 2012 ++ Certificate has key usage  00a0, expects 00a0
Sat Dec 15 03:20:18 2012 VERIFY KU OK
Sat Dec 15 03:20:18 2012 Validating certificate extended key usage
Sat Dec 15 03:20:18 2012 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Dec 15 03:20:18 2012 VERIFY EKU OK
Sat Dec 15 03:20:18 2012 VERIFY OK: depth=0, /CN=vpn.example.net
Sat Dec 15 03:21:15 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Dec 15 03:21:15 2012 TLS Error: TLS handshake failed

Change History (2)

comment:1 in reply to: description Changed 5 years ago by kali

Ouch.
I would like to close this ticket since I'm not sure that's the reason for the timeouts anymore.

I will try to reopen with an attached test case.

comment:2 Changed 5 years ago by JoshC

Resolution: notabug
Status: new → closed

Closing this out as requested.

Please note that OpenVPN does not check your own certificate's validity (timeframe or proper CA signature) and only checks the incoming cert presented by the peer for correctness and a valid CA signature chain up to the provided root.
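The timeout in the description and the closing note above both come down to the same check: the server validates the peer certificate's signature chain and its validity window, and a certificate whose notBefore has not yet arrived fails that check even though its CA signature is fine (the log shows VERIFY OK for the chain before the handshake stalls). The following is an added example, not code from the ticket or from OpenVPN, written in Go against the standard crypto/x509 package. It issues a throwaway CA and a client certificate whose notBefore lies an hour in the future, runs the pre-flight window check a cert-generation pipeline should perform before handing the certificate out (producing the informative message the reporter asked for), and then runs the chain verification a TLS server performs, showing it rejecting the same certificate for a validity-window reason. The CA name Example_Root_CA is taken from the ticket's log; the client name and all function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustKey and mustCert keep the constructed PKI setup short; a real issuer returns these errors.
func mustKey(k *ecdsa.PrivateKey, err error) *ecdsa.PrivateKey {
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// issue builds a throwaway CA and a client certificate signed by it with the requested
// validity window. Everything is constructed for this example; only the CA name is from the log.
func issue(notBefore, notAfter time.Time) (ca, client *x509.Certificate) {
	caKey := mustKey(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example_Root_CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	ca = mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	clientKey := mustKey(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "client1"}, // constructed client name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client = mustCert(x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey))
	return ca, client
}

// ValidityStatus is the pre-flight check a certificate pipeline should run before handing
// a cert to a client: compare the window against the clock in UTC (the ticket's point)
// and produce the informative message the server did not.
func ValidityStatus(cert *x509.Certificate, now time.Time) (ok bool, msg string) {
	cn, nb, na := cert.Subject.CommonName, cert.NotBefore.UTC(), cert.NotAfter.UTC()
	switch {
	case now.Before(nb):
		return false, fmt.Sprintf("cert %q not yet valid: notBefore %s is %s ahead of clock %s",
			cn, nb.Format(time.RFC3339), nb.Sub(now).Round(time.Second), now.UTC().Format(time.RFC3339))
	case now.After(na):
		return false, fmt.Sprintf("cert %q expired at %s", cn, na.Format(time.RFC3339))
	}
	return true, fmt.Sprintf("cert %q valid until %s", cn, na.Format(time.RFC3339))
}

// ChainError performs the check a TLS server applies to the peer's certificate:
// signature chain up to the trusted root plus the validity window at `now`.
func ChainError(ca, client *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsTimeInvalid reports whether a Verify error is a validity-window failure. Go uses
// the single reason x509.Expired for "not yet valid" and "expired" alike.
func IsTimeInvalid(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func main() {
	now := time.Now()
	ca, client := issue(now.Add(time.Hour), now.Add(24*time.Hour)) // notBefore an hour away
	_, msg := ValidityStatus(client, now)
	fmt.Println("pre-flight:", msg)
	err := ChainError(ca, client, now)
	fmt.Println("peer verify:", err, "| validity-window failure:", IsTimeInvalid(err))
}
```

Running the window check at issuance time, and logging the UTC notBefore next to the issuing host's own clock, turns an opaque handshake timeout into an actionable message before the certificate ever reaches a client; it also exposes the usual root cause of a "not yet valid" certificate, a clock on the issuing machine that is ahead of the server's.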
