Upgrade to pfsense 2.3.5 (nanobsd) causes TLS authentication errors



  • I have an (aging) ALIX i386 nanobsd firewall that has been working correctly on 2.3.4, but on upgrading to 2.3.5 the road-warrior clients can no longer connect. I'm using self-generated certificates and the UDP protocol on port 1194.

    The errors in the log look like this:

    Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS handshake failed
    Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS object -> incoming plaintext read error
    Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS_ERROR: BIO read tls_read_plaintext error
    Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    Nov 22 15:54:04  openvpn  14950  Initialization Sequence Completed

    If I change the Server Mode to "Remote Access (SSL/TLS)" instead of "Remote Access (SSL/TLS) + User Auth" AND also change the certificate depth to "Do not check" instead of "One (Client+Server)" then the users can connect. Obviously I'm not happy with this reduced level of security, but it's a workaround for now.

    As it was working properly before the upgrade I'm wondering what's changed? Have I missed something or is there a bug lurking?

    (My medium term solution is to replace this with newer hardware and run 2.4.x, but that won't be for a couple of months so I'd like to fix this if possible)

    Thanks in advance.
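The chain-depth check that the "Certificate Depth" setting in the post above is tuning, as an added shell example. This is not pfSense's own ovpn_auth_verify script and not code from the post: it is a minimal stand-in for the command OpenVPN runs via --tls-verify, which is invoked once per certificate in the peer's chain with the depth as the first argument and the X.509 subject as the second, and whose non-zero exit rejects the handshake (the "Failed running command (--tls-verify script)" line in the log). The mapping of the GUI value "One (Client+Server)" onto MAX_DEPTH=1, and the chain subjects, are assumptions made for illustration; the chains are constructed sample data.

```shell
#!/bin/sh
# Added example, not pfSense's ovpn_auth_verify: a minimal OpenVPN --tls-verify
# handler that enforces a maximum certificate chain depth.
#
# OpenVPN runs the --tls-verify command once for every certificate in the peer's
# chain, from the root down to the peer's own certificate, with two arguments:
#   $1  depth   (0 = the peer's own certificate, 1 = its issuer, 2 = the next CA up)
#   $2  X.509 subject of the certificate being checked
# Any non-zero exit rejects the whole handshake.

# check_depth MAX DEPTH SUBJECT: return 0 to accept, 1 to reject.
# MAX=1 is assumed here to correspond to the pfSense value "One (Client+Server)";
# a three-level PKI (root -> issuing CA -> client) presents the root at depth 2
# and is therefore rejected at MAX=1, which is the failure mode worth testing.
check_depth() {
    max="$1"
    depth="$2"
    subject="$3"
    case "$depth" in
        ''|*[!0-9]*)
            echo "tls-verify: malformed depth '$depth' for '$subject'" >&2
            return 1 ;;
    esac
    if [ "$depth" -gt "$max" ]; then
        echo "tls-verify: depth $depth exceeds maximum $max for '$subject'" >&2
        return 1
    fi
    return 0
}

# verify_chain MAX CHAIN: CHAIN is newline-separated "DEPTH|SUBJECT" records.
# Runs check_depth over the whole chain the way OpenVPN would, stopping at the
# first rejection; the pipeline's status is the status of the loop subshell.
verify_chain() {
    max="$1"
    chain="$2"
    printf '%s\n' "$chain" | while IFS='|' read -r depth subject; do
        [ -n "$depth" ] || continue
        check_depth "$max" "$depth" "$subject" || exit 1
    done
}

# When OpenVPN invokes this script it passes depth and subject as arguments;
# in that case act as the real hook and exit with the check's status.
if [ "$#" -ge 2 ]; then
    check_depth "${MAX_DEPTH:-1}" "$1" "$2"
    exit $?
fi

# Constructed sample chains (not taken from the original post).
TWO_LEVEL='1|CN=vpn-ca
0|CN=client1'
THREE_LEVEL='2|CN=root-ca
1|CN=issuing-ca
0|CN=client1'

# Demonstration when run without arguments.
verify_chain 1 "$TWO_LEVEL"   && echo "two-level chain, max depth 1: accepted"
verify_chain 1 "$THREE_LEVEL" || echo "three-level chain, max depth 1: rejected"
verify_chain 2 "$THREE_LEVEL" && echo "three-level chain, max depth 2: accepted"
```

Run it without arguments to see the three outcomes; install it as a --tls-verify command (with MAX_DEPTH exported) to have it act as the hook. The useful diagnostic in the failing case is the stderr line naming the subject and depth that tripped the limit, which the OpenVPN log in the post does not show.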



  • I have a similar issue on an x86 which I have posted about in the forum before.
    For me the issue is only certificate depth checking… have this issue on 3 VMs.

    Anyone taking notice of this?
    Best regards,
    V