Opened 12 years ago
Closed 12 years ago
#244 closed Bug / Defect (notabug)
tls handshake timeout when client cert is not yet valid
Reported by: | kali | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.2.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | client, certificate |
Cc: | | | |
Description
While debugging a bug in our cert generation code, we found that the OpenVPN server gives a timeout during the TLS handshake if the client shows a cert that is not yet valid (i.e., the not_before field has not yet arrived in UTC).
It would be useful to have a more informative error message.
```
Sat Dec 15 03:20:15 2012 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:1194, sid=ed7cf29c 082d5d14
Sat Dec 15 03:20:18 2012 VERIFY OK: depth=1, /CN=Example_Root_CA/O=Example/OU=https://example.net
Sat Dec 15 03:20:18 2012 Validating certificate key usage
Sat Dec 15 03:20:18 2012 ++ Certificate has key usage 00a0, expects 00a0
Sat Dec 15 03:20:18 2012 VERIFY KU OK
Sat Dec 15 03:20:18 2012 Validating certificate extended key usage
Sat Dec 15 03:20:18 2012 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Dec 15 03:20:18 2012 VERIFY EKU OK
Sat Dec 15 03:20:18 2012 VERIFY OK: depth=0, /CN=vpn.example.net
Sat Dec 15 03:21:15 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Dec 15 03:21:15 2012 TLS Error: TLS handshake failed
```
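Before attributing a "TLS key negotiation failed to occur within 60 seconds" error to the network, an operator can compare the certificate's validity window with the current UTC time, which is the check the ticket describes as missing. The following is an added example, not code from the ticket or from the OpenVPN project; it uses only the Python standard library, and the file helper assumes an `openssl` binary on PATH and a PEM-encoded certificate.

```python
"""Check a certificate's validity window against the clock, in UTC.

Reads the text that `openssl x509 -noout -dates -in <cert>` prints and
reports whether the certificate is not yet valid, expired or valid at a
given instant.  All times are handled as epoch seconds in UTC, so the
comparison does not depend on the local timezone of the log lines.
"""
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample: output of `openssl x509 -noout -dates` for a client
# certificate whose notBefore lies after the handshake shown in the ticket.
SAMPLE_DATES = """notBefore=Dec 16 00:00:00 2012 GMT
notAfter=Dec 16 00:00:00 2013 GMT
"""

# Constructed: the handshake instant from the ticket's log, assumed to be UTC.
HANDSHAKE_NOW = ssl.cert_time_to_seconds("Dec 15 03:20:15 2012 GMT")


def parse_openssl_dates(text):
    """Return (not_before, not_after) as epoch seconds, interpreted as UTC."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands OpenSSL's "... GMT" format.
            fields[key] = ssl.cert_time_to_seconds(value.strip())
    return fields["notBefore"], fields["notAfter"]


def validity_status(not_before, not_after, now, skew=0):
    """Classify `now` (epoch UTC) against the window; `skew` (seconds)
    widens the window to tolerate small clock differences between peers."""
    if now + skew < not_before:
        return "not_yet_valid"   # the ticket's case: notBefore is in the future
    if now - skew > not_after:
        return "expired"
    return "valid"


def check_cert_file(path, now=None, skew=0):
    """Run openssl on a PEM file and classify it at `now` (default: current time)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return validity_status(*parse_openssl_dates(out), now, skew)
```

Since, as comment 2 notes, OpenVPN does not check its own certificate's timeframe, the same check is worth running on the server's certificate as well as the client's.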
Change History (2)
comment:1 Changed 12 years ago by
Ouch.
I would like to close this ticket since I'm not sure that's the reason for the timeouts anymore.
I will try to reopen with an attached test case.
comment:2 Changed 12 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
Closing this out as requested.
Please note that OpenVPN does not check your own certificate's validity (timeframe or proper CA signature) and only checks the incoming cert presented by the peer for correctness and a valid CA signature chain up to the provided root.