Opened 6 years ago

Last modified 5 years ago

#532 new Feature Wish

Misleading messages when trying to connect with an expired certificate

Reported by: Schnouki
Owned by:
Priority: minor
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.3.5 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

I recently tried to connect to my OpenVPN server with a client certificate that expired 2 weeks ago.

Of course it failed, but without giving any hint about what went wrong. In fact it even gave a very misleading piece of advice: "check your network connectivity".

Shortened version of the client log:

~ % sudo openvpn --cd /etc/openvpn --config /etc/openvpn/profile.conf -v6
[...]
Fri Mar 20 16:29:48 2015 us=912819 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Fri Mar 20 16:29:48 2015 us=912837 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.09
Fri Mar 20 16:29:48 2015 us=916928 LZO compression initialized
Fri Mar 20 16:29:48 2015 us=916959 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Fri Mar 20 16:29:48 2015 us=917049 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 20 16:29:48 2015 us=917106 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Mar 20 16:29:48 2015 us=917142 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 20 16:29:48 2015 us=917174 Local Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Mar 20 16:29:48 2015 us=917190 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Mar 20 16:29:48 2015 us=917212 Local Options hash (VER=V4): '4355902f'
Fri Mar 20 16:29:48 2015 us=917226 Expected Remote Options hash (VER=V4): 'fa437c7c'
Fri Mar 20 16:29:48 2015 us=917240 UDPv4 link local: [undef]
Fri Mar 20 16:29:48 2015 us=917250 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WRFri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
WWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRFri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=Company/OU=Tech/CN=company_CA/emailAddress=root@company.com
Fri Mar 20 16:29:49 2015 us=120396 VERIFY OK: nsCertType=SERVER
Fri Mar 20 16:29:49 2015 us=120411 VERIFY X509NAME OK: /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
WRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWFri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
Fri Mar 20 16:30:48 2015 us=999487 TCP/UDP: Closing socket
Fri Mar 20 16:30:48 2015 us=999525 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 16:30:48 2015 us=999537 Restart pause, 2 second(s)

The server is running OpenVPN 2.3.2 on IPFire. I don't know what's in the server logs, but IMHO such an error should be reported on the client side anyway.

Thanks,
Thomas
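As an added triage example (not part of the ticket, and not OpenVPN code): a small Python classifier that reads a client log like the one above and separates "the server never answered" from "the server answered and its certificate verified, yet the negotiation still timed out". The second pattern is what the log above shows, and it is why "check your network connectivity" is misleading here: connectivity was fine, and the cause is on the server side (in this ticket, an expired client certificate). The sample log is a constructed excerpt modelled on the one in the ticket.

```python
import re

# Constructed excerpt modelled on the -v6 client log in the ticket. The leading
# R/W runs are OpenVPN's read/write activity markers, not part of the message.
SAMPLE_LOG = """\
Fri Mar 20 16:29:48 2015 us=917250 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WRFri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
WRWRFri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/O=Company/CN=company_CA
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/O=company/CN=1.2.3.4
WRWWWWFri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
"""

# Skip the R/W markers and the timestamp; capture only the message text.
_MSG = re.compile(r"^[RW]*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) .*? us=\d+ (.*)$")


def messages(log: str):
    """Yield the message part of every timestamped line in an OpenVPN log."""
    for raw in log.splitlines():
        m = _MSG.match(raw)
        if m:
            yield m.group(1)


def diagnose(log: str) -> str:
    """Classify the outcome of an OpenVPN client connection attempt.

    connected           handshake finished
    no-server-reply     no TLS packet ever came back: network, port or firewall
    server-cert-failed  the server replied but its certificate did not verify
    likely-rejected     the server replied and its certificate verified, yet the
                        negotiation timed out: connectivity is fine, so the server
                        most likely refused the client (e.g. an expired client
                        certificate) and the reason is in the server log
    """
    got_reply = server_ok = server_bad = timed_out = False
    for msg in messages(log):
        if msg.startswith("Initialization Sequence Completed"):
            return "connected"
        got_reply |= msg.startswith("TLS: Initial packet from")
        server_ok |= msg.startswith("VERIFY OK: depth=0")
        server_bad |= msg.startswith("VERIFY ERROR")
        timed_out |= "TLS key negotiation failed to occur" in msg
    if server_bad:
        return "server-cert-failed"
    if timed_out and got_reply and server_ok:
        return "likely-rejected"
    if timed_out and not got_reply:
        return "no-server-reply"
    return "unknown"
```

Run `diagnose(SAMPLE_LOG)` on the excerpt above and it returns `likely-rejected`, pointing the operator at the server log rather than at the network.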

Change History (3)

comment:1 Changed 6 years ago by krzee king

Last edited 6 years ago by krzee king

comment:2 Changed 6 years ago by krzee king

The server log will show it rejecting the client, and will have the reason why.

comment:3 Changed 5 years ago by krzee king

Priority: major → minor
Type: Bug / Defect → Feature Wish

The only way this is a valid ticket is if it is a feature wish to have the server tell the client why it was rejected. I updated the ticket to a feature wish.
