Netgate Discussion Forum
    TLS handshake error (pfsense 2.0)

    10 Posts 3 Posters 11.3k Views
Aziz:

      Hi, I have set up remote access OpenVPN and it works fine, but suddenly today everyone is getting the following message.

      Wed May 25 11:14:48 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
      Wed May 25 11:14:56 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Wed May 25 11:14:56 2011 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
      Wed May 25 11:14:56 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Wed May 25 11:14:56 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Wed May 25 11:14:56 2011 LZO compression initialized
      Wed May 25 11:14:56 2011 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
      Wed May 25 11:14:56 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
      Wed May 25 11:14:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      Wed May 25 11:14:56 2011 Local Options hash (VER=V4): '504e774e'
      Wed May 25 11:14:56 2011 Expected Remote Options hash (VER=V4): '14168603'
      Wed May 25 11:14:56 2011 UDPv4 link local: [undef]
      Wed May 25 11:14:56 2011 UDPv4 link remote: xx.xx.xx.xx:1194
      Wed May 25 11:14:56 2011 TLS: Initial packet from xx.xx.xx.xx:1194, sid=990a296d 00a03198
      Wed May 25 11:14:56 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Wed May 25 11:14:57 2011 VERIFY OK: depth=1, /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.org.uk/CN=internal-ca
      Wed May 25 11:14:57 2011 VERIFY nsCertType ERROR: /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.uk/CN=internal-ca, require nsCertType=SERVER
      Wed May 25 11:14:57 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Wed May 25 11:14:57 2011 TLS Error: TLS object -> incoming plaintext read error
      Wed May 25 11:14:57 2011 TLS Error: TLS handshake failed
      Wed May 25 11:14:57 2011 TCP/UDP: Closing socket
      Wed May 25 11:14:57 2011 SIGUSR1[soft,tls-error] received, process restarting
      
      

      I don't understand why this is happening, TLS is not enabled on the server and the client config is as follows:

      client
      dev tun
      proto udp
      remote XX.XX.XX.XX 1194
      ping 10
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca Internal-CA.crt
      cert username1.crt
      key username1.key
      ns-cert-type server
      comp-lzo
      pull
      verb 3
      auth-user-pass
      
      

      I've tried redownloading the CA cert and the user's key and user's cert, but it still says same thing.

      Here's the server config:

      dev ovpns1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher BF-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local XX.XX.XX.XX
      tls-server
      server 192.168.200.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 20
      push "route 10.0.0.0 255.0.0.0"
      push "dhcp-option DOMAIN XXXXXX.org.uk"
      push "dhcp-option DNS 10.2.1.2"
      push "dhcp-option DNS 10.2.1.3"
      push "dhcp-option WINS 10.2.1.2"
      ca /var/etc/openvpn/server1.ca 
      cert /var/etc/openvpn/server1.cert 
      key /var/etc/openvpn/server1.key 
      dh /etc/dh-parameters.1024
      comp-lzo
      persist-remote-ip
      float

jimp (Rebel Alliance Developer Netgate):

        Take this line out of the client:

        ns-cert-type server
        

        See if that works.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

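The directive being removed above is a client-side check, not a cosmetic option: with `ns-cert-type server` (or its newer replacement, `remote-cert-tls server`, which looks at the Extended Key Usage instead) the client only accepts a peer whose certificate was issued as a server certificate, so another user's client certificate signed by the same CA cannot be used to impersonate the VPN server. The log in the first post shows the two stages clearly: `VERIFY OK: depth=1` (the chain to the CA is fine) followed by `VERIFY nsCertType ERROR ... require nsCertType=SERVER` (the presented certificate is not marked as a server certificate). The alternative fix that keeps the check is to give the server a certificate that carries that marking. The script below is an added example, not from the thread or from pfSense; it assumes only an `openssl` command-line tool, builds a throw-away CA plus one server-marked and one client-marked certificate in a temporary directory (all names are constructed), and reproduces the verdict an OpenVPN client with `ns-cert-type server` would reach for each.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the check behind
# "VERIFY nsCertType ERROR ... require nsCertType=SERVER" with plain openssl.
# Everything below (CA name, cert names, key material) is constructed
# throw-away material written to a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Legacy marking checked by OpenVPN's `ns-cert-type server`:
# the Netscape Cert Type extension with the "SSL Server" bit set.
has_ns_server_type() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# Modern equivalent checked by `remote-cert-tls server`:
# Extended Key Usage containing serverAuth.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Does the certificate chain to the CA at all?  This is the part that
# still printed "VERIFY OK: depth=1" in the client log.
chains_to_ca() {   # chains_to_ca <ca.crt> <cert.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verdict in the order an OpenVPN client with `ns-cert-type server` reaches it:
# first the chain, then the server marking on the leaf certificate.
classify_cert() {   # classify_cert <ca.crt> <cert.crt>
    if ! chains_to_ca "$1" "$2"; then
        echo "untrusted"
    elif has_ns_server_type "$2"; then
        echo "server"
    else
        echo "not-a-server-cert"
    fi
}

# --- constructed test material ------------------------------------------
# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = internal-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Throw-away CA (the role "internal-ca" plays in the log above).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 2 -subj "/CN=internal-ca" -keyout ca.key -out ca.crt 2>/dev/null

# Issue a certificate signed by that CA with the given extension lines.
issue() {   # issue <name> <extension-lines>
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf '%s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# One certificate marked as a server, one marked as a client (a user cert).
issue vpn-server "nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment"
issue username1 "nsCertType = client
extendedKeyUsage = clientAuth"

CA_CRT="$WORK/ca.crt"
SERVER_CRT="$WORK/vpn-server.crt"
CLIENT_CRT="$WORK/username1.crt"

# Both certificates chain to the CA; only one is acceptable as the server.
printf 'vpn-server.crt: %s\n' "$(classify_cert "$CA_CRT" "$SERVER_CRT")"
printf 'username1.crt:  %s\n' "$(classify_cert "$CA_CRT" "$CLIENT_CRT")"
```

Run against real material, `has_ns_server_type /var/etc/openvpn/server1.cert` (the `cert` path from the server config in the first post) tells you whether the server's certificate carries the marking the client is demanding; `has_server_auth_eku` is the check to run if the client is on a newer OpenVPN that uses `remote-cert-tls server`. The script prints `server` for the server-marked certificate and `not-a-server-cert` for the user certificate even though `openssl verify` accepts both, which is exactly the gap the client-side directive closes.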
probie:

Aziz, or anyone else who has this issue: I have the same issue at times. Did Jimp's suggestion work?

Jimp, what are the file and path of the configuration file from which to remove "ns-cert-type server"?

jimp:

            @probie:

            Jimp, what is the file and path to configuration file to remove "ns-cert-type server" ?

That depends on the OS of the client. If it's Windows, just right-click the running client icon and choose 'edit config'.

probie:

Oh, sorry. I'm running pfSense 2rc3 at both ends. One end is the server and the other is the client, using TLS authentication. I noticed Aziz is not. Would I still need to remove that one statement?

probie:

Jimp, I saw a few posts where members who have this issue switched protocol from UDP to TCP to resolve the problem. Are there any disadvantages to this? Will there be any extra overhead and performance loss by doing this?

jimp:

                  "ns-cert-type server" is not inserted by any pfSense code - if you have that in a client config, you must have put it in custom options.

UDP works fine, TCP can cause performance degradation.

probie:

                    Thanks Jimp.  I tried it in TCP, definitely saw noticeable performance degradation.

The settings that Aziz posted below for the client and server config: what file are they in, and where is it located on the pfSense box so that I can check it?

probie:

Jimp, I found the config file on the client pfSense and it does not have "ns-cert-type server". Since it does not have "ns-cert-type server" and I am still getting "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" at times, do you have any other suggestions?

jimp:

                        Then start a new thread because your problem is unrelated to this thread.
