Ticket #532: Misleading messages when trying to connect with an expired certificate

Reporter: Schnouki
Type: Feature Wish
Status: new
Priority: minor
Component: Generic / unclassified
Version: OpenVPN 2.3.5 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)

Description:

I recently tried to connect to my OpenVPN server with a client certificate that expired 2 weeks ago. Of course it failed, but without giving any hint about what went wrong. In fact it even gave a very misleading piece of advice: "check your network connectivity".

Shortened version of the client log:

{{{
~ % sudo openvpn --cd /etc/openvpn --config /etc/openvpn/profile.conf -v6
[...]
Fri Mar 20 16:29:48 2015 us=912819 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Fri Mar 20 16:29:48 2015 us=912837 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.09
Fri Mar 20 16:29:48 2015 us=916928 LZO compression initialized
Fri Mar 20 16:29:48 2015 us=916959 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Fri Mar 20 16:29:48 2015 us=917049 Control Channel MTU parms [ L:1458 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 20 16:29:48 2015 us=917106 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Mar 20 16:29:48 2015 us=917142 Data Channel MTU parms [ L:1458 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 20 16:29:48 2015 us=917174 Local Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Mar 20 16:29:48 2015 us=917190 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Mar 20 16:29:48 2015 us=917212 Local Options hash (VER=V4): '4355902f'
Fri Mar 20 16:29:48 2015 us=917226 Expected Remote Options hash (VER=V4): 'fa437c7c'
Fri Mar 20 16:29:48 2015 us=917240 UDPv4 link local: [undef]
Fri Mar 20 16:29:48 2015 us=917250 UDPv4 link remote: [AF_INET]1.2.3.4:1194
WRFri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
WWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRFri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=Company/OU=Tech/CN=company_CA/emailAddress=root@company.com
Fri Mar 20 16:29:49 2015 us=120396 VERIFY OK: nsCertType=SERVER
Fri Mar 20 16:29:49 2015 us=120411 VERIFY X509NAME OK: /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
WRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWFri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
Fri Mar 20 16:30:48 2015 us=999487 TCP/UDP: Closing socket
Fri Mar 20 16:30:48 2015 us=999525 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 16:30:48 2015 us=999537 Restart pause, 2 second(s)
}}}

The server is running OpenVPN 2.3.2 on IPFire. I don't know what's in the server logs, but IMHO such an error should be reported on the client side anyway.

Thanks,
Thomas
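An added triage example, not part of the ticket or of OpenVPN itself: the log above shows the server's certificate verifying (VERIFY OK: depth=0) before the 60-second timeout, so packets already flowed both ways and the "check your network connectivity" hint does not fit. The script below encodes that reasoning over the ticket's own log lines; the function names and category labels are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the client log quoted in this ticket.
SAMPLE_LOG = """\
Fri Mar 20 16:29:48 2015 us=936285 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=57104f20 f5298bc8
Fri Mar 20 16:29:49 2015 us=120245 VERIFY OK: depth=1, /C=FR/ST=Region/L=City/O=Company/OU=Tech/CN=company_CA/emailAddress=root@company.com
Fri Mar 20 16:29:49 2015 us=120419 VERIFY OK: depth=0, /C=FR/ST=Region/O=company/OU=Tech/CN=1.2.3.4
Fri Mar 20 16:30:48 2015 us=999245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 16:30:48 2015 us=999283 TLS Error: TLS handshake failed
"""

# "Fri Mar 20 16:29:48 2015 us=936285 <message>"; the R/W markers that
# --verb 6 prints in front of a line are swallowed by the leading [RW]* group.
LINE = re.compile(r"^[RW]*(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) us=(\d+) (.*)$")


def parse_log(text):
    """Return a list of (timestamp, message) for every parseable log line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        events.append((ts + timedelta(microseconds=int(m.group(2))), m.group(3)))
    return events


def triage_handshake(text):
    """Classify a failed TLS handshake from the client's side.

    Returns (category, seconds between first server packet and the timeout).
    If 'VERIFY OK: depth=0' was logged, the server answered and its chain
    verified, so a later timeout means the server rejected our side (for
    example an expired client certificate); only the server log says why.
    """
    events = parse_log(text)
    first = next((t for t, m in events if m.startswith("TLS: Initial packet from")), None)
    timeout = next((t for t, m in events if "TLS key negotiation failed to occur" in m), None)
    server_ok = any(m.startswith("VERIFY OK: depth=0") for _, m in events)
    if timeout is None:
        return "no-timeout", 0.0
    if first is None:
        return "no-reply-from-server", 0.0        # nothing came back: connectivity is plausible
    elapsed = (timeout - first).total_seconds()
    if server_ok:
        return "server-rejected-client", elapsed  # check client cert validity and the server log
    return "server-chain-not-verified", elapsed   # CA / cert problem on the server side
```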