Netgate Discussion Forum
OpenVPN iOS unable to connect with latest version (PolarSSL issue)

8 Posts 4 Posters 3.5k Views
    jpk_pfsense, Jun 27, 2016, 6:06 PM (last edited Jun 27, 2016, 6:18 PM)

    Since updating to the latest OpenVPN app on iOS (iPhone and iPad), version 1.0.7 build 199, I am unable to connect to my OpenVPN server on pfSense (2.3.1 Release on SG 2440). I've read on other sites that others are having similar issues, and OpenVPN folks seem to point to a certificate issue. But nothing has changed on my end. Here is the error I am getting:

    2016-06-27 10:57:32 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed
    2016-06-27 10:57:32 Client terminated, restarting in 2…

    I have tried disabling "Minimum TLS version" in settings and also Force AES-CBC ciphersuites, which some had suggested on other sites. I am at a loss on what to fix in my certificate if that is truly the issue. There is not much in the server log, just this:

    Jun 27 10:57:32 openvpn 19617 192.168.198.8:50016 Connection reset, restarting [0]
    Jun 27 10:57:32 openvpn 19617 TCP connection established with [AF_INET]192.168.198.8:50016

    Any suggestions from anyone? Thanks

      AndrewZ, Jun 27, 2016, 6:33 PM

      For me it just works - same app on iPad, AES-256-CBC, SHA256.
      Self-signed CA and Certificate.

        johnpoz LAYER 8 Global Moderator, Jun 29, 2016, 3:30 PM (last edited Jun 29, 2016, 3:37 PM)

        I just looked on my phone and it's 1.0.5 build 177.. I don't show any updates for it.. But if I look on iTunes it shows 1.0.7.. Wonder why mine is not updating?

        Happy to try and duplicate your problem.. But have to get updated to that build first ;)

        Edit: OK, just updated it to 1.0.7 build 199.. And connected just fine..

        Here is my log of the connection from a few minutes ago:

        
        2016-06-29 10:33:03 EVENT: RESOLVE
        2016-06-29 10:33:03 Contacting 24.13.xxx.xxx:1194 via UDP
        2016-06-29 10:33:03 EVENT: WAIT
        2016-06-29 10:33:03 SetTunnelSocket returned 1
        2016-06-29 10:33:03 Connecting to [24.13.xxx.xxx]:1194 (24.13.xxx.xxx) via UDPv4
        2016-06-29 10:33:03 EVENT: CONNECTING
        2016-06-29 10:33:03 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
        2016-06-29 10:33:03 Peer Info:
        IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
        IV_VER=3.0.11
        IV_PLAT=ios
        IV_NCP=2
        IV_TCPNL=1
        IV_PROTO=2
        IV_LZO=1
        
        2016-06-29 10:33:03 VERIFY OK: depth=1
        cert. version    : 3
        serial number    : 00
        issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
        subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
        issued  on        : 2015-01-10 14:15:11
        expires on        : 2025-01-07 14:15:11
        signed using      : RSA with SHA-256
        RSA key size      : 2048 bits
        basic constraints : CA=true
        
        2016-06-29 10:33:03 VERIFY OK: depth=0
        cert. version    : 3
        serial number    : 01
        issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
        subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=pfsenseopenvpn
        issued  on        : 2015-01-10 14:15:12
        expires on        : 2025-01-07 14:15:12
        signed using      : RSA with SHA-256
        RSA key size      : 2048 bits
        basic constraints : CA=false
        cert. type        : SSL Server
        key usage        : Digital Signature, Key Encipherment
        ext key usage    : TLS Web Server Authentication
        
        2016-06-29 10:33:04 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
        2016-06-29 10:33:04 Session is ACTIVE
        2016-06-29 10:33:04 EVENT: GET_CONFIG
        2016-06-29 10:33:04 Sending PUSH_REQUEST to server...
        2016-06-29 10:33:04 OPTIONS:
        0 [redirect-gateway] [def1]
        1 [route] [192.168.9.0] [255.255.255.0]
        2 [route] [192.168.2.0] [255.255.255.0]
        3 [route] [192.168.3.0] [255.255.255.0]
        4 [dhcp-option] [DOMAIN] [local.lan]
        5 [dhcp-option] [DNS] [192.168.9.253]
        6 [route-gateway] [10.0.200.1]
        7 [topology] [subnet]
        8 [ping] [10]
        9 [ping-restart] [60]
        10 [ifconfig] [10.0.200.2] [255.255.255.0]
        
        2016-06-29 10:33:04 PROTOCOL OPTIONS:
          cipher: AES-256-CBC
          digest: SHA256
          compress: LZO
          peer ID: -1
        2016-06-29 10:33:04 EVENT: ASSIGN_IP
        2016-06-29 10:33:04 Connected via tun
        2016-06-29 10:33:04 EVENT: CONNECTED @24.13.xxx.xxx:1194 (24.13.xxx.xxx) via /UDPv4 on tun/10.0.200.2/
        2016-06-29 10:33:04 LZO-ASYM init swap=0 asym=0
        2016-06-29 10:33:04 SetStatus Connected

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jpk_pfsense, Jul 3, 2016, 6:19 PM

          Any suggestions here? We have not been able to connect for a month now! There is virtually nothing on the internet about this specific error (there is a lot about other PolarSSL though). I am at a loss on how to resolve…

            Derelict LAYER 8 Netgate, Jul 3, 2016, 7:30 PM

            I had to re-export my profile but that could have been 1 of 100 things I might have changed since the last time I used it. I was stupid and didn't try it before I updated from 1.0.5.

            I guess PM me the certificate export for the cert you are using for the server and the CA that signed it. No private keys, just the certs. And maybe the client certificate if you're using them.

            And the connection logs from the server and the OpenVPN client.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              jpk_pfsense, Jul 3, 2016, 7:53 PM

              @Derelict:

              I had to re-export my profile but that could have been 1 of 100 things I might have changed since the last time I used it. I was stupid and didn't try it before I updated from 1.0.5.

              I guess PM me the certificate export for the cert you are using for the server and the CA that signed it. No private keys, just the certs. And maybe the client certificate if you're using them.

              And the connection logs from the server and the OpenVPN client.

              Thank you. PM Sent

                jpk_pfsense, Jul 4, 2016, 1:30 AM

                OK, this is now working thanks to the help of Derelict. The issue was that the certificate in my VPN server had two problems: 1) it was not a server cert; 2) it did not have the same CN as my user cert. I fixed these and now it is working. Why it worked before, I'm not sure.

                  johnpoz LAYER 8 Global Moderator, Jul 4, 2016, 12:28 PM
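The check that failed in this thread can be reproduced outside of OpenVPN. The Go program below is an added example, not code from the thread, pfSense or OpenVPN: a constructed CA signs a leaf, and a chain verification that requires TLS server authentication succeeds only when the leaf carries the serverAuth extended key usage. It assumes the broken server cert was a user-style cert (EKU clientAuth only); the CNs and the CA are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error: inputs here are constructed and known-good
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl returns a minimal certificate template valid for one day.
func tmpl(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// mint signs template t as issued by parent using signer's key and returns the parsed cert.
func mint(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// BuildChain mints a constructed self-signed CA and a leaf it signed whose only EKU is leafEKU.
func BuildChain(leafEKU x509.ExtKeyUsage) (leaf, ca *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caT := tmpl("openvpn", 1) // CNs are constructed, echoing those in johnpoz's log
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca = mint(caT, caT, &caKey.PublicKey, caKey)
	leafT := tmpl("pfsenseopenvpn", 2)
	// serverAuth marks a server cert; clientAuth alone is a user cert installed in the server's place
	leafT.KeyUsage, leafT.ExtKeyUsage = x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{leafEKU}
	leaf = mint(leafT, ca, &leafKey.PublicKey, caKey)
	return leaf, ca
}

// VerifyAsServer mirrors the client's handshake check: chain to the trusted CA, leaf valid for serverAuth.
func VerifyAsServer(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Running VerifyAsServer on the clientAuth-only leaf returns an x509.CertificateInvalidError with reason IncompatibleUsage, the same class of failure the iOS client reported as a certificate handshake error.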

                  Most likely it wasn't… And you thought it was.. Not going to work with those 2 issues you described..


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.