1. Home
  2. pfSense® Software
  3. Retired
  4. 2.0-RC Snapshot Feedback and Problems - RETIRED
  5. OpenVPN asking for user Cert in ldap (user / pass) mode?

OpenVPN asking for user Cert in ldap (user / pass) mode?

  • W

    All:

    When running in ldap user / pass mode, I am unable to connect and the openvpn logs show:

    openvpn[44818]: 32.163.191.169:3478 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

    If I use local mode and use key /user / pass, everything works fine.

    This ih happening on the latest build as of this posting.

    also, where is the openvpn conf file stored on pfaense?

    FYI:  this is amd64.

    Thanks,

    0
  • W

    Here's some more info.

    the OpenVPN Server conf is:

    
dev ovpns2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 1.2.3.4
tls-server
server 192.168.242.0 255.255.254.0
client-config-dir /var/etc/openvpn-csc
client-cert-not-required
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
lport 1195
management /var/etc/openvpn/server2.sock unix
max-clients 100
push "route 192.168.0.0 255.255.0.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo

    The client conf is:

    
dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote 1.2.3.4 1195
auth-user-pass
ca firewall-TCP-1195-ca.crt
tls-auth firewall-TCP-1195-tls.key 1
comp-lzo

    FY/i:  I'm using the nonstandard port 1195 because a have a working instance (local auth with cert) running on 1194 so I can get back in to troubleshoot.

    From the above, I see that a cert should not be required (client-cert-not-required).  That stated, I am unaware why I see the following log sequence when attempting to connect.

    Open VPN log:

    
Feb 7 19:00:15 	openvpn[10095]: Re-using SSL/TLS context
Feb 7 19:00:15 	openvpn[10095]: LZO compression initialized
Feb 7 19:00:15 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:41648
Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link local: [undef]
Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]71.203.129.198:41648
Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS object -> incoming plaintext read error
Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS handshake failed
Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 Fatal TLS error (check_tls_errors_co), restarting
Feb 7 19:00:21 	openvpn[10095]: Re-using SSL/TLS context
Feb 7 19:00:21 	openvpn[10095]: LZO compression initialized
Feb 7 19:00:21 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:4178
Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link local: [undef]
Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]5.6.7.8:4178
Feb 7 19:00:21 	openvpn[10095]: 5.6.7.8:4178 Connection reset, restarting [0]

    Also, I have done a diag -> authentication successfully, so I don't believe my ldap configuration is the issue

    Any help would be appreciated!

    Thanks all.

    0
  • C

    missing something in your client config. Did you use the client export?

    configs on the firewall are in  /var/etc/openvpn/*

    0
  • W

    Thanks.   I found the path ( I always forget /var for some reason)

    Yes I used the client export package, and I just recreated a new OpenVpn Service using udp and received the following in the ovpn file using client export.

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1.2.3.4 1195
    auth-user-pass
    ca firewall-udp-1195-ca.crt
    tls-auth firewall-udp-1195-tls.key 1
    comp-lzo

    I'm going to go head off to the openVPN site to see if I can figure it out, but if you could post what's missing in the client config, that would be great.

    If it helps, here's my working client config:

    dev tun
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1.2.3.4 1194
    auth-user-pass
    pkcs12 firewall-TCP-1194.p12
    tls-auth firewall-TCP-1194-tls.key 1
    comp-lzo

    Thanks for the help.

    0
  • C

    Compare the contents of the CA cert the server and client are using, and the TLS key.

    0
  • W

    I believe the  CA CRT and TLS keys match

    here's what I did:

    CA:
    I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the CA CRT via System: Certificate Authority Manager.  I then hashed each.

    2AE9EC4FE11B22B465B87FE5ECD1445A020012CB – System: Certificate Authority Manager
    2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- OpenVPN: Client Export Utility

    TLS Key
    I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the TLS Key via OpenVpPN server: Cryptographic Settings -> TLS Authentication text box.  I then hashed each.

    273278FA506EE49E05B8D9FF1693F34C2C48200C -- System: Certificate Authority Manager
    273278FA506EE49E05B8D9FF1693F34C2C48200C -- OpenVPN: Client Export Utility

    Then retesting the connection, I receive the following in the logs.

    Client:

    
Tue Feb 08 09:14:09 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Tue Feb 08 09:15:14 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Feb 08 09:15:14 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 08 09:15:14 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 08 09:15:14 2011 Control Channel Authentication: using 'firewall-udp-1194-tls.key' as a OpenVPN static key file
Tue Feb 08 09:15:14 2011 LZO compression initialized
Tue Feb 08 09:15:14 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb 08 09:15:14 2011 UDPv4 link remote: 1.2.3.4:1194
Tue Feb 08 09:15:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 08 09:16:15 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 08 09:16:15 2011 TLS Error: TLS handshake failed
Tue Feb 08 09:16:15 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 08 09:16:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Feb 08 09:16:17 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 08 09:16:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 08 09:16:17 2011 Re-using SSL/TLS context
Tue Feb 08 09:16:17 2011 LZO compression initialized
Tue Feb 08 09:16:17 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb 08 09:16:17 2011 UDPv4 link remote: 1.2.3.4:1194
Tue Feb 08 09:16:17 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 08 09:16:28 2011 SIGTERM[hard,] received, process exiting

    Server

    
Feb 8 08:58:26 	openvpn[33499]: event_wait : Interrupted system call (code=4)
Feb 8 08:58:26 	openvpn[33499]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
Feb 8 08:58:26 	openvpn[33499]: SIGTERM[hard,] received, process exiting
Feb 8 08:58:27 	openvpn[6006]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
Feb 8 08:58:27 	openvpn[6006]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 8 08:58:27 	openvpn[6006]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Feb 8 08:58:27 	openvpn[6006]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 8 08:58:27 	openvpn[6006]: TUN/TAP device /dev/tun1 opened
Feb 8 08:58:27 	openvpn[6006]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 8 08:58:27 	openvpn[6006]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
Feb 8 08:58:27 	openvpn[6006]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
Feb 8 08:58:27 	openvpn[10812]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
Feb 8 08:58:27 	openvpn[10812]: UDPv4 link remote: [undef]
Feb 8 08:58:27 	openvpn[10812]: Initialization Sequence Completed
Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 Re-using SSL/TLS context
Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 LZO compression initialized
Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS object -> incoming plaintext read error
Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS handshake failed
Feb 8 09:14:38 	openvpn[10812]: event_wait : Interrupted system call (code=4)
Feb 8 09:14:38 	openvpn[10812]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
Feb 8 09:14:38 	openvpn[10812]: SIGTERM[hard,] received, process exiting
Feb 8 09:14:39 	openvpn[12199]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
Feb 8 09:14:39 	openvpn[12199]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 8 09:14:39 	openvpn[12199]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Feb 8 09:14:39 	openvpn[12199]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 8 09:14:39 	openvpn[12199]: TUN/TAP device /dev/tun1 opened
Feb 8 09:14:39 	openvpn[12199]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 8 09:14:39 	openvpn[12199]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
Feb 8 09:14:39 	openvpn[12199]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
Feb 8 09:14:39 	openvpn[13385]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
Feb 8 09:14:39 	openvpn[13385]: UDPv4 link remote: [undef]
Feb 8 09:14:39 	openvpn[13385]: Initialization Sequence Completed
Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 Re-using SSL/TLS context
Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 LZO compression initialized
Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS object -> incoming plaintext read error
Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS handshake failed

    Also, I tried disabling TLS Authentication and received the same results.

    0
  • S

    Hi,

    i got exact same issue after update to snapshot built on Tue Feb 8 05:33:31 EST 2011.

    TLS Keys match.

    I tryed a new configuration via wizard and client export utility but always same error occurs.

    TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

    EDIT:

    Server option "client-cert-not-required" seems to be ignored. Error still there.

    EDIT2:

    i switched back to an older snapshot (built on Thu Jan 20 19:54:38 EST 2011) and it works fine for me.

    cya

    0
  • C

    hmm, yeah that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done a LDAP OpenVPN setup and it worked fine, I'll try it again as soon as I have a chance.

    0
  • W

    @cmb:

    hmm, yeah that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done a LDAP OpenVPN setup and it worked fine, I'll try it again as soon as I have a chance.

    Any progress on this (no rush from my standpoint)?    I can open a bug if you prefer so this issue doesn't get "lost".
    Thanks again.

    0
  • C

    this should be fixed in newer snapshots, believe it was OpenVPN version-related.

    0
  • W

    I can confirm the current snapshot is corrected and is functioning properly on the A64 build.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy