OpenVPN asking for user Cert in ldap (user / pass) mode?



  • All:

    When running in ldap user / pass mode, I am unable to connect and the openvpn logs show:

    openvpn[44818]: 32.163.191.169:3478 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

    If I use local mode and use key /user / pass, everything works fine.

    This is happening on the latest build as of this posting.

    Also, where is the OpenVPN conf file stored on pfSense?

    FYI:  this is amd64.

    Thanks,



  • Here's some more info.

    The OpenVPN server conf is:

    
    dev ovpns2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 1.2.3.4
    tls-server
    server 192.168.242.0 255.255.254.0
    client-config-dir /var/etc/openvpn-csc
    client-cert-not-required
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    max-clients 100
    push "route 192.168.0.0 255.255.0.0"
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    
    

    The client conf is:

    
    dev tun
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1.2.3.4 1195
    auth-user-pass
    ca firewall-TCP-1195-ca.crt
    tls-auth firewall-TCP-1195-tls.key 1
    comp-lzo
    
    

    FYI: I'm using the nonstandard port 1195 because I have a working instance (local auth with cert) running on 1194 so I can get back in to troubleshoot.

    From the above, I see that a cert should not be required (client-cert-not-required).  That stated, I am unaware why I see the following log sequence when attempting to connect.

    Open VPN log:

    
    Feb 7 19:00:15 	openvpn[10095]: Re-using SSL/TLS context
    Feb 7 19:00:15 	openvpn[10095]: LZO compression initialized
    Feb 7 19:00:15 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:41648
    Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link local: [undef]
    Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]71.203.129.198:41648
    Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS object -> incoming plaintext read error
    Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS handshake failed
    Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 Fatal TLS error (check_tls_errors_co), restarting
    Feb 7 19:00:21 	openvpn[10095]: Re-using SSL/TLS context
    Feb 7 19:00:21 	openvpn[10095]: LZO compression initialized
    Feb 7 19:00:21 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:4178
    Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link local: [undef]
    Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]5.6.7.8:4178
    Feb 7 19:00:21 	openvpn[10095]: 5.6.7.8:4178 Connection reset, restarting [0]
    
    

    Also, I have done a diag -> authentication successfully, so I don't believe my LDAP configuration is the issue.

    Any help would be appreciated!

    Thanks all.



  • Missing something in your client config. Did you use the client export?

    Configs on the firewall are in /var/etc/openvpn/*



  • Thanks. I found the path (I always forget /var for some reason).

    Yes, I used the client export package, and I just recreated a new OpenVPN service using UDP and received the following in the ovpn file using client export.

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1.2.3.4 1195
    auth-user-pass
    ca firewall-udp-1195-ca.crt
    tls-auth firewall-udp-1195-tls.key 1
    comp-lzo

    I'm going to head off to the OpenVPN site to see if I can figure it out, but if you could post what's missing in the client config, that would be great.

    If it helps, here's my working client config:

    dev tun
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-256-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1.2.3.4 1194
    auth-user-pass
    pkcs12 firewall-TCP-1194.p12
    tls-auth firewall-TCP-1194-tls.key 1
    comp-lzo

    Thanks for the help.



  • Compare the contents of the CA cert the server and client are using, and the TLS key.



  • I believe the CA CRT and TLS keys match.

    here's what I did:

    CA:
    I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the CA CRT via System: Certificate Authority Manager.  I then hashed each.

    2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- System: Certificate Authority Manager
    2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- OpenVPN: Client Export Utility

    TLS Key
    I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the TLS Key via OpenVPN server: Cryptographic Settings -> TLS Authentication text box.  I then hashed each.

    273278FA506EE49E05B8D9FF1693F34C2C48200C -- System: Certificate Authority Manager
    273278FA506EE49E05B8D9FF1693F34C2C48200C -- OpenVPN: Client Export Utility

    Then retesting the connection, I receive the following in the logs.

    Client:

    
    Tue Feb 08 09:14:09 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
    Tue Feb 08 09:15:14 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Feb 08 09:15:14 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Tue Feb 08 09:15:14 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Feb 08 09:15:14 2011 Control Channel Authentication: using 'firewall-udp-1194-tls.key' as a OpenVPN static key file
    Tue Feb 08 09:15:14 2011 LZO compression initialized
    Tue Feb 08 09:15:14 2011 UDPv4 link local (bound): [undef]:1194
    Tue Feb 08 09:15:14 2011 UDPv4 link remote: 1.2.3.4:1194
    Tue Feb 08 09:15:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Feb 08 09:16:15 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Feb 08 09:16:15 2011 TLS Error: TLS handshake failed
    Tue Feb 08 09:16:15 2011 SIGUSR1[soft,tls-error] received, process restarting
    Tue Feb 08 09:16:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Feb 08 09:16:17 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Tue Feb 08 09:16:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue Feb 08 09:16:17 2011 Re-using SSL/TLS context
    Tue Feb 08 09:16:17 2011 LZO compression initialized
    Tue Feb 08 09:16:17 2011 UDPv4 link local (bound): [undef]:1194
    Tue Feb 08 09:16:17 2011 UDPv4 link remote: 1.2.3.4:1194
    Tue Feb 08 09:16:17 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Feb 08 09:16:28 2011 SIGTERM[hard,] received, process exiting
    
    

    Server

    
    Feb 8 08:58:26 	openvpn[33499]: event_wait : Interrupted system call (code=4)
    Feb 8 08:58:26 	openvpn[33499]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
    Feb 8 08:58:26 	openvpn[33499]: SIGTERM[hard,] received, process exiting
    Feb 8 08:58:27 	openvpn[6006]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
    Feb 8 08:58:27 	openvpn[6006]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 8 08:58:27 	openvpn[6006]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Feb 8 08:58:27 	openvpn[6006]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Feb 8 08:58:27 	openvpn[6006]: TUN/TAP device /dev/tun1 opened
    Feb 8 08:58:27 	openvpn[6006]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Feb 8 08:58:27 	openvpn[6006]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
    Feb 8 08:58:27 	openvpn[6006]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
    Feb 8 08:58:27 	openvpn[10812]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
    Feb 8 08:58:27 	openvpn[10812]: UDPv4 link remote: [undef]
    Feb 8 08:58:27 	openvpn[10812]: Initialization Sequence Completed
    Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 Re-using SSL/TLS context
    Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 LZO compression initialized
    Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS object -> incoming plaintext read error
    Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS handshake failed
    Feb 8 09:14:38 	openvpn[10812]: event_wait : Interrupted system call (code=4)
    Feb 8 09:14:38 	openvpn[10812]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
    Feb 8 09:14:38 	openvpn[10812]: SIGTERM[hard,] received, process exiting
    Feb 8 09:14:39 	openvpn[12199]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
    Feb 8 09:14:39 	openvpn[12199]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 8 09:14:39 	openvpn[12199]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Feb 8 09:14:39 	openvpn[12199]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Feb 8 09:14:39 	openvpn[12199]: TUN/TAP device /dev/tun1 opened
    Feb 8 09:14:39 	openvpn[12199]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Feb 8 09:14:39 	openvpn[12199]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
    Feb 8 09:14:39 	openvpn[12199]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
    Feb 8 09:14:39 	openvpn[13385]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
    Feb 8 09:14:39 	openvpn[13385]: UDPv4 link remote: [undef]
    Feb 8 09:14:39 	openvpn[13385]: Initialization Sequence Completed
    Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 Re-using SSL/TLS context
    Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 LZO compression initialized
    Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS object -> incoming plaintext read error
    Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS handshake failed
    
    

    Also, I tried disabling TLS Authentication and received the same results.
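An added checker (written here, not code from the thread or from pfSense) that ties together the two things compared above: it parses a server and client config, picks the `peer did not return a certificate` lines out of the server log, and reports whether the client config really lacks a cert or, as in this thread, the server has `client-cert-not-required` and is not honouring it. The configs and log line are constructed to match the thread's shape; `verify-client-cert` is the later (OpenVPN 2.4+) spelling of the same option, and the hash comparison normalises CRLF so a Windows-exported file hashes the same as the server's copy.

```python
import hashlib
import re

# Constructed sample inputs shaped like the thread's configs and log (not the poster's files).
SERVER_CONF = """tls-server
client-cert-not-required
ca /var/etc/openvpn/server2.ca
tls-auth /var/etc/openvpn/server2.tls-auth 0
"""
CLIENT_CONF = """client
auth-user-pass
ca firewall-TCP-1195-ca.crt
"""
SERVER_LOG = """Feb 7 19:00:16 openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Feb 7 19:00:16 openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS handshake failed
"""
NO_CERT_RE = re.compile(r"openvpn\[\d+\]: (?P<peer>[\d.]+:\d+) .*peer did not return a certificate")

def parse_conf(text):
    """Map each OpenVPN directive to its argument list, ignoring '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def server_requires_cert(opts):
    """True if the server config, as written, demands a client certificate."""
    if "client-cert-not-required" in opts:                 # spelling used by OpenVPN 2.1-2.3
        return False
    return opts.get("verify-client-cert", ["require"]) != ["none"]  # OpenVPN 2.4+ spelling

def diagnose(server_conf, client_conf, server_log):
    """Classify 'peer did not return a certificate' failures from config plus log."""
    s, c = parse_conf(server_conf), parse_conf(client_conf)
    peers = sorted({m["peer"] for m in NO_CERT_RE.finditer(server_log)})
    if not peers:
        return "ok", peers
    if not server_requires_cert(s):
        return "server-ignores-option", peers   # the thread's case: option present, not honoured
    if not any(k in c for k in ("cert", "pkcs12")):
        return "client-config", peers           # client really has no cert to present
    return "other", peers

def same_material(a, b):
    """Compare CA/TLS-key files like the thread did, tolerant of CRLF from a Windows export."""
    digest = lambda t: hashlib.sha256(t.replace(b"\r\n", b"\n")).hexdigest()
    return digest(a) == digest(b)
```

A "server-ignores-option" result with matching CA and TLS key material is exactly the pattern that pointed to the server build rather than the configs in this thread.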



  • Hi,

    I got the exact same issue after updating to the snapshot built on Tue Feb 8 05:33:31 EST 2011.

    TLS keys match.

    I tried a new configuration via the wizard and client export utility, but the same error always occurs.

    TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

    EDIT:

    Server option "client-cert-not-required" seems to be ignored. Error still there.

    EDIT2:

    I switched back to an older snapshot (built on Thu Jan 20 19:54:38 EST 2011) and it works fine for me.

    cya



  • Hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine, I'll try it again as soon as I have a chance.



  • @cmb:

    hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine, I'll try it again as soon as I have a chance.

    Any progress on this (no rush from my standpoint)? I can open a bug if you prefer so this issue doesn't get "lost".
    Thanks again.



  • This should be fixed in newer snapshots; I believe it was OpenVPN version-related.



  • I can confirm the current snapshot is corrected and is functioning properly on the A64 build.

