Opened 4 years ago

Closed 3 years ago

#742 closed Bug / Defect (fixed)

Windows client self-signed sha256 certificate verify failed

Reported by: vitaliy69 Owned by: Samuli Seppänen
Priority: major Milestone: release 2.3.14
Component: Generic / unclassified Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set Keywords:
Cc:

Description

I generate certificates for the OpenVPN server manually using these instructions https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto with the vars file (https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example). I use the SHA256 algorithm.

I install them, and the server restarts successfully.

However, the Windows client cannot connect to the server:

Wed Sep 28 12:41:46 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Wed Sep 28 12:41:46 2016 Windows version 6.1 (Windows 7) 64bit
Wed Sep 28 12:41:46 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Wed Sep 28 12:41:47 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:47 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:49 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:49 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:49 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:49 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:49 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:51 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:51 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:51 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:51 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:51 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:51 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:51 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:51 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:52 2016 SIGTERM[hard,init_instance] received, process exiting

With SHA1 certificates there are no problems at all.

SHA256 certificates work fine under Linux.

The OpenVPN server is from Asus Merlin firmware; client configuration:

client
dev tun
proto udp
remote somehost.asuscomm.com 1194
float
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
resolv-retry infinite
nobind
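A way to reproduce the checks behind this report offline, as an added example that is not code from the ticket, the reporter or the OpenVPN project: generate a SHA256-signed CA and server certificate with the openssl CLI (the same digest EasyRSA 3 uses by default), print the signature algorithm the chain actually carries, and verify the leaf against the right CA and against a wrong one. The file names, subject names and two-day validity are assumptions of this example; the error text to compare against is the "certificate verify failed" / "self signed certificate in certificate chain" pair in the log above.

```shell
#!/bin/sh
# Added example (not from the ticket): offline reproduction of the chain checks.
# Requires the openssl command-line tool; every file name below is an assumption.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 0; }

WORK=$(mktemp -d)

# Build a self-signed CA and a server cert issued by it, both signed with the
# given digest (sha256 here, sha1 to mimic the reporter's working case).
make_chain() {
    digest=$1
    openssl req -x509 -newkey rsa:2048 -nodes "-$digest" -days 2 \
        -subj "/CN=OpenVPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req "-$digest" -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Signature algorithm recorded in a certificate, e.g. sha256WithRSAEncryption.
# This is the first thing to read when a client rejects a freshly generated chain.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Verify a leaf certificate against a CA file; prints "ok" or "fail" so the
# result can be tested rather than read off stderr.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_chain sha256
echo "CA signature    : $(sig_alg "$WORK/ca.crt")"
echo "server signature: $(sig_alg "$WORK/server.crt")"
echo "chain vs own CA : $(verify_chain "$WORK/ca.crt" "$WORK/server.crt")"

# Negative check: a CA the client does not trust reproduces the class of
# "certificate verify failed" the Windows client logged.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
echo "chain vs wrong CA: $(verify_chain "$WORK/other.crt" "$WORK/server.crt")"
```

If the server certificate verifies here but the VPN client still logs VERIFY ERROR, the chain itself is fine and the next thing to compare is the OpenSSL version each client links against (openvpn --version prints it), which is the question the thread turns to next. Note that running make_chain sha1 on an OpenSSL 3.x host will produce a chain that openssl verify rejects at the default security level, since SHA1 signatures are no longer accepted there.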

Change History (7)

comment:1 Changed 4 years ago by Gert Döring

Cc: Samuli Seppänen added

What openssl version is used on Linux? (see "openvpn --version")

Maybe SHA256 signatures require 1.0.2 openssl...

comment:2 Changed 4 years ago by vitaliy69

Linux client version: OpenSSL 1.0.2j-fips 26 Sep 2016
Linux server version (on router): OpenSSL 1.0.2j 26 Sep 2016

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.3.14
Version: 2.2.2 → 2.3.12

@mattock: can we manage OpenSSL 1.0.2 for the 2.3.14 release? Shouldn't be that complicated...

comment:4 Changed 4 years ago by Samuli Seppänen

@cron: yes I can.

comment:5 Changed 4 years ago by Gert Döring

Cc: Samuli Seppänen removed
Owner: set to Samuli Seppänen
Status: new → assigned

comment:6 Changed 3 years ago by Gert Döring

done?

comment:7 Changed 3 years ago by Samuli Seppänen

Resolution: fixed
Status: assigned → closed

Yes, we bundle OpenSSL 1.0.2 with Windows installers now.