TLS handshake error (pfsense 2.0)
-
Hi, I have set up remote access OpenVPN and it works fine, but suddenly today everyone is getting the following message.
Wed May 25 11:14:48 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Wed May 25 11:14:56 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed May 25 11:14:56 2011 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
Wed May 25 11:14:56 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 25 11:14:56 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 25 11:14:56 2011 LZO compression initialized
Wed May 25 11:14:56 2011 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed May 25 11:14:56 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 25 11:14:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 25 11:14:56 2011 Local Options hash (VER=V4): '504e774e'
Wed May 25 11:14:56 2011 Expected Remote Options hash (VER=V4): '14168603'
Wed May 25 11:14:56 2011 UDPv4 link local: [undef]
Wed May 25 11:14:56 2011 UDPv4 link remote: xx.xx.xx.xx:1194
Wed May 25 11:14:56 2011 TLS: Initial packet from xx.xx.xx.xx:1194, sid=990a296d 00a03198
Wed May 25 11:14:56 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 25 11:14:57 2011 VERIFY OK: depth=1, /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.org.uk/CN=internal-ca
Wed May 25 11:14:57 2011 VERIFY nsCertType ERROR: /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.uk/CN=internal-ca, require nsCertType=SERVER
Wed May 25 11:14:57 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed May 25 11:14:57 2011 TLS Error: TLS object -> incoming plaintext read error
Wed May 25 11:14:57 2011 TLS Error: TLS handshake failed
Wed May 25 11:14:57 2011 TCP/UDP: Closing socket
Wed May 25 11:14:57 2011 SIGUSR1[soft,tls-error] received, process restarting
I don't understand why this is happening; TLS is not enabled on the server, and the client config is as follows:
client
dev tun
proto udp
remote XX.XX.XX.XX 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca Internal-CA.crt
cert username1.crt
key username1.key
ns-cert-type server
comp-lzo
pull
verb 3
auth-user-pass
I've tried re-downloading the CA cert and the user's key and cert, but it still says the same thing.
Here's the server config:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XX.XX.XX.XX
tls-server
server 192.168.200.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DOMAIN XXXXXX.org.uk"
push "dhcp-option DNS 10.2.1.2"
push "dhcp-option DNS 10.2.1.3"
push "dhcp-option WINS 10.2.1.2"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
persist-remote-ip
float
-
Take this line out of the client:
ns-cert-type server
See if that works.
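Added example, not part of the thread and not pfSense or OpenVPN code: the check that the client's "ns-cert-type server" line performs (and the one its replacement, "remote-cert-tls server", performs) can be reproduced against a server certificate with the openssl CLI. The script builds a throwaway CA and two server certificates, one with no server-marking extension at all (the situation in the log above: signed by the CA, but "VERIFY nsCertType ERROR") and one carrying nsCertType=server plus extendedKeyUsage serverAuth, then reports which check each would pass. The names internal-ca and vpn.example.test and the temp-dir layout are made up for the example. Pointing has_ns_cert_type_server at the real server1.cert tells you whether the extension is missing; the option exists so that an ordinary client certificate from the same CA cannot be used to impersonate the server, so a server certificate that carries the extension is the more durable fix than dropping the check.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces OpenVPN's client-side
# server-certificate checks with the openssl CLI (1.1.1 or newer).
# All names below are invented for the demonstration.

# Return 0 if the certificate carries nsCertType with "SSL Server" set,
# which is what the (deprecated) "ns-cert-type server" option requires.
has_ns_cert_type_server() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# Return 0 if the certificate carries extendedKeyUsage serverAuth, the EKU
# that "remote-cert-tls server" requires (it also wants keyUsage
# digitalSignature plus keyEncipherment or keyAgreement).
has_eku_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Build a throwaway CA and two server certs in a temp dir; print the dir.
#   server-plain.crt : signed by the CA, no server-marking extension
#   server-ok.crt    : nsCertType=server, serverAuth EKU, proper keyUsage
make_demo_certs() {
    d=$(mktemp -d)
    # Minimal req config so the run does not depend on a system openssl.cnf.
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=internal-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1

    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1

    # No extension file: a certificate that is valid but not marked as a server.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server-plain.crt" >/dev/null 2>&1

    # Extensions an OpenVPN server certificate should carry.
    cat > "$d/server.ext" <<'EOF'
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/server.ext" \
        -out "$d/server-ok.crt" >/dev/null 2>&1

    echo "$d"
}

# Print, for one certificate, which of the two OpenVPN client checks it passes.
report() {
    f=$1
    if has_ns_cert_type_server "$f"; then ns=pass; else ns=FAIL; fi
    if has_eku_server_auth "$f"; then eku=pass; else eku=FAIL; fi
    printf '%s: ns-cert-type server=%s  remote-cert-tls server=%s\n' \
        "$(basename "$f")" "$ns" "$eku"
}

DEMO_DIR=$(make_demo_certs)
report "$DEMO_DIR/server-plain.crt"
report "$DEMO_DIR/server-ok.crt"
```

To test a real pfSense server certificate, copy it off the box and run has_ns_cert_type_server and has_eku_server_auth against it; a certificate that fails both is the one the client log above is complaining about.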
-
Aziz, or anyone who has this issue: I have the same issue at times. Did Jimp's suggestion work?
Jimp, what is the file and path to the configuration file in which to remove "ns-cert-type server"?
-
Jimp, what is the file and path to the configuration file in which to remove "ns-cert-type server"?
That depends on the OS of the client. If it's Windows, just right-click the running client icon and choose 'Edit Config'.
-
Oh, sorry. I'm running pfSense 2 RC3 at both ends. One end is the server and the other is the client, and I'm using TLS authentication. I noticed Aziz is not. Would I still need to remove that one statement?
-
Jimp, I saw a few postings where members who have this issue switched the protocol from UDP to TCP to resolve the problem. Are there any disadvantages to this? Will there be any extra overhead or performance loss from doing this?
-
"ns-cert-type server" is not inserted by any pfSense code; if you have that in a client config, you must have put it in the custom options.
UDP works fine; TCP can cause performance degradation.
-
Thanks, Jimp. I tried it with TCP and definitely saw noticeable performance degradation.
The settings that Aziz posted below for the client and server config: what file are they in, and where is it located on the pfSense box, so I can check them?
-
Jimp, I found the config file on the client pfSense and it does not have "ns-cert-type server". Since it does not have "ns-cert-type server" and I am still getting the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" error at times, do you have any other suggestions?
-
Then start a new thread because your problem is unrelated to this thread.