OpenVPN iOS unable to connect with latest version (PolarSSL issue)
-
Since updating to the latest OpenVPN app on iOS (iPhone and iPad), version 1.0.7 build 199, I am unable to connect to my OpenVPN server on PFSense (2.3.1 Release on SG 2440). I've read on other sites that others are having similar issues, and OpenVPN folks seem to point to a certificate issue. But nothing has changed on my end. Here is the error I am getting:
2016-06-27 10:57:32 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed
2016-06-27 10:57:32 Client terminated, restarting in 2…
I have tried disabling "Minimum TLS version" in settings and also Force AES-CBC ciphersuites, which some had suggested on other sites. I am at a loss on what to fix in my certificate if that is truly the issue. There is not much in the server log, just this:
Jun 27 10:57:32 openvpn 19617 192.168.198.8:50016 Connection reset, restarting [0]
Jun 27 10:57:32 openvpn 19617 TCP connection established with [AF_INET]192.168.198.8:50016
Any suggestions from anyone? Thanks
-
For me it just works - same app on iPad, AES-256-CBC, SHA256.
Self-signed CA and Certificate.
-
I just looked on my phone and it's 1.0.5 build 177.. I don't show any updates for it.. But if I look on iTunes it shows 1.0.7.. Wonder why mine is not updating?
Happy to try and duplicate your problem.. But have to get updated to that build first ;)
edit: Ok just updated it to 1.0.7 build 199.. And connected just fine..
here is my log of the connection of a few minutes ago
2016-06-29 10:33:03 EVENT: RESOLVE
2016-06-29 10:33:03 Contacting 24.13.xxx.xxx:1194 via UDP
2016-06-29 10:33:03 EVENT: WAIT
2016-06-29 10:33:03 SetTunnelSocket returned 1
2016-06-29 10:33:03 Connecting to [24.13.xxx.xxx]:1194 (24.13.xxx.xxx) via UDPv4
2016-06-29 10:33:03 EVENT: CONNECTING
2016-06-29 10:33:03 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
2016-06-29 10:33:03 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
IV_VER=3.0.11
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
2016-06-29 10:33:03 VERIFY OK: depth=1
cert. version : 3
serial number : 00
issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
issued on : 2015-01-10 14:15:11
expires on : 2025-01-07 14:15:11
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
2016-06-29 10:33:03 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=openvpn
subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.tld, CN=pfsenseopenvpn
issued on : 2015-01-10 14:15:12
expires on : 2025-01-07 14:15:12
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2016-06-29 10:33:04 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2016-06-29 10:33:04 Session is ACTIVE
2016-06-29 10:33:04 EVENT: GET_CONFIG
2016-06-29 10:33:04 Sending PUSH_REQUEST to server...
2016-06-29 10:33:04 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [192.168.9.0] [255.255.255.0]
2 [route] [192.168.2.0] [255.255.255.0]
3 [route] [192.168.3.0] [255.255.255.0]
4 [dhcp-option] [DOMAIN] [local.lan]
5 [dhcp-option] [DNS] [192.168.9.253]
6 [route-gateway] [10.0.200.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [60]
10 [ifconfig] [10.0.200.2] [255.255.255.0]
2016-06-29 10:33:04 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA256
compress: LZO
peer ID: -1
2016-06-29 10:33:04 EVENT: ASSIGN_IP
2016-06-29 10:33:04 Connected via tun
2016-06-29 10:33:04 EVENT: CONNECTED @24.13.xxx.xxx:1194 (24.13.xxx.xxx) via /UDPv4 on tun/10.0.200.2/
2016-06-29 10:33:04 LZO-ASYM init swap=0 asym=0
2016-06-29 10:33:04 SetStatus Connected
-
Any suggestions here? We have not been able to connect for a month now! There is virtually nothing on the internet about this specific error (there is a lot about other PolarSSL though). I am at a loss on how to resolve…
-
I had to re-export my profile but that could have been 1 of 100 things I might have changed since the last time I used it. I was stupid and didn't try it before I updated from 1.0.5.
I guess PM me the certificate export for the cert you are using for the server and the CA that signed it. No private keys, just the certs. And maybe the client certificate if you're using them.
And the connection logs from the server and the OpenVPN client.
-
Thank you. PM Sent
-
OK, this is now working thanks to the help of Derelict. The issue was my certificate in my VPN Server had two problems: 1) It was not a server cert 2) It did not have the same CN as my user cert. I fixed these and now it is working. Why it worked before, not sure.
-
Most likely it wasn't… And you thought it was.. Not going to work with those 2 issues you described..
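
The first problem named in the resolution above (the server's certificate "was not a server cert") can be checked with OpenSSL before any client connects. This is an added example, not part of the thread: it builds a throwaway CA with one serverAuth and one clientAuth certificate (all file names and subjects are constructed) and tests each with `openssl verify -purpose sslserver`.

```shell
# Added example. The CA, keys and certificates are throwaway lab files
# constructed here; they are not the certificates discussed in the thread.

# is_server_cert CA CERT: succeeds only if CERT chains to CA and OpenSSL
# accepts it for the "sslserver" purpose (EKU, nsCertType, keyUsage).
is_server_cert() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# show_eku CERT: print the Extended Key Usage value of CERT.
show_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# make_lab DIR: create a CA plus two leaf certificates that differ in EKU.
make_lab() {
    d=$1
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = lab
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[server]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[user]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/lab.cnf" -extensions ca \
        -subj "/CN=lab-ca" -days 30 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for kind in server user; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
            -subj "/CN=lab-$kind" -keyout "$d/$kind.key" -out "$d/$kind.csr" 2>/dev/null
        openssl x509 -req -in "$d/$kind.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 30 -extfile "$d/lab.cnf" -extensions "$kind" \
            -out "$d/$kind.crt" 2>/dev/null
    done
}

lab=$(mktemp -d) && make_lab "$lab"
for c in server user; do
    is_server_cert "$lab/ca.crt" "$lab/$c.crt" && r=accepted || r=rejected
    echo "$c.crt: EKU='$(show_eku "$lab/$c.crt")' -> $r as TLS server certificate"
done
```

To check a real deployment, call `is_server_cert` with the exported CA and server certificate files; the accepted case corresponds to the "ext key usage : TLS Web Server Authentication" line in the working client log earlier in the thread.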