    OpenVPN asking for user Cert in ldap (user / pass) mode?

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    11 Posts 3 Posters 9.6k Views
wallacebw:

      Here's some more info.

      the OpenVPN Server conf is:

      
      dev ovpns2
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp-server
      cipher AES-256-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 1.2.3.4
      tls-server
      server 192.168.242.0 255.255.254.0
      client-config-dir /var/etc/openvpn-csc
      client-cert-not-required
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server2.php via-env
      lport 1195
      management /var/etc/openvpn/server2.sock unix
      max-clients 100
      push "route 192.168.0.0 255.255.0.0"
      ca /var/etc/openvpn/server2.ca
      cert /var/etc/openvpn/server2.cert
      key /var/etc/openvpn/server2.key
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      comp-lzo
      
      

      The client conf is:

      
      dev tun
      persist-tun
      persist-key
      proto tcp-client
      cipher AES-256-CBC
      tls-client
      client
      resolv-retry infinite
      remote 1.2.3.4 1195
      auth-user-pass
      ca firewall-TCP-1195-ca.crt
      tls-auth firewall-TCP-1195-tls.key 1
      comp-lzo
      
      

FYI: I'm using the nonstandard port 1195 because I have a working instance (local auth with cert) running on 1194, so I can get back in to troubleshoot.

From the above, I see that a cert should not be required (client-cert-not-required). That stated, I am unaware why I see the following log sequence when attempting to connect.

      Open VPN log:

      
      Feb 7 19:00:15 	openvpn[10095]: Re-using SSL/TLS context
      Feb 7 19:00:15 	openvpn[10095]: LZO compression initialized
      Feb 7 19:00:15 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:41648
      Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link local: [undef]
      Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]71.203.129.198:41648
      Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
      Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS object -> incoming plaintext read error
      Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS handshake failed
      Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 Fatal TLS error (check_tls_errors_co), restarting
      Feb 7 19:00:21 	openvpn[10095]: Re-using SSL/TLS context
      Feb 7 19:00:21 	openvpn[10095]: LZO compression initialized
      Feb 7 19:00:21 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:4178
      Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link local: [undef]
      Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]5.6.7.8:4178
      Feb 7 19:00:21 	openvpn[10095]: 5.6.7.8:4178 Connection reset, restarting [0]
      
      

Also, I have run diag -> authentication successfully, so I don't believe my LDAP configuration is the issue.

      Any help would be appreciated!

      Thanks all.

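As an added example (not pfSense or OpenVPN code), a small Python checker that cross-references the server config, client config and server log excerpts posted above and reports the mismatch the thread is about, plus the hardening points visible in the same logs (no `remote-cert-tls` on the client, 1024-bit DH). The config and log snippets inside it are copied from the posts; the `dh-parameters.<bits>` filename check assumes pfSense's naming as shown in the server config.

```python
import re

# Excerpts copied from the thread's server config, client config and server log.
SERVER_CONF = """
client-cert-not-required
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
dh /etc/dh-parameters.1024
"""
CLIENT_CONF = """
client
auth-user-pass
ca firewall-TCP-1195-ca.crt
tls-auth firewall-TCP-1195-tls.key 1
"""
SERVER_LOG = """
Feb 7 19:00:16 openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

def options(conf):
    """Map each OpenVPN option name to its argument string, skipping blanks and comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            opts[name] = args
    return opts

def diagnose(server_conf, client_conf, server_log):
    """Return a list of findings; an empty list means no mismatch was detected."""
    s, c = options(server_conf), options(client_conf)
    findings = []
    client_has_cert = "cert" in c or "pkcs12" in c
    # The OpenSSL error from the thread: the TLS layer insisted on a client certificate.
    rejected = "peer did not return a certificate" in server_log
    if "client-cert-not-required" in s and not client_has_cert and rejected:
        findings.append("server sets client-cert-not-required but still rejects certificate-less clients: option not honoured (check the OpenVPN build)")
    elif "client-cert-not-required" not in s and not client_has_cert:
        findings.append("client has no cert/pkcs12 but server requires a client certificate")
    if "client-cert-not-required" in s and "auth-user-pass-verify" not in s:
        findings.append("client-cert-not-required without auth-user-pass-verify: clients would connect unauthenticated")
    if "remote-cert-tls" not in c and "ns-cert-type" not in c:
        findings.append("client lacks remote-cert-tls server: no server certificate verification (the MITM warning in the client log)")
    m = re.search(r"dh-parameters\.(\d+)", s.get("dh", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"DH parameters are only {m.group(1)} bits; use 2048 or more")
    return findings
```

Run against the excerpts it reports the unhonoured `client-cert-not-required` first; newer OpenVPN releases (2.4 and later) replace that option with `verify-client-cert none`, so the same check would look for that spelling there.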
cmb:

You're missing something in your client config. Did you use the client export?

Configs on the firewall are in /var/etc/openvpn/*

wallacebw:

Thanks. I found the path (I always forget /var for some reason).

Yes, I used the client export package, and I just recreated a new OpenVPN service using UDP and received the following in the .ovpn file from the client export.

          dev tun
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          tls-client
          client
          resolv-retry infinite
          remote 1.2.3.4 1195
          auth-user-pass
          ca firewall-udp-1195-ca.crt
          tls-auth firewall-udp-1195-tls.key 1
          comp-lzo

I'm going to head off to the OpenVPN site to see if I can figure it out, but if you could post what's missing in the client config, that would be great.

          If it helps, here's my working client config:

          dev tun
          persist-tun
          persist-key
          proto tcp-client
          cipher AES-256-CBC
          tls-client
          client
          resolv-retry infinite
          remote 1.2.3.4 1194
          auth-user-pass
          pkcs12 firewall-TCP-1194.p12
          tls-auth firewall-TCP-1194-tls.key 1
          comp-lzo

          Thanks for the help.

cmb:

            Compare the contents of the CA cert the server and client are using, and the TLS key.

wallacebw:

I believe the CA CRT and TLS keys match.

Here's what I did:

              CA:
I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the CA CRT via System: Certificate Authority Manager. I then hashed each.

2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- System: Certificate Authority Manager
2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- OpenVPN: Client Export Utility

TLS Key:
I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the TLS Key via OpenVPN server: Cryptographic Settings -> TLS Authentication text box. I then hashed each.

              273278FA506EE49E05B8D9FF1693F34C2C48200C -- System: Certificate Authority Manager
              273278FA506EE49E05B8D9FF1693F34C2C48200C -- OpenVPN: Client Export Utility

Then, retesting the connection, I receive the following in the logs.

              Client:

              
              Tue Feb 08 09:14:09 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
              Tue Feb 08 09:15:14 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
              Tue Feb 08 09:15:14 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
              Tue Feb 08 09:15:14 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
              Tue Feb 08 09:15:14 2011 Control Channel Authentication: using 'firewall-udp-1194-tls.key' as a OpenVPN static key file
              Tue Feb 08 09:15:14 2011 LZO compression initialized
              Tue Feb 08 09:15:14 2011 UDPv4 link local (bound): [undef]:1194
              Tue Feb 08 09:15:14 2011 UDPv4 link remote: 1.2.3.4:1194
              Tue Feb 08 09:15:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
              Tue Feb 08 09:16:15 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              Tue Feb 08 09:16:15 2011 TLS Error: TLS handshake failed
              Tue Feb 08 09:16:15 2011 SIGUSR1[soft,tls-error] received, process restarting
              Tue Feb 08 09:16:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
              Tue Feb 08 09:16:17 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
              Tue Feb 08 09:16:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
              Tue Feb 08 09:16:17 2011 Re-using SSL/TLS context
              Tue Feb 08 09:16:17 2011 LZO compression initialized
              Tue Feb 08 09:16:17 2011 UDPv4 link local (bound): [undef]:1194
              Tue Feb 08 09:16:17 2011 UDPv4 link remote: 1.2.3.4:1194
              Tue Feb 08 09:16:17 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
              Tue Feb 08 09:16:28 2011 SIGTERM[hard,] received, process exiting
              
              

Server:

              
              Feb 8 08:58:26 	openvpn[33499]: event_wait : Interrupted system call (code=4)
              Feb 8 08:58:26 	openvpn[33499]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
              Feb 8 08:58:26 	openvpn[33499]: SIGTERM[hard,] received, process exiting
              Feb 8 08:58:27 	openvpn[6006]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
              Feb 8 08:58:27 	openvpn[6006]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Feb 8 08:58:27 	openvpn[6006]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
              Feb 8 08:58:27 	openvpn[6006]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
              Feb 8 08:58:27 	openvpn[6006]: TUN/TAP device /dev/tun1 opened
              Feb 8 08:58:27 	openvpn[6006]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
              Feb 8 08:58:27 	openvpn[6006]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
              Feb 8 08:58:27 	openvpn[6006]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
              Feb 8 08:58:27 	openvpn[10812]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
              Feb 8 08:58:27 	openvpn[10812]: UDPv4 link remote: [undef]
              Feb 8 08:58:27 	openvpn[10812]: Initialization Sequence Completed
              Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 Re-using SSL/TLS context
              Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 LZO compression initialized
              Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
              Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS object -> incoming plaintext read error
              Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS handshake failed
              Feb 8 09:14:38 	openvpn[10812]: event_wait : Interrupted system call (code=4)
              Feb 8 09:14:38 	openvpn[10812]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
              Feb 8 09:14:38 	openvpn[10812]: SIGTERM[hard,] received, process exiting
              Feb 8 09:14:39 	openvpn[12199]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
              Feb 8 09:14:39 	openvpn[12199]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Feb 8 09:14:39 	openvpn[12199]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
              Feb 8 09:14:39 	openvpn[12199]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
              Feb 8 09:14:39 	openvpn[12199]: TUN/TAP device /dev/tun1 opened
              Feb 8 09:14:39 	openvpn[12199]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
              Feb 8 09:14:39 	openvpn[12199]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
              Feb 8 09:14:39 	openvpn[12199]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
              Feb 8 09:14:39 	openvpn[13385]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
              Feb 8 09:14:39 	openvpn[13385]: UDPv4 link remote: [undef]
              Feb 8 09:14:39 	openvpn[13385]: Initialization Sequence Completed
              Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 Re-using SSL/TLS context
              Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 LZO compression initialized
              Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
              Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS object -> incoming plaintext read error
              Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS handshake failed
              
              

              Also, I tried disabling TLS Authentication and received the same results.

spiritbreaker:

                Hi,

I got the exact same issue after updating to the snapshot built on Tue Feb 8 05:33:31 EST 2011.

                TLS Keys match.

I tried a new configuration via the wizard and client export utility, but the same error always occurs.

                TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

                EDIT:

                Server option "client-cert-not-required" seems to be ignored. Error still there.

                EDIT2:

I switched back to an older snapshot (built on Thu Jan 20 19:54:38 EST 2011) and it works fine for me.

                cya

                Pfsense running at 11 Locations
                -mobile OPENVPN and IPSEC
                -multiwan failover
                -filtering proxy(squidguard) in bridgemode with ntop monitoring

cmb:

Hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine; I'll try it again as soon as I have a chance.

wallacebw:

@cmb:

> Hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine; I'll try it again as soon as I have a chance.

Any progress on this (no rush from my standpoint)? I can open a bug if you prefer so this issue doesn't get "lost".
Thanks again.

cmb:

This should be fixed in newer snapshots; I believe it was OpenVPN version-related.

wallacebw:

I can confirm the current snapshot is corrected and functioning properly on the amd64 build.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.