Opened 6 years ago
Closed 6 years ago
#414 closed Bug / Defect (notabug)
TLS_ERROR, VERIFY ERROR: depth=0, error=unhandled critical extension: C=RU,....
| Reported by: | sergey-x | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | release 2.3.4 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.4 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Hello!
this situation occurs and the error can not establish a connection because of errors in software (openvpn)
logs from the server and the client below.
certificates themselves as well that I use:
in the archive at the link below:
allservice.pro/vpn/cer.7z
password for the archive: openvpn2014
Possible to correct the error and make possible the successful authorization and connection?
Just could not tell you the full list of key parameters openssl.cnf
extendedKeyUsage = critical, clientAuth???
and send to my mail sergey-x@…
I hope for a speedy solution problemmy all contacts via email
with respect Sergey
I forgot!
still have the same problems with the GUI
after installation
program because nezapuskaetsya entangled paths
files are in the program files, GUI requires them in C \ opneVPN,
and vice versa files are installed in C \ opneVPN and running the GUI requires them in a program files,???
also requested the opportunity to realize and correct display a dialog box
with access to the key server.key and tslient.key Encrypted to protect the key .
as well as to call for a token pin code Rutoken
if the private key to be Rutoken .
I hope for a speedy solution and any identified errors in software (opnenVPN)
Log server:
Sun Aug 10 23:37:15 2008 IFCONFIG POOL: base=10.10.10.2 size=253, ipv6=0
Sun Aug 10 23:37:15 2008 MULTI: TCP INIT maxclients=60 maxevents=64
Sun Aug 10 23:37:15 2008 Initialization Sequence Completed
Sun Aug 10 23:38:08 2008 TCP connection established with [AF_INET]*:64899
Sun Aug 10 23:38:08 2008 *:64899 TLS: Initial packet from [AF_INET]:64899, sid=446c80f5 13612fd7
Sun Aug 10 23:38:12 2008 :64899 Connection reset, restarting [-1]
Sun Aug 10 23:38:12 2008 :64899 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sun Aug 10 23:38:17 2008 TCP connection established with [AF_INET]:13391
Sun Aug 10 23:38:17 2008 :13391 TLS: Initial packet from [AF_INET]:13391, sid=6eeeb1af a398df54
Sun Aug 10 23:38:21 2008 :13391 Connection reset, restarting [0]
Sun Aug 10 23:38:21 2008 :13391 SIGUSR1[soft,connection-reset] received, client-instance restarting
log Client:
Wed Jun 04 13:57:58 2014 Restart pause, 5 second(s)
Wed Jun 04 13:58:03 2014 Control Channel Authentication: using 'C:\OpenVPN\ssl\ta.key' as a OpenVPN static key file
Wed Jun 04 13:58:03 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 04 13:58:03 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 04 13:58:03 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 04 13:58:03 2014 Attempting to establish TCP connection with [AF_INET]:77
Wed Jun 04 13:58:03 2014 TCP connection established with [AF_INET]:77
Wed Jun 04 13:58:03 2014 TCPv4_CLIENT link local: [undef]
Wed Jun 04 13:58:03 2014 TCPv4_CLIENT link remote: [AF_INET]:77
Wed Jun 04 13:58:03 2014 TLS: Initial packet from [AF_INET]:77, sid=72b1fa2a 709e05d9
Wed Jun 04 13:58:04 2014 VERIFY ERROR: depth=0, error=unhandled critical extension: C=RU, ST=Murmansk Oblast, L=Murmansk, O=individual person, OU=IT, CN=allservice.pro, emailAddress=sergey-x@…, name=A, SN=Kh, GN=Sergey, title=The identification authenticity of the server VPN allservice.pro
Wed Jun 04 13:58:04 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Jun 04 13:58:04 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 04 13:58:04 2014 TLS Error: TLS handshake failed
Wed Jun 04 13:58:04 2014 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 04 13:58:04 2014 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 04 13:58:04 2014 Restart pause, 5 second(s)
Attachments (2)
Change History (3)
Changed 6 years ago by
Changed 6 years ago by
comment:1 Changed 6 years ago by
| Priority: | critical → minor |
|---|---|
| Resolution: | → notabug |
| Status: | new → closed |
Hi,
This does not seem to be a bug, but a configuration problem.
Your CA has a lot of extensions marked as critical:
X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Certificate Sign, CRL Sign Netscape Cert Type: critical SSL CA, S/MIME CA Netscape Comment: critical statement of personal data: registration number: 51-13-000036, date of the statement in the register: 10.01.2013 Netscape CA Revocation Url: critical https://allservice.pro/ca-crl.crl Netscape Base Url: critical https://allservice.pro/certificates/ Netscape Revocation Url: critical https://allservice.pro/cancelled_certificates/ Netscape CA Policy Url: critical https://allservice.pro/ca_policy/ Netscape SSL Server Name: critical https://allservice.pro/OpenVPN won't accept a certificate if it doesn't know how to handle a critical extension.
Since this is a configuration problem, and not a bug, I'm closing the issue. If you need more help, please use the forums, #openvpn on freenode, or the openvpn-users mailinglist.