Opened 8 years ago
Closed 7 years ago
#742 closed Bug / Defect (fixed)
Windows client self-signed sha256 certificate verify failed
| Reported by: | vitaliy69 | Owned by: | Samuli Seppänen |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.3.14 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.12 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
I generate certificates for OpenVPN server manually using this https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto instruction with vars file (https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example). Use SHA256 algorithm.
Install them, server successfully restarted.
However, Windows client cannot connect to server:
Wed Sep 28 12:41:46 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Wed Sep 28 12:41:46 2016 Windows version 6.1 (Windows 7) 64bit
Wed Sep 28 12:41:46 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Wed Sep 28 12:41:47 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:47 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:49 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:49 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:49 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:49 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:49 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:51 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:51 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:51 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:51 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:51 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:51 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:51 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:51 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:52 2016 SIGTERM[hard,init_instance] received, process exiting
With SHA1 certificates no any problems.
SHA256 certificates works fine under Linux OS.
OpenVPN server from Asus Merlin firmware, client configuration:
client
dev tun
proto udp
remote somehost.asuscomm.com 1194
float
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
resolv-retry infinite
nobind
Change History (7)
comment:1 Changed 8 years ago by
| Cc: | Samuli Seppänen added |
|---|
comment:2 Changed 8 years ago by
Linux client version: OpenSSL 1.0.2j-fips 26 Sep 2016
Linux server version (on router): OpenSSL 1.0.2j 26 Sep 2016
comment:3 Changed 7 years ago by
| Milestone: | → release 2.3.14 |
|---|---|
| Version: | 2.2.2 → 2.3.12 |
@mattock: can we manage OpenSSL 1.0.2 for 2.3.14 release? Shouldn't be that complicated...
comment:5 Changed 7 years ago by
| Cc: | Samuli Seppänen removed |
|---|---|
| Owner: | set to Samuli Seppänen |
| Status: | new → assigned |
comment:7 Changed 7 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Yes, we bundle OpenSSL 1.0.2 with Windows installers now.
What openssl version is used on Linux? (see "openvpn --version")
Maybe SHA256 signatures require 1.0.2 openssl...