OpenVPN cannot connect after the latest upgrade (2.3.11)
-
Hi,
I've upgraded all the packages on my pfSense box, and one of those packages is the OpenVPN server. After the upgrade I noticed that clients cannot connect to the box, and while searching for a way to fix the problem I've seen that it is the certificate depth check.
My server is configured to use a CA + server certificate + client certificate, and the cert depth is just one. It was working perfectly with that configuration, but after the upgrade it started to fail and I had to disable that check.
I'm sorry but I can't post the log because it was rotated (I have to change that), but the error was a TLS error related to certs.
Now I've disabled that cert depth check and it is working, but it is strange, because the cert depth shown in the log is 1 and then 0:
May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=1, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=aaa.com
May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=0, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=BBBBB
I think the first line is talking about the CA and the second about the client cert.
Does someone know a way to fix this? Because I want to keep the cert depth check active.
Thanks!!
-
Huh, what is your question? That sure looks like it checked the server, while also checking the client, which is depth 1. Other depths would be that it allows for intermediate CAs between the client cert and your CA.
That looks correct to me, I see the same in my logs:
May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn
May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn
-
Thanks!!
That is the question. If the certificate depth is 1, why does it fail when I set the depth check to 1?
There is no intermediate CA between the root CA and the client certificate, but the only way to make it work is to disable the depth check. If I set the depth to one it fails, and I've tested all other depths and it is still failing.
It was working perfectly until now with the latest version, so I think it is a problem related to the latest version.
Greetings!!
-
Confused, what you posted was that it checked..
Can you post a failure? I am still on the previous OpenVPN, since I have not updated to 2.3.1 until I get home tonight. I don't want to risk updating while remote. Normally I would, but there was a thread about freerad not starting, and I don't want to risk taking out the wifi while I am remote. Wife would kill me ;)
I am using the 2.3.11 client, just the pfSense version has not been bumped up until I update when I get home.
-
For now it is working and I can't get the log info (it was cleared by pfSense), but next Monday I'll try to make it fail for a while to get the logs.
Greetings!!
-
Hi,
I've set the Cert Depth Check to one, and this is what I get:
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:50963, sid=69cb1a65 66299403
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 VERIFY SCRIPT ERROR: depth=1, C=ES, ST=Madrid, L=Madrid, O=Company, emailAddress=aaa@aaa.com, CN=bbb.com
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS_ERROR: BIO read tls_read_plaintext error
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS object -> incoming plaintext read error
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS handshake failed
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 SIGUSR1[soft,tls-error] received, client-instance restarting
Disabling the Cert Depth Check, it works fine again.
-
"SSL3_GET_CLIENT_CERTIFICATE: no certificate returned"
Seems kind of hard to validate if there is no cert presented.
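The depth numbering discussed in this thread, as an added example that is not part of any post and is not pfSense's own verify script: OpenVPN runs the `--tls-verify` command once for every certificate in the peer's chain, deepest first, passing the certificate depth and the subject as its two arguments, and aborts the handshake on the first non-zero exit. For a CA that signs the client certificate directly, that means two calls, depth=1 (the CA) and then depth=0 (the client), exactly the two VERIFY lines in the logs above, so a maximum depth of 1 should accept that chain. The script below enforces such a limit in POSIX sh; `MAX_DEPTH`, `check_depth`, `verify_chain` and the sample subjects are assumptions made for the example, with the sample chain constructed from the redacted subjects in the thread's log.

```shell
#!/bin/sh
# Added example: a minimal OpenVPN --tls-verify hook enforcing a maximum
# certificate chain depth. Illustrative code, not pfSense's own verify script;
# MAX_DEPTH, check_depth and verify_chain are names chosen for this example.
#
# OpenVPN invokes the --tls-verify command once per certificate in the peer's
# chain, deepest certificate first, with two arguments:
#   $1 = depth (0 = the peer's own certificate, 1 = its issuer, 2 = the next CA up)
#   $2 = the certificate subject as an X.509 one-line name
# Exit 0 to accept that certificate, non-zero to reject it; one rejection
# aborts the TLS handshake and is logged as "VERIFY SCRIPT ERROR: depth=N".

# Largest depth accepted. 1 = CA signs the client directly (no intermediates);
# 2 would additionally allow one intermediate CA between CA and client.
MAX_DEPTH="${MAX_DEPTH:-1}"

# check_depth DEPTH SUBJECT
# Returns 0 if DEPTH is a non-negative integer no greater than MAX_DEPTH.
check_depth() {
    depth="$1"
    subject="$2"
    case "$depth" in
        ''|*[!0-9]*)
            echo "tls-verify: bad depth '$depth' for $subject" >&2
            return 1
            ;;
    esac
    if [ "$depth" -gt "$MAX_DEPTH" ]; then
        echo "tls-verify: depth $depth exceeds $MAX_DEPTH for $subject" >&2
        return 1
    fi
    return 0
}

# verify_chain "DEPTH|SUBJECT" ["DEPTH|SUBJECT" ...]
# Simulates the sequence of calls OpenVPN makes during one handshake (deepest
# certificate first) and stops at the first rejected certificate, as OpenVPN
# does. Returns 0 only if every certificate in the chain passes.
verify_chain() {
    for entry in "$@"; do
        d="${entry%%|*}"
        s="${entry#*|}"
        check_depth "$d" "$s" || return 1
    done
    return 0
}

# Constructed sample chain modelled on the thread's log: the CA is seen at
# depth 1, then the client certificate at depth 0.
SAMPLE_CA="1|C=ES, ST=Madrid, L=Madrid, O=AAA, CN=aaa.com"
SAMPLE_CLIENT="0|C=ES, ST=Madrid, L=Madrid, O=AAA, CN=BBBBB"

# When OpenVPN runs this file it passes exactly two arguments; act as the hook.
# With no arguments (sourced or run for the demo) only the functions are defined.
if [ "$#" -eq 2 ]; then
    check_depth "$1" "$2"
    exit "$?"
fi
```

To use it on a real server, install the file as an executable script and reference it from the server configuration with `tls-verify /path/to/script` together with `script-security 2`. When the hook rejects a certificate the server log looks like the failure posted above: a `VERIFY SCRIPT ERROR` at the rejected depth, followed by OpenSSL's `SSL3_GET_CLIENT_CERTIFICATE:no certificate returned`. In OpenSSL 1.0.x that message is what ssl3_get_client_certificate reports whenever chain verification fails, not only when the client sent no certificate, so a `VERIFY SCRIPT ERROR: depth=1` means the script rejected the CA certificate itself, which is the first thing to check before concluding that the client presented nothing.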