    Upgrade to pfsense 2.3.5 (nanobsd) causes TLS authentication errors

    Category: OpenVPN
    2 Posts 2 Posters 584 Views
    benbeka

      I have an (aging) ALIX i386 nanobsd firewall that has been working correctly on 2.3.4, but on upgrading to 2.3.5 the roadwarrior clients can no longer connect. I'm using self generated certificates and the UDP protocol on port 1194.

      The errors in the logs look like this:

      
      Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS handshake failed
      Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS object -> incoming plaintext read error
      Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS_ERROR: BIO read tls_read_plaintext error
      Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      Nov 22 15:54:04  openvpn  14950  Initialization Sequence Completed


      If I change the Server Mode to "Remote Access (SSL/TLS)" instead of "Remote Access (SSL/TLS) + User Auth" AND also change the certificate depth to "Do not check" instead of "One (Client+Server)" then the users can connect. Obviously I'm not happy with this reduced level of security, but it's a workaround for now.

      As it was working properly before the upgrade I'm wondering what's changed? Have I missed something or is there a bug lurking?

      (My medium term solution is to replace this with newer hardware and run 2.4.x, but that won't be for a couple of months so I'd like to fix this if possible)

      Thanks in advance.

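Added example, not part of the forum thread and not pfSense or OpenVPN code: a small Python triage script run over log lines constructed to mirror the excerpt in the post above. The pfSense log viewer lists newest entries first, which makes "TLS handshake failed" look like the headline; the script restores chronological order, groups messages by peer address, and reports the first recognised failure for each peer. On the constructed input that is the `--tls-verify script` exit status 1, which is the script pfSense runs to apply the Certificate Depth setting, consistent with the poster's observation that setting depth to "Do not check" lets clients connect. The log column layout and the message-to-label mapping in `SIGNATURES` are this example's assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the pfSense 2.3.x OpenVPN log excerpt in the post.
# Columns: timestamp, process, pid, message; the pfSense log viewer shows newest first.
SAMPLE_LOG = """\
Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS handshake failed
Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS Error: TLS object -> incoming plaintext read error
Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 TLS_ERROR: BIO read tls_read_plaintext error
Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov 22 15:54:13  openvpn  14950  xxx.xxx.xxx.xxx:13179 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Nov 22 15:54:04  openvpn  14950  Initialization Sequence Completed
"""

# Assumed line layout (tabs or runs of spaces between columns both match).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
# Per-peer messages are prefixed with "host:port "; server-level ones are not.
PEER_RE = re.compile(r"^(?P<peer>\S+:\d+)\s+(?P<msg>.*)$")

# Labels are this example's interpretation of the messages, not OpenVPN wording.
SIGNATURES = [
    ("tls-verify script rejected the client certificate (pfSense certificate depth check)",
     re.compile(r"Failed running command \(--tls-verify script\)")),
    ("OpenSSL rejected the client certificate chain (no certificate returned)",
     re.compile(r"SSL3_GET_CLIENT_CERTIFICATE:no certificate returned")),
    ("TLS handshake failed (consequence, not cause)",
     re.compile(r"TLS Error: TLS handshake failed")),
]


def parse_line(line):
    """Split one log line into (timestamp, pid, peer, message).

    peer is None for server-level messages such as
    'Initialization Sequence Completed'. Returns None for unparseable lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    msg = m.group("msg")
    peer = None
    pm = PEER_RE.match(msg)
    if pm:
        peer, msg = pm.group("peer"), pm.group("msg")
    return m.group("ts"), int(m.group("pid")), peer, msg


def classify(message):
    """Return the signature label matching message, or None if unrecognised."""
    for label, pattern in SIGNATURES:
        if pattern.search(message):
            return label
    return None


def triage(log_text, newest_first=True):
    """Group messages by peer in chronological order and record, per peer,
    the first recognised failure as that peer's root cause."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()  # restore the order in which openvpn emitted them
    report = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, peer, msg = parsed
        key = peer or "server"
        entry = report.setdefault(key, {"events": [], "root_cause": None})
        entry["events"].append((ts, msg))
        if entry["root_cause"] is None:
            entry["root_cause"] = classify(msg)
    return report


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(f"{peer}: {info['root_cause'] or 'no failure recognised'}")
        for ts, msg in info["events"]:
            print(f"  {ts}  {msg}")
```

Reading the per-peer event list top to bottom gives the real sequence: the verify script returns 1, OpenSSL then reports the client certificate as not acceptable, and the three "TLS Error" lines are the handshake unwinding. When triaging a report like this one, the setting to inspect first is therefore whatever feeds that script (certificate depth, and the issuing chain of the client certificate), not the TLS layer.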
      v0lZy

        I have a similar issue on an x86 which I have posted about in the forum before.
        For me the issue is only certificate depth checking... I have this issue on 3 VMs.

        Anyone taking notice of this?
        Best regards,
        V

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.