Opened 10 years ago
Last modified 9 years ago
#532 new Feature Wish
Misleading messages when trying to connect with an expired certificate
| Reported by: | Schnouki | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.5 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
I recently tried to connect to my OpenVPN server with a client certificate that expired 2 weeks ago.
Of course it failed, but without giving any hint about what went wrong. In fact it even gave a very misleading piece of advice: "check your network connectivity".
Shortened version of the client log:
```
~ % sudo openvpn --cd /etc/openvpn --config /etc/openvpn/profile.conf -v6
[...]
Fri Mar 20 16:29:48 2015 us=912819 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Fri Mar 20 16:29:48 2015 us=912837 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.09
Fri Mar 20 16:29:48 2015 us=916928 LZO compression initialized
Fri Mar 20 16:29:48 2015 us=916959 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Fri Mar 20 16:29:48 2015 us=917049 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 20 16:29:48 2015 us=917106 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Mar 20 16:29:48 2015 us=917142 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 20 16:29:48 2015 us=917174 Local Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Mar 20 16:29:48 2015 us=917190 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Mar 20 16:29:48 2015 us=917212 Local Options hash (VER=V4): '4355902f'
Fri Mar 20 16:29:48 2015 us=917226 Expected Remote Options hash (VER=V4): 'fa437c7c'
Fri Mar 20 16:29:48 2015 us=917240 UDPv4 link local: [undef]
Fri Mar 20 16:29:48 2015 us=917250 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WRFri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
WWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRFri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=Company/OU=Tech/CN=company_CA/emailAddress=root@company.com
Fri Mar 20 16:29:49 2015 us=120396 VERIFY OK: nsCertType=SERVER
Fri Mar 20 16:29:49 2015 us=120411 VERIFY X509NAME OK: /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
WRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWFri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
Fri Mar 20 16:30:48 2015 us=999487 TCP/UDP: Closing socket
Fri Mar 20 16:30:48 2015 us=999525 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 16:30:48 2015 us=999537 Restart pause, 2 second(s)
```
The server is running OpenVPN 2.3.2 on IPFire. I don't know what's in the server logs, but IMHO such an error should be reported on the client side anyway.
Thanks,
Thomas
Change History (3)
comment:2 Changed 10 years ago by
comment:3 Changed 9 years ago by
| Priority: | major → minor |
|---|---|
| Type: | Bug / Defect → Feature Wish |
The only way this is a valid ticket is if it is a feature wish to have the server tell the client why it was rejected. I updated the ticket to a feature wish.
The server log will show it rejecting the client, and will have the reason why.
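The pattern the ticket describes is recognisable from the client log alone: the server answered the first packet and its own certificate verified (`VERIFY OK: depth=0`), and then nothing more arrived until the 60-second negotiation timeout. The following triage script is an added example, not part of the ticket or of OpenVPN itself; it reads the 2.3-style timestamped lines shown above (the constructed excerpts below copy the ticket's timestamps, with the `W`/`R` progress markers of `-v6` removed) and classifies the failure so that the operator gets a better hint than "check your network connectivity". The verdict names and hint texts are the script's own; as comment:3 says, the authoritative reason is still only in the server log.

```python
import re
from datetime import datetime

# Constructed excerpt of the client log quoted in the ticket (one message per
# line, -v6 progress markers dropped); not the reporter's raw file.
SAMPLE_LOG = """\
Fri Mar 20 16:29:48 2015 us=917250 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Fri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
Fri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=Company/OU=Tech/CN=company_CA/emailAddress=root@company.com
Fri Mar 20 16:29:49 2015 us=120396 VERIFY OK: nsCertType=SERVER
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
Fri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
"""

# Constructed counter-example: the server never answers the first packet, so
# "check your network connectivity" really is the right advice here.
SAMPLE_LOG_NO_REPLY = """\
Fri Mar 20 17:00:00 2015 us=1 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Fri Mar 20 17:01:00 2015 us=2 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 17:01:00 2015 us=3 TLS Error: TLS handshake failed
"""

# "Fri Mar 20 16:29:48 2015 us=917250 <message>" (OpenVPN 2.3 default stamp)
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ (.*)$")


def parse_line(line):
    """Return (timestamp, message) for a timestamped OpenVPN log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse a space-padded day ("Mar  2") so strptime's %d accepts it.
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)


def triage(log_text):
    """Classify a failed OpenVPN client handshake from its own log.

    Returns a dict with a 'verdict' and, where useful, a 'hint' for the operator.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]

    def first(prefix):
        return next((e for e in events if e[1].startswith(prefix)), None)

    timeout = first("TLS Error: TLS key negotiation failed to occur within")
    if timeout is None:
        return {"verdict": "no_tls_timeout"}

    # The client itself rejected the server's certificate: the reason is local.
    if first("VERIFY ERROR") is not None:
        return {"verdict": "local_verify_failed",
                "hint": "Client-side verification of the server certificate failed; "
                        "see the VERIFY ERROR line."}

    # No reply at all: the packet never reached a listening OpenVPN server
    # (or the reply was filtered), so the built-in advice applies.
    if first("TLS: Initial packet from") is None:
        return {"verdict": "no_server_response",
                "hint": "No reply from the server: check host/port, firewall, "
                        "and tls-auth key."}

    # Reply received and server cert verified, then silence until the timeout:
    # the server answered, so connectivity is fine; it stopped talking after
    # receiving the client's certificate (the ticket's expired-cert scenario).
    last_ok = None
    for ts, msg in events:
        if msg.startswith("VERIFY OK: depth=0"):
            last_ok = ts
    if last_ok is not None:
        gap = int((timeout[0] - last_ok).total_seconds())
        return {"verdict": "silent_reject_after_server_auth",
                "seconds_after_verify": gap,
                "hint": "Server reachable and its certificate verified, but no "
                        "further reply for %d s: check the client certificate's "
                        "validity period (expired/not yet valid), its CN/CRL "
                        "status, and the server log for a VERIFY ERROR." % gap}

    return {"verdict": "timeout_before_server_cert_verified",
            "hint": "Handshake started but stalled before the server certificate "
                    "was verified; check MTU/fragmentation and packet loss."}


if __name__ == "__main__":
    for name, text in (("ticket log", SAMPLE_LOG), ("no reply", SAMPLE_LOG_NO_REPLY)):
        print(name, "->", triage(text))
```

Run it on a real client log by passing the file's text to `triage()`; the `seconds_after_verify` value (59 s for the ticket's log) is the tell: a server that answered within a second and then stayed silent for a full minute is not a connectivity problem.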