id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
742,Windows client self-signed sha256 certificate verify failed,vitaliy69,Samuli Seppänen,"I generate certificates for the OpenVPN server manually following these instructions [https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto] with a vars file ([https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example]), using the SHA256 algorithm.
I install them, and the server restarts successfully.
However, the Windows client cannot connect to the server:
''Wed Sep 28 12:41:46 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Wed Sep 28 12:41:46 2016 Windows version 6.1 (Windows 7) 64bit
Wed Sep 28 12:41:46 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Wed Sep 28 12:41:47 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:47 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:49 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:49 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:49 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:49 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:49 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:51 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:51 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:51 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:51 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:51 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:51 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:51 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:51 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:52 2016 SIGTERM[hard,init_instance] received, process exiting''
With SHA1 certificates there are no problems.
SHA256 certificates work fine under Linux.
The OpenVPN server is from Asus Merlin firmware; client configuration:
''client
dev tun
proto udp
remote somehost.asuscomm.com 1194
float
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
resolv-retry infinite
nobind''
",Bug / Defect,closed,major,release 2.3.14,Generic / unclassified,OpenVPN 2.3.12 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,,
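The client log above reports `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA`. That OpenSSL error (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, number 19) means chain building reached a self-signed certificate, here the CA presented by the server, that was not found in the verifier's trust store; it is not a complaint about the hash algorithm itself. The script below is an added example, not code from the ticket, the reporter or the OpenVPN project: it builds a throwaway SHA256 CA and server certificate with the openssl CLI, confirms which signature algorithm the server cert carries, and then runs chain verification twice, once with the CA configured as a trust anchor and once with the CA only present in the chain, which reproduces the error 19 text. Subject names, the 30-day lifetime and the temporary directory are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the ticket: build a throwaway SHA256 chain with the
# openssl CLI and show the two outcomes of chain verification. Requires openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed SHA256 CA plus a server certificate it signs. The subject names
# and 30-day lifetime are assumptions chosen for the demo only.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=OpenVPN CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=server" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Signature algorithm the server certificate actually carries; this is the
# first thing to confirm when a "SHA1 works, SHA256 fails" report comes in.
server_sig_alg() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Case 1: the CA is configured as a trust anchor. Exit 0 means the chain is good.
verify_with_trusted_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Case 2: the CA is only presented as part of the chain (-untrusted), not
# configured as a trust anchor. OpenSSL then reports error 19 at depth 1,
# "self signed certificate in certificate chain" (OpenSSL 3 spells it
# "self-signed"), the same VERIFY ERROR the Windows client logged above.
# Returns 0 when that specific error text is produced.
verify_with_untrusted_ca() {
  openssl verify -untrusted "$WORK/ca.crt" "$WORK/server.crt" 2>&1 \
    | grep -qi 'self.signed certificate in certificate chain'
}

make_chain
echo "server signature algorithm: $(server_sig_alg)"
verify_with_trusted_ca && echo "CA as trust anchor: chain verifies"
verify_with_untrusted_ca && echo "CA in chain but untrusted: error 19 (self signed cert in chain)"
```

When triaging a report like this one, run the equivalent of case 1 against the exact files the client is loading (for an inline `<ca>` block, copy it out to a file first): if `openssl verify -CAfile` succeeds on the same machine that logs error 19, the certificates are fine and the problem is in how that client build locates or loads its trust anchor, which is where the ticket's fix in 2.3.14 is classified. Separately, `ns-cert-type server` in the posted configuration is the older Netscape-extension check; OpenVPN 2.4 deprecated it in favour of `remote-cert-tls server`, which is the option to use in new configurations.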