OpenVPN iOS unable to connect with latest version (PolarSSL issue)



  • Since updating to the latest OpenVPN app on iOS (iPhone and iPad), version 1.0.7 build 199, I am unable to connect to my OpenVPN server on pfSense (2.3.1 Release on SG 2440). I've read on other sites that others are having similar issues, and OpenVPN folks seem to point to a certificate issue. But nothing has changed on my end. Here is the error I am getting:

    2016-06-27 10:57:32 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed
    2016-06-27 10:57:32 Client terminated, restarting in 2…

    I have tried disabling "Minimum TLS version" in settings and also Force AES-CBC ciphersuites, which some had suggested on other sites. I am at a loss on what to fix in my certificate if that is truly the issue. There is not much in the server log, just this:

    Jun 27 10:57:32 openvpn 19617 192.168.198.8:50016 Connection reset, restarting [0]
    Jun 27 10:57:32 openvpn 19617 TCP connection established with [AF_INET]192.168.198.8:50016

    Any suggestions from anyone? Thanks



  • For me it just works - same app on iPad, AES-256-CBC, SHA256.
    Self-signed CA and Certificate.


  • LAYER 8 Global Moderator

    I just looked on my phone and it's 1.0.5 build 177..  I don't show any updates for it.. But if I look on iTunes it shows 1.0.7.. Wonder why mine is not updating?

    Happy to try and duplicate your problem.. But have to get updated to that build first ;)

    edit:  Ok just updated it to 1.0.7 build 199.. And connected just fine..

    Here is my log of the connection from a few minutes ago:

    
    2016-06-29 10:33:03 EVENT: RESOLVE
    2016-06-29 10:33:03 Contacting 24.13.xxx.xxx:1194 via UDP
    2016-06-29 10:33:03 EVENT: WAIT
    2016-06-29 10:33:03 SetTunnelSocket returned 1
    2016-06-29 10:33:03 Connecting to [24.13.xxx.xxx]:1194 (24.13.xxx.xxx) via UDPv4
    2016-06-29 10:33:03 EVENT: CONNECTING
    2016-06-29 10:33:03 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
    2016-06-29 10:33:03 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
    IV_VER=3.0.11
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO=1
    
    2016-06-29 10:33:03 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
    issued  on        : 2015-01-10 14:15:11
    expires on        : 2025-01-07 14:15:11
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    
    2016-06-29 10:33:03 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=pfsenseopenvpn
    issued  on        : 2015-01-10 14:15:12
    expires on        : 2025-01-07 14:15:12
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    2016-06-29 10:33:04 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    2016-06-29 10:33:04 Session is ACTIVE
    2016-06-29 10:33:04 EVENT: GET_CONFIG
    2016-06-29 10:33:04 Sending PUSH_REQUEST to server...
    2016-06-29 10:33:04 OPTIONS:
    0 [redirect-gateway] [def1]
    1 [route] [192.168.9.0] [255.255.255.0]
    2 [route] [192.168.2.0] [255.255.255.0]
    3 [route] [192.168.3.0] [255.255.255.0]
    4 [dhcp-option] [DOMAIN] [local.lan]
    5 [dhcp-option] [DNS] [192.168.9.253]
    6 [route-gateway] [10.0.200.1]
    7 [topology] [subnet]
    8 [ping] [10]
    9 [ping-restart] [60]
    10 [ifconfig] [10.0.200.2] [255.255.255.0]
    
    2016-06-29 10:33:04 PROTOCOL OPTIONS:
      cipher: AES-256-CBC
      digest: SHA256
      compress: LZO
      peer ID: -1
    2016-06-29 10:33:04 EVENT: ASSIGN_IP
    2016-06-29 10:33:04 Connected via tun
    2016-06-29 10:33:04 EVENT: CONNECTED @24.13.xxx.xxx:1194 (24.13.xxx.xxx) via /UDPv4 on tun/10.0.200.2/
    2016-06-29 10:33:04 LZO-ASYM init swap=0 asym=0
    2016-06-29 10:33:04 SetStatus Connected
    
    


  • Any suggestions here? We have not been able to connect for a month now! There is virtually nothing on the internet about this specific error (there is a lot about other PolarSSL though). I am at a loss on how to resolve…


  • LAYER 8 Netgate

    I had to re-export my profile but that could have been 1 of 100 things I might have changed since the last time I used it. I was stupid and didn't try it before I updated from 1.0.5.

    I guess PM me the certificate export for the cert you are using for the server and the CA that signed it. No private keys, just the certs. And maybe the client certificate if you're using them.

    And the connection logs from the server and the OpenVPN client.



  • @Derelict:

    I had to re-export my profile but that could have been 1 of 100 things I might have changed since the last time I used it. I was stupid and didn't try it before I updated from 1.0.5.

    I guess PM me the certificate export for the cert you are using for the server and the CA that signed it. No private keys, just the certs. And maybe the client certificate if you're using them.

    And the connection logs from the server and the OpenVPN client.

    Thank you. PM Sent



  • OK, this is now working thanks to the help of Derelict. The issue was that the certificate in my VPN server had two problems: 1) it was not a server cert, and 2) it did not have the same CN as my user cert. I fixed these and now it is working. Why it worked before, not sure.
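As an added example (not code from this thread or from pfSense/OpenVPN), a small stdlib Python check that parses the "VERIFY OK" certificate blocks the OpenVPN Connect client writes to its log (the format johnpoz's log above shows) and flags a depth=0 certificate that lacks the server attributes whose absence caused the failure here: CA=false, a server EKU or nsCertType, and a Digital Signature key usage. The sample log is constructed for the example.

```python
import re

# Constructed sample modelled on the "VERIFY OK" blocks of the client log above:
# a CA at depth=1 and, at depth=0, a plain end-entity cert with no server EKU.
SAMPLE_LOG = """\
2016-06-29 10:33:03 VERIFY OK: depth=1
subject name      : C=US, O=Home, CN=openvpn
basic constraints : CA=true

2016-06-29 10:33:03 VERIFY OK: depth=0
issuer name      : C=US, O=Home, CN=openvpn
subject name      : C=US, O=Home, CN=pfsenseopenvpn
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
"""

VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+)")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")

def parse_verify_blocks(log):
    """Map depth -> {field: value} for every 'VERIFY OK' block in a client log."""
    certs, current = {}, None
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            current = certs.setdefault(int(m.group(1)), {})
            continue
        if TIMESTAMP_RE.match(line):
            current = None  # any other timestamped line ends the cert dump
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return certs

def check_server_cert(certs):
    """Findings for the depth=0 cert; [] means it has the attributes a server cert needs."""
    leaf = certs.get(0)
    if leaf is None:
        return ["no depth=0 certificate found in log"]
    findings = []
    if leaf.get("basic constraints", "").lower() != "ca=false":
        findings.append("depth=0 cert is not CA=false")
    is_server = ("TLS Web Server Authentication" in leaf.get("ext key usage", "")
                 or leaf.get("cert. type") == "SSL Server")
    if not is_server:
        findings.append("depth=0 cert lacks server EKU / nsCertType (not a server cert)")
    if "Digital Signature" not in leaf.get("key usage", ""):
        findings.append("depth=0 cert lacks Digital Signature key usage")
    return findings
```

Run `check_server_cert(parse_verify_blocks(text))` on a full client log; an empty list means the server cert looks like the one in the working log above.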


  • LAYER 8 Global Moderator

    Most likely it wasn't… And you thought it was.. Not going to work with those 2 issues you described..

