Opened 6 years ago

Closed 6 years ago

#414 closed Bug / Defect (notabug)

TLS_ERROR, VERIFY ERROR: depth=0, error=unhandled critical extension: C=RU,....

Reported by: sergey-x
Owned by:
Priority: minor
Milestone: release 2.3.4
Component: Generic / unclassified
Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Hello!
This situation occurs, and because of the error a connection cannot be established, due to errors in the software (OpenVPN).
Logs from the server and the client are below.

The certificates themselves that I use are in the archive at the link below:

allservice.pro/vpn/cer.7z

password for the archive: openvpn2014
Is it possible to correct the error and make successful authorization and connection possible?

Could you just tell me the full list of key parameters for openssl.cnf
(extendedKeyUsage = critical, clientAuth???)
and send them to my mail sergey-x@…

I hope for a speedy solution to the problem; all contacts via email.
With respect, Sergey


I forgot!
I still have the same problems with the GUI after installation:
the program does not start because of mixed-up paths.
The files are in Program Files, but the GUI requires them in C:\OpenVPN,
and vice versa: the files are installed in C:\OpenVPN and the GUI, when run, requires them in Program Files???

I also ask for the opportunity to implement and correctly display a dialog box
for access to the encrypted server.key and tslient.key, to protect the key.

As well as to prompt for a Rutoken PIN code
if the private key is on a Rutoken.

I hope for a speedy solution to any identified errors in the software (OpenVPN).


Log server:
Sun Aug 10 23:37:15 2008 IFCONFIG POOL: base=10.10.10.2 size=253, ipv6=0
Sun Aug 10 23:37:15 2008 MULTI: TCP INIT maxclients=60 maxevents=64
Sun Aug 10 23:37:15 2008 Initialization Sequence Completed
Sun Aug 10 23:38:08 2008 TCP connection established with [AF_INET]*:64899
Sun Aug 10 23:38:08 2008 *:64899 TLS: Initial packet from [AF_INET]:64899, sid=446c80f5 13612fd7
Sun Aug 10 23:38:12 2008 :64899 Connection reset, restarting [-1]
Sun Aug 10 23:38:12 2008 :64899 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sun Aug 10 23:38:17 2008 TCP connection established with [AF_INET]:13391
Sun Aug 10 23:38:17 2008 :13391 TLS: Initial packet from [AF_INET]:13391, sid=6eeeb1af a398df54
Sun Aug 10 23:38:21 2008 :13391 Connection reset, restarting [0]
Sun Aug 10 23:38:21 2008 :13391 SIGUSR1[soft,connection-reset] received, client-instance restarting


log Client:
Wed Jun 04 13:57:58 2014 Restart pause, 5 second(s)
Wed Jun 04 13:58:03 2014 Control Channel Authentication: using 'C:\OpenVPN\ssl\ta.key' as a OpenVPN static key file
Wed Jun 04 13:58:03 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 04 13:58:03 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 04 13:58:03 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 04 13:58:03 2014 Attempting to establish TCP connection with [AF_INET]:77
Wed Jun 04 13:58:03 2014 TCP connection established with [AF_INET]:77
Wed Jun 04 13:58:03 2014 TCPv4_CLIENT link local: [undef]
Wed Jun 04 13:58:03 2014 TCPv4_CLIENT link remote: [AF_INET]:77
Wed Jun 04 13:58:03 2014 TLS: Initial packet from [AF_INET]:77, sid=72b1fa2a 709e05d9
Wed Jun 04 13:58:04 2014 VERIFY ERROR: depth=0, error=unhandled critical extension: C=RU, ST=Murmansk Oblast, L=Murmansk, O=individual person, OU=IT, CN=allservice.pro, emailAddress=sergey-x@…, name=A, SN=Kh, GN=Sergey, title=The identification authenticity of the server VPN allservice.pro
Wed Jun 04 13:58:04 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Jun 04 13:58:04 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 04 13:58:04 2014 TLS Error: TLS handshake failed
Wed Jun 04 13:58:04 2014 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 04 13:58:04 2014 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 04 13:58:04 2014 Restart pause, 5 second(s)


Attachments (2)

cer.7z (7.0 KB) - added by sergey-x 6 years ago.
cer.zip (9.5 KB) - added by sergey-x 6 years ago.


Change History (3)

Changed 6 years ago by sergey-x

Attachment: cer.7z added

Changed 6 years ago by sergey-x

Attachment: cer.zip added

comment:1 Changed 6 years ago by Steffan Karger

Priority: critical → minor
Resolution: notabug
Status: new → closed

Hi,

This does not seem to be a bug, but a configuration problem.

Your CA has a lot of extensions marked as critical:

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            Netscape Cert Type: critical
                SSL CA, S/MIME CA
            Netscape Comment: critical
                statement of personal data: registration number: 51-13-000036, date of the statement in the register: 10.01.2013
            Netscape CA Revocation Url: critical
                https://allservice.pro/ca-crl.crl
            Netscape Base Url: critical
                https://allservice.pro/certificates/
            Netscape Revocation Url: critical
                https://allservice.pro/cancelled_certificates/
            Netscape CA Policy Url: critical
                https://allservice.pro/ca_policy/
            Netscape SSL Server Name: critical
                https://allservice.pro/

OpenVPN won't accept a certificate if it doesn't know how to handle a critical extension.

Since this is a configuration problem, and not a bug, I'm closing the issue. If you need more help, please use the forums, #openvpn on freenode, or the openvpn-users mailing list.
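
To make the rejection Steffan describes concrete, here is an added example (editor-supplied; not part of the ticket, the reporter's files or OpenVPN itself). It is stdlib-only Python that walks a DER certificate to its X.509v3 extensions, reads each extension's critical flag, and lists the critical ones that OpenSSL's X509_supported_extension() does not handle, which is the set that yields X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION and therefore the "unhandled critical extension" line and the TLS_ERROR in the client log. Two things are assumptions: the supported-OID set is transcribed from memory of OpenSSL 1.0.x's crypto/x509v3/v3_purp.c (check it against the build your OpenVPN links), and the sample certificate is a constructed skeleton carrying the same nine extensions as the CA dump above, with the URL values copied from it and the comment text shortened; it is not the reporter's CA and not a loadable certificate.

```python
"""Report critical X.509v3 extensions that OpenSSL's verifier will not accept (stdlib only).
RFC 5280 s4.2 requires rejecting a certificate with an unrecognised critical extension; OpenSSL
signals that as X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, OpenVPN's "unhandled critical extension"."""

# OIDs OpenSSL 1.0.x permits to be critical: X509_supported_extension() in crypto/x509v3/v3_purp.c
# (transcribed from memory; confirm against the OpenSSL build your OpenVPN links against).
SUPPORTED_CRITICAL = {
    "2.5.29.15", "2.5.29.17", "2.5.29.19",  # keyUsage, subjectAltName, basicConstraints
    "2.5.29.30", "2.5.29.32", "2.5.29.33",  # nameConstraints, certificatePolicies, policyMappings
    "2.5.29.36", "2.5.29.37", "2.5.29.54",  # policyConstraints, extendedKeyUsage, inhibitAnyPolicy
    "1.3.6.1.5.5.7.1.14", "2.16.840.1.113730.1.1",  # proxyCertInfo, nsCertType (the only Netscape one)
}
NS = "2.16.840.1.113730.1."  # netscape-cert-extension arc
NAMES = {NS + "1": "nsCertType", NS + "2": "nsBaseUrl", NS + "3": "nsRevocationUrl",
         NS + "4": "nsCaRevocationUrl", NS + "8": "nsCaPolicyUrl", NS + "12": "nsSslServerName",
         NS + "13": "nsComment", "2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}

def _tlv(tag, value):
    """DER TLV; length in short form below 128 bytes, long form otherwise."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):  # every TLV directly inside a constructed value
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:  # remaining arcs base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0  # valid for first arc 0..2 with second arc < 40
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = _tlv(0x06, _encode_oid(oid)) + (_tlv(0x01, b"\xff") if critical else b"")  # DER omits FALSE
    return _tlv(0x30, body + _tlv(0x04, value))

def parse_extensions(exts_der):
    """[(dotted_oid, critical)] for a DER Extensions SEQUENCE."""
    _, seq, _ = _read_tlv(exts_der, 0)
    result = []
    for _, ext in _children(seq):
        fields = list(_children(ext))  # OID, optional BOOLEAN, OCTET STRING
        critical = len(fields) == 3 and fields[1][0] == 0x01 and fields[1][1] == b"\xff"
        result.append((_decode_oid(fields[0][1]), critical))
    return result

def find_extensions(cert_der):
    """Certificate -> TBSCertificate -> [3] EXPLICIT Extensions; None for a v1 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    return next((v for t, v in _children(tbs) if t == 0xA3), None)

def unhandled_critical(cert_der):
    """Names of the critical extensions for which OpenSSL would reject the certificate."""
    exts = find_extensions(cert_der)
    return [NAMES.get(o, o) for o, c in parse_extensions(exts) if c and o not in SUPPORTED_CRITICAL] if exts else []

def build_sample_cert(extensions):
    """Constructed skeleton: version and [3] Extensions only, no issuer, key or signature."""
    exts = _tlv(0x30, b"".join(encode_extension(*e) for e in extensions))
    return _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0xA3, exts)))

# The nine extensions of the ticket's CA, every one flagged critical (values constructed here).
TICKET_CA = [
    ("2.5.29.19", True, _tlv(0x30, _tlv(0x01, b"\xff"))),  # basicConstraints CA:TRUE
    ("2.5.29.15", True, _tlv(0x03, b"\x01\xc6")),  # keyUsage: digSig, nonRep, keyCertSign, cRLSign
    (NS + "1", True, _tlv(0x03, b"\x01\x06")),  # nsCertType: SSL CA, S/MIME CA
] + [(NS + n, True, _tlv(0x16, v.encode())) for n, v in (  # the rest carry IA5String text
    ("13", "statement of personal data"), ("4", "https://allservice.pro/ca-crl.crl"),
    ("2", "https://allservice.pro/certificates/"), ("3", "https://allservice.pro/cancelled_certificates/"),
    ("8", "https://allservice.pro/ca_policy/"), ("12", "https://allservice.pro/"))]
# The fix: basicConstraints and keyUsage stay critical (normal for a CA), every Netscape
# extension becomes non-critical, i.e. drop "critical," from those openssl.cnf lines.
FIXED_CA = [(oid, oid in ("2.5.29.19", "2.5.29.15"), val) for oid, _, val in TICKET_CA]

if __name__ == "__main__":
    for label, exts in (("ticket CA", TICKET_CA), ("fixed CA", FIXED_CA)):
        print(f"{label}: {unhandled_critical(build_sample_cert(exts)) or 'no unhandled critical extensions'}")
```

Run as a script it reports the ticket CA as rejectable for nsComment, nsCaRevocationUrl, nsBaseUrl, nsRevocationUrl, nsCaPolicyUrl and nsSslServerName, while basicConstraints, keyUsage and nsCertType are allowed to be critical, and the fixed variant as clean. The same walker works on a real certificate: feed it the bytes of `openssl x509 -in ca.crt -outform DER`. In openssl.cnf terms the fix is to remove the `critical,` prefix from the nsComment, nsBaseUrl, nsRevocationUrl, nsCaRevocationUrl, nsCaPolicyUrl and nsSslServerName lines in the CA's extension section and reissue the CA (and any certificates signed with the same template). Because RFC 5280 obliges a relying party to reject an unrecognised critical extension, this is OpenVPN behaving correctly rather than a defect.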
