Netgate Discussion Forum

    Pfsense 2.3: TLS handshake failed/ Failed running command (–tls-verify script)

    johnpoz LAYER 8 Global Moderator

      So I was running 2.3RC, and upgraded to 2.3 Release and having no issues with openvpn..  Just fired up a connection via my phone and boom connected..

      Your problem is not the warning, but the fact that no cert was returned:

      "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"

      
      2016-04-14 13:15:09 LZO-ASYM init swap=0 asym=0
      2016-04-14 13:15:09 EVENT: RESOLVE
      2016-04-14 13:15:09 Contacting 24.13.snipped:1194 via UDP
      2016-04-14 13:15:09 EVENT: WAIT
      2016-04-14 13:15:09 SetTunnelSocket returned 1
      2016-04-14 13:15:09 Connecting to 24.13.snipped:1194 (24.13.snipped) via UDPv4
      2016-04-14 13:15:09 EVENT: CONNECTING
      2016-04-14 13:15:09 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
      2016-04-14 13:15:09 Peer Info:
      IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
      IV_VER=3.0
      IV_PLAT=ios
      IV_NCP=1
      IV_LZO=1
      
      2016-04-14 13:15:09 VERIFY OK: depth=1
      cert. version    : 3
      serial number    : 00
      issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
      subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
      issued  on        : 2015-01-10 14:15:11
      expires on        : 2025-01-07 14:15:11
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=true
      
      2016-04-14 13:15:09 VERIFY OK: depth=0
      cert. version    : 3
      serial number    : 01
      issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=openvpn
      subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped, CN=pfsenseopenvpn
      issued  on        : 2015-01-10 14:15:12
      expires on        : 2025-01-07 14:15:12
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=false
      cert. type        : SSL Server
      key usage        : Digital Signature, Key Encipherment
      ext key usage    : TLS Web Server Authentication
      
      2016-04-14 13:15:11 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      2016-04-14 13:15:11 Session is ACTIVE
      2016-04-14 13:15:11 EVENT: GET_CONFIG
      2016-04-14 13:15:11 Sending PUSH_REQUEST to server...
      2016-04-14 13:15:11 OPTIONS:
      0 [route] [192.168.9.0] [255.255.255.0]
      1 [route] [192.168.2.0] [255.255.255.0]
      2 [route] [192.168.3.0] [255.255.255.0]
      3 [dhcp-option] [DOMAIN] [local.lan]
      4 [dhcp-option] [DNS] [192.168.9.253]
      5 [route-gateway] [10.0.200.1]
      6 [topology] [subnet]
      7 [ping] [10]
      8 [ping-restart] [60]
      9 [ifconfig] [10.0.200.2] [255.255.255.0]
      
      2016-04-14 13:15:11 LZO-ASYM init swap=0 asym=0
      2016-04-14 13:15:11 EVENT: ASSIGN_IP
      2016-04-14 13:15:11 Connected via tun
      2016-04-14 13:15:11 EVENT: CONNECTED @24.13.snipped:1194 (24.13.snipped) via /UDPv4 on tun/10.0.200.2/
      2016-04-14 13:15:12 SetStatus Connected
      
      

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        bennyc

        That looks very similar to what I have encountered a while ago, see: https://forum.pfsense.org/index.php?topic=97572.msg543520

        My issue was caused by a space in the certificate's CN. Any chance yours has one too? If not, I would anyway give it a try with recreating the server cert…

        4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
        1x PC Engines APU2C4, 1x PC Engines APU1C4

          pfff

          Hi bennyc, thank you for the suggestion! I tried deleting and then recreating all the certs (CA, server, user) without any spaces or other punctuation marks but with the same errors unfortunately. I haven't been able to do any further testing since I posted because of work but will continue trying.

            emel_punk

            So how are things going? I have installed pfSense 2.2.6 and OpenVPN doesn't work; I cannot connect my clients. The error is:

            
            Fri Apr 15 16:27:55 2016 us=478668 ACK mark active incoming ID 24
            Fri Apr 15 16:27:55 2016 us=478686 ACK acknowledge ID 24 (ack->len=1)
            Fri Apr 15 16:27:55 2016 us=478707 BIO write tls_write_ciphertext 100 bytes
            Fri Apr 15 16:27:55 2016 us=479154 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=bogota, L=bogota, O=mdc, emailAddress=info@mdc.com.co, CN=internal-ca
            Fri Apr 15 16:27:55 2016 us=479201 SSL alert (write): fatal: bad certificate
            Fri Apr 15 16:27:55 2016 us=479300 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            Fri Apr 15 16:27:55 2016 us=479334 TLS Error: TLS object -> incoming plaintext read error
            Fri Apr 15 16:27:55 2016 us=479369 TLS Error: TLS handshake failed
            Fri Apr 15 16:27:55 2016 us=479411 PID packet_id_free
            Fri Apr 15 16:27:55 2016 us=479448 SSL alert (write): warning: close notify
            
            

            I do not have firewall problems or anything; I repeated the process a lot and I am stuck on it. Please help.

              pfff

              FYI I just reinstalled 2.3 and now it works as expected and as on 2.2.6. Something must have failed during the upgrade. Thank you for your help.

                v0lZy

                Some necromancy seems to have brought this back from the depths of hell and is now pulling at my leg…

                Have a fresh pfSense install (2.4.2-RELEASE-p1 (amd64)) and I am encountering an issue with a self-signed setup. Here is what I'm seeing:

                1 - Created my own CA, created a CRL for said CA, created a server certificate issued by said CA, created a user certificate issued by said CA when creating my user.
                2 - Configured an OpenVPN server and set it to "Remote Access ( SSL/TLS + User Auth )", used said CA, CRL and server certificate.
                3 - Used 'OpenVPN Client Export' and grabbed the Archive for said user.
                4 - When connecting the VPN and after providing username and password, on pfSense I see:

                WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
                OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
                TLS_ERROR: BIO read tls_read_plaintext error
                TLS Error: TLS object -> incoming plaintext read error
                TLS Error: TLS handshake failed

                On the client side, I see timeouts and the VPN fails to establish.

                After hours of fighting with this issue I found this thread; I noted that my "Certificate Depth" was set to 'One (Client + Server)' and I was getting the above errors. I then changed "Certificate Depth" to "Do not check" and my issue went away.

                On older pfSense installations, I never had any problems with "Certificate Depth" set to "One (Client + Server)" so I assume this is some kind of a regression?

                Can anyone suggest how to keep "Certificate Depth" at "One (Client + Server)" and not have the --tls-verify script fail?

                Best regards
                V

                  johnpoz LAYER 8 Global Moderator
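The failures in this thread come from three distinct causes that the logs separate cleanly: the server reporting "no certificate returned" (the client never offered one), the client rejecting the CA with "certificate is not yet valid" (its clock is behind the CA's notBefore), and the server's --tls-verify script exiting 1 under a Certificate Depth limit. The script below is an added example, not pfSense or OpenVPN code: it maps those error lines to a likely cause, parses the per-depth certificate dump that an OpenVPN Connect client log prints (like johnpoz's above), and checks the chain against a depth limit and a reference time. The depth rule it applies (each certificate's depth must not exceed the limit, so "One (Client + Server)" accepts a CA plus leaf only), the sample log lines and all names in them are assumptions constructed for the example.

```python
"""OpenVPN TLS-verify triage (added example, not pfSense/OpenVPN code). triage_log() maps
known error lines to likely causes; parse_verify_chain() reads the "VERIFY OK: depth=N" dump
of an OpenVPN Connect log; check_chain() applies a depth limit (assumed: depth <= limit) and a time."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Log pattern -> likely root cause (this example's summary of common causes).
ERROR_CAUSES = [
    (r"no certificate returned", "client sent no certificate: the profile lacks its user cert and key"),
    (r"certificate is not yet valid", "peer clock is behind the cert notBefore: fix time/NTP first"),
    (r"Failed running command \(--tls-verify script\)", "verify script rejected the chain: check Certificate Depth, CRL and CN"),
]

def triage_log(log_text: str) -> list[tuple[str, str]]:
    """Return (log line, likely cause) for each recognised error line, in log order."""
    findings = []
    for line in log_text.splitlines():
        for pattern, cause in ERROR_CAUSES:
            if re.search(pattern, line):
                findings.append((line.strip(), cause))
                break  # first matching rule wins for a line
    return findings

@dataclass
class ChainCert:
    depth: int  # 0 = leaf, 1 = its issuer, ...
    subject_cn: str = ""
    is_ca: bool = False
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None

def _parse_ts(value: str) -> datetime:
    # The client prints "YYYY-MM-DD HH:MM:SS" without a zone; treat it as UTC.
    return datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_verify_chain(log_text: str) -> list[ChainCert]:
    """Collect the fields printed after each 'VERIFY OK: depth=N' line."""
    chain: list[ChainCert] = []
    current: Optional[ChainCert] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.search(r"VERIFY OK: depth=(\d+)", line)
        if m:
            current = ChainCert(depth=int(m.group(1)))
            chain.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = re.sub(r"\s+", " ", key).strip()  # "issued  on" -> "issued on"
        if key == "subject name":
            cn = re.search(r"CN=([^,]+)", value)
            current.subject_cn = cn.group(1).strip() if cn else ""
        elif key == "issued on":
            current.not_before = _parse_ts(value)
        elif key == "expires on":
            current.not_after = _parse_ts(value)
        elif key == "basic constraints":
            current.is_ca = "CA=true" in value
    return chain

def check_chain(chain: list[ChainCert], max_depth: Optional[int], now) -> list[str]:
    """Return problems (empty list = pass); `now` is a datetime or "YYYY-MM-DD HH:MM:SS"."""
    now = _parse_ts(now) if isinstance(now, str) else now
    if not chain:
        return ["no certificate was verified: the peer presented none"]
    problems = []
    deepest = max(c.depth for c in chain)
    if max_depth is not None and deepest > max_depth:
        problems.append(f"chain depth {deepest} exceeds the configured maximum {max_depth}")
    for c in chain:
        tag = f"depth={c.depth} CN={c.subject_cn}"
        if c.not_before and now < c.not_before:
            problems.append(f"{tag}: not yet valid until {c.not_before:%Y-%m-%d}")
        if c.not_after and now > c.not_after:
            problems.append(f"{tag}: expired on {c.not_after:%Y-%m-%d}")
        if c.depth > 0 and not c.is_ca:
            problems.append(f"{tag}: issuer certificate is not marked CA=true")
    return problems

# Constructed samples modelled on the thread's logs (not copied from them).
SAMPLE_OK_LOG = """\
2016-04-14 13:15:09 VERIFY OK: depth=1
subject name      : C=US, O=Example Home, CN=example-ca
issued  on        : 2015-01-10 14:15:11
expires on        : 2025-01-07 14:15:11
basic constraints : CA=true
2016-04-14 13:15:09 VERIFY OK: depth=0
subject name      : C=US, O=Example Home, CN=vpn-server
issued  on        : 2015-01-10 14:15:12
expires on        : 2025-01-07 14:15:12
basic constraints : CA=false
"""
SAMPLE_FAIL_LOG = """\
Fri Apr 15 16:27:55 2016 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=example-ca
Fri Apr 15 16:27:55 2016 TLS Error: TLS handshake failed
"""
```

Feed `parse_verify_chain` a client log that contains the VERIFY OK dump and call `check_chain(chain, 1, "YYYY-MM-DD HH:MM:SS")` with the firewall's current time; a "not yet valid" result while the certificate dates look right points at the client's clock rather than the certificates, and a depth result points at the Certificate Depth setting rather than at the CA.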

                  I have always run One for depth (client+server) and never had such issues. I double-checked my setting and yup, running client+server with no connection issues. Running 2.4.2_p1.

                    v0lZy

                    Is your installation fresh or a setup that was carried over?

                    Best regards,
                    V

                      johnpoz LAYER 8 Global Moderator

                      Well it's fresh on my SG-4860.. Upgraded to p1 from 2.4.2.. might have come with 2.4.0 that updated to 2.4.2 and then to p1.. Only had it a couple of weeks.

                        v0lZy

                        Experiencing this issue now on 3 VMs …
                        Quick glance at the forum says I'm not alone.

                        Was anyone able to work this out?
                        Best regards
                        V

                          reswob10

                          I had this same problem.  I tried a bunch of the solutions found from googling and such.

                          In my case, my NIC was bad. I swapped in a new NIC and the connection came up.

                          pfsense version didn't matter, client OS didn't matter.  NIC card fail.

                          6 hrs troubleshooting argh

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.