Netgate Discussion Forum

    OpenVPN issue after 2.2.4 upgrade

    5 Posts 4 Posters 2.2k Views
    bennyc

      As a heads-up: I had a working setup, upgraded from 2.2.3 to 2.2.4, and it seems the upgrade broke something  :(

      What I encountered:

      Aug 4 19:11:55  openvpn[53459]: n.n.n.n:37396 TLS Error: TLS handshake failed
      Aug 4 19:11:55  openvpn[53459]: n.n.n.n:37396 TLS Error: TLS object -> incoming plaintext read error
      Aug 4 19:11:55  openvpn[53459]: n.n.n.n:37396 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Aug 4 19:11:55  openvpn[53459]: n.n.n.n:37396 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      Aug 4 19:10:53  openvpn[53459]: n.n.n.n:34134 TLS Error: TLS handshake failed
      Aug 4 19:10:53  openvpn[53459]: n.n.n.n:34134 TLS Error: TLS object -> incoming plaintext read error
      Aug 4 19:10:53  openvpn[53459]: n.n.n.n:34134 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Aug 4 19:10:53  openvpn[53459]: n.n.n.n:34134 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

      Didn't touch anything regarding setup…
      Quick search revealed this: https://redmine.pfsense.org/issues/4329
      But that didn't bring much to the party.

      Further testing (and some help from my good friend Google) showed the issue to be in the CN of the server cert: it contained a space. Recreating the CA, server cert, and client cert solved it. But now I have to do so and hand them out to all users  >:(
      Be warned, avoid spaces, even if it is the year 2015 ::)

      --edit: grammar--

      4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
      1x PC Engines APU2C4, 1x PC Engines APU1C4
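      Two checks a pfSense admin would want after reading the above, written here as an added example rather than code from this thread or from pfSense: a log scan that isolates peers whose handshake died on the --tls-verify script (the four-line pattern quoted in the post), and a CN check that flags the whitespace that caused it. The sample log lines are constructed after the quoted ones; the subject-string format (OpenSSL slash or comma style) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the post (not real log data).
SAMPLE_LOG = """\
Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS Error: TLS handshake failed
Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS Error: TLS object -> incoming plaintext read error
Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Aug 4 19:12:10 openvpn[53459]: n.n.n.n:40012 TLS Error: TLS handshake failed
"""

# peer is the "address:port" OpenVPN prefixes to every per-client message
LINE_RE = re.compile(r"openvpn\[\d+\]: (?P<peer>\S+:\d+) (?P<msg>.*)$")

def tls_verify_failures(log_text):
    """Return {peer: [messages]} only for peers whose handshake was rejected by
    the --tls-verify script; a bare 'TLS handshake failed' is not enough."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_peer[m.group("peer")].append(m.group("msg"))
    return {peer: msgs for peer, msgs in by_peer.items()
            if any("--tls-verify script" in msg for msg in msgs)}

# CN= preceded by start of string, '/' (OpenSSL one-line) or ',' (RFC 2253 style)
CN_RE = re.compile(r"(?:^|[/,])\s*CN=(?P<cn>[^/,]*)")

def cn_problems(subject):
    """List problems with the CN of a subject string such as
    '/C=US/O=Example/CN=vpn server' or 'C=US,O=Example,CN=internal-ca'."""
    m = CN_RE.search(subject)
    if not m:
        return ["no CN present"]
    cn = m.group("cn")
    problems = []
    if not cn:
        problems.append("CN is empty")
    if any(ch.isspace() for ch in cn):   # the cause described in the post
        problems.append("CN contains whitespace")
    return problems
```

      Run cn_problems over the output of `openssl x509 -noout -subject -in <cert>` for the CA, server and client certs before redeploying a server.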

        jimp (Rebel Alliance Developer, Netgate)

        Spaces in a CN have always been problematic, no matter the year. CN is meant to be something akin to a hostname or username in general.

        Though I don't recall any changes between 2.2.3 and 2.2.4 that would have changed how they were handled.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          Rezin

          I had this issue too, even after creating new certificates etc. The patch in this thread fixed it for me.

          Edit: or did it? ??? I mean, I'm not having any issues connecting anymore, but may have been a strange coincidence.

            johnpoz (LAYER 8 Global Moderator)

            I have no idea what you think that patch did. Was your issue because you had spaces in the CN? I just looked at that thread and don't see what he is talking about; 2.2.4 does not show what it shows:

            [2.2.4-RELEASE][root@pfSense.local.lan]/root: php -v
            PHP 5.5.27 (cgi-fcgi) (built: Jul 13 2015 19:15:15)
            Copyright © 1997-2015 The PHP Group
            Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
                with Suhosin v0.9.37.1, Copyright (c) 2007-2014, by SektionEins GmbH

            [2.2.4-RELEASE][root@pfSense.local.lan]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "test.test&depth=2&certdepth=1&certsubject=C=US,"; echo; echo $?
            OK
            0
            [2.2.4-RELEASE][root@pfSense.local.lan]/root:

            I sure didn't deploy any patches or do anything with PHP.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              Rezin

              Yeah, not sure… I didn't get anything other than "OK \n 0" running that, but I couldn't connect the minute prior to (and for a day or so before) doing that change, then could straight afterwards.

              Edit: CN was "internal-ca"
