When Certificate Revocation List is defined in openvpnserver clients get 'TLS key negotiation failed to occur within 60 seconds'
-
Community edition 2.6.0-RELEASE (amd64)
If the OpenVPN server has any value except 'none' defined for the certificate revocation list then clients get this:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Server openlog says -
OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
VERIFY ERROR: depth=0, error=CRL has expired: CN=xxx, C=US, ST=xx, L=xxxx, O=xxx, serial=2
TLS Error: TLS handshake failed
Error: TLS object -> incoming plaintext read error
TLS_ERROR: BIO read tls_read_plaintext error
I have tried recreating a second certificate revocation list but still see this issue. This was not an issue I have seen prior to updating to pfSense 2.6.
For now the work-around method I have been having to use is to leave the certificate revocation setting to "none" and delete revoked certificates from the Certificate Manager to prevent unauthorized access.
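As an added diagnostic example (not from the original post, and not pfSense or OpenVPN code), the script below builds a throwaway CA, a client certificate and a one-day CRL with openssl, prints the CRL's validity window, and then runs the equivalent CRL-checked chain verification once now and once three days later, which reproduces the "CRL has expired" verify error from the server log above. All names, paths and the one-day CRL lifetime are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the "CRL has expired" verify error with a constructed CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: 'openssl ca -gencrl' needs a database and a CRL number;
# serial/new_certs_dir are included only so the same section also works for signing.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
database         = index.txt
crlnumber        = crlnumber
serial           = serial
new_certs_dir    = .
default_md       = sha256
default_crl_days = 1
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt
echo 1000 > crlnumber
echo 01 > serial

# Constructed CA, client certificate, and a CRL that is valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -keyout ca.key -out ca.crt \
    -subj /CN=ConstructedTestCA -days 3650 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 -keyout client.key -out client.csr \
    -subj /CN=client1 -config ca.cnf >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -out client.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -crldays 1 \
    -out ca.crl >/dev/null 2>&1

# The CRL's nextUpdate is the first thing to check on a server logging "CRL has expired".
openssl crl -in ca.crl -noout -lastupdate -nextupdate

# crl_check_at EPOCH: verify the client cert against CA + CRL as of the given time,
# i.e. the same CRL-checked chain validation a crl-verify server performs.
# Returns 0 when the certificate passes, non-zero otherwise.
crl_check_at() {
    openssl verify -attime "$1" -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt
}

NOW=$(date +%s)
crl_check_at "$NOW"                        # client.crt: OK
crl_check_at $((NOW + 3 * 86400)) || true  # error ... CRL has expired
```

The second check fails even though the client certificate itself is still valid, because the CRL's nextUpdate has passed; regenerating the CRL (or lengthening its lifetime) is what clears the error, not reissuing the certificate.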
-
@nospam
Maybe this helps: https://redmine.pfsense.org/issues/13424