OpenVPN cannot connect after the latest upgrade (2.3.11)



  • Hi,

I've upgraded all the packages of my pfSense box, and one of those packages is the OpenVPN server. After the upgrade I've noticed that clients cannot connect to the box, and while searching for a way to fix the problem I've seen that it is the certificate depth check.

My server is configured to use a CA + Server Certificate + Client Certificate and the cert depth is just one. It was working perfectly with that configuration, but after the upgrade it started to fail and I had to disable that check.

I'm sorry but I can't post the log because it was rotated (I have to change that), but the error was a TLS error related to certs.
    Now I've disabled that cert depth check and it is working, but it is strange, because the cert depth shown in the log is 1 and then 0…:

    May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=1, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=aaa.com
    May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=0, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=BBBBB
    

I think the first line is talking about the CA and the second about the Client Cert.

Does someone know a way to fix this? I want to keep the cert depth check active.

    Thanks!!


  • LAYER 8 Global Moderator

Huh, what is your question? That sure looks like it checked the server while also checking the client, which is depth 1. Other depths would allow intermediate CAs between the client cert and your CA.

    That looks correct to me, I see the same in my logs..

    May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
    May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
    May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn
    May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn
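As an added illustration of the depth semantics described in the reply above (example code, not pfSense's own ovpn_auth_verify script and not posted by either participant): OpenVPN runs the `--tls-verify` hook once per certificate in the peer's chain, CA first, passing the depth and the X.509 subject, and any non-zero exit aborts the handshake with a `VERIFY SCRIPT ERROR: depth=N, ...` line. The script below enforces a maximum depth the way pfSense's "One (Client+Server)" setting is meant to: depth 1 (the CA) and depth 0 (the leaf) pass, anything deeper is rejected. The `OVPN_MAX_DEPTH` variable, the `demo` mode and the chains it walks are assumptions constructed for the example; the thread does not establish what actually broke in the poster's upgrade.

```shell
#!/bin/sh
# Added illustration of an OpenVPN --tls-verify hook that enforces a
# maximum certificate chain depth. Not pfSense's ovpn_auth_verify script;
# OVPN_MAX_DEPTH and the constructed chains below are assumptions.
#
# OpenVPN runs the hook once per certificate in the peer's chain, CA
# first, as:    hook <depth> <x509-subject>
# Exit 0 lets the handshake continue; any non-zero exit aborts it and
# OpenVPN logs "VERIFY SCRIPT ERROR: depth=N, <subject>".

# Highest depth accepted. 1 = CA (depth 1) + leaf (depth 0), pfSense's
# "One (Client+Server)" setting; 2 additionally allows one intermediate.
: "${OVPN_MAX_DEPTH:=1}"

# tls_verify DEPTH SUBJECT  ->  0 accept, 1 reject
tls_verify() {
    depth=$1
    subject=$2
    case $depth in
        ''|*[!0-9]*)
            echo "tls-verify: non-numeric depth '$depth' for '$subject'" >&2
            return 1 ;;
    esac
    # Accept 0..OVPN_MAX_DEPTH inclusive. A strict "-ge" here would reject
    # the CA itself at depth 1 when OVPN_MAX_DEPTH=1 and produce a
    # "VERIFY SCRIPT ERROR: depth=1" line, so the comparison matters.
    if [ "$depth" -gt "$OVPN_MAX_DEPTH" ]; then
        echo "tls-verify: depth $depth exceeds max $OVPN_MAX_DEPTH for '$subject'" >&2
        return 1
    fi
    return 0
}

# verify_chain "DEPTH|SUBJECT" ...  ->  prints an OpenVPN-style verdict
# per certificate and returns 0 only if the whole chain passed. Entries
# are given deepest first, the order OpenVPN presents them in.
verify_chain() {
    for entry in "$@"; do
        depth=${entry%%|*}
        subject=${entry#*|}
        if tls_verify "$depth" "$subject" 2>/dev/null; then
            echo "VERIFY SCRIPT OK: depth=$depth, $subject"
        else
            echo "VERIFY SCRIPT ERROR: depth=$depth, $subject"
            echo "TLS Error: TLS handshake failed"
            return 1
        fi
    done
    return 0
}

# Invoked by OpenVPN with two arguments: act as the hook.
# Invoked as "hook.sh demo": walk two constructed chains (not real certs).
case "$#:${1:-}" in
    2:*)
        tls_verify "$1" "$2"
        exit $? ;;
    1:demo)
        echo "== CA + client chain, max depth $OVPN_MAX_DEPTH =="
        verify_chain '1|C=ES, ST=Madrid, O=AAA, CN=aaa.com' \
                     '0|C=ES, ST=Madrid, O=AAA, CN=BBBBB' || true
        echo "== root + intermediate + client chain, max depth $OVPN_MAX_DEPTH =="
        verify_chain '2|CN=root' '1|CN=intermediate' '0|CN=client' || true ;;
esac
```

Run `sh hook.sh demo` to see the two-certificate chain accepted and the three-certificate chain rejected at depth 2 under the default of 1; `OVPN_MAX_DEPTH=2 sh hook.sh demo` accepts both. Wired into a server config as `tls-verify /path/hook.sh`, the same function is what OpenVPN calls for each certificate, and a rejection at depth 1 can only come from the hook itself deciding the CA certificate is too deep, not from the client omitting its certificate.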



  • Thanks!!

That is the question. If the certificate depth is 1, why does it fail when I set the depth check to 1?
    There is no intermediate CA between the root CA and the client certificate, but the only way to make it work is to disable the depth check. If I set the depth to one it fails, and I've tested all the other depths and it still fails.
    It was working perfectly until now with the latest version, so I think there is some problem related to the latest version.

    Greetings!!


  • LAYER 8 Global Moderator

Confused, what you posted shows it checked..

Can you post a failure? I am still on the previous OpenVPN, since I will not update to 2.3.1 until I get home tonight. I don't want to risk updating while remote. Normally I would, but there was a thread about freerad not starting, and I don't want to risk taking out the wifi while I am remote. Wife would kill me ;)

I am using the 2.3.11 client, it is just the pfSense version that has not been bumped up until I update when I get home.



For now it is working and I can't get the log info (it was cleared by pfSense), but next Monday I'll try to make it fail for a while to get the logs.

    Greetings!!



  • Hi,

    I've set the Cert Depth Check to one, and this is what I get:

    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:50963, sid=69cb1a65 66299403
May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 VERIFY SCRIPT ERROR: depth=1, C=ES, ST=Madrid, L=Madrid, O=Company, emailAddress=aaa@aaa.com, CN=bbb.com
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS_ERROR: BIO read tls_read_plaintext error
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS object -> incoming plaintext read error
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS handshake failed
    May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 SIGUSR1[soft,tls-error] received, client-instance restarting

Disabling the Cert Depth Check, it works fine again.


  • LAYER 8 Global Moderator

"SSL3_GET_CLIENT_CERTIFICATE:**no certificate returned**"

    Seems kind of hard to validate if there is no cert presented.

