Server certificate verification
-
Hi everyone, I have a problem with my OpenVPN connection. I used pfSense 2.0 BETA 5 and the GUI to export a package containing everything a user needs to connect.
It works, the connection is made, but I have a warning:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
I tried to do what I found in the documentation by adding the ns-cert-type server option to the config file, but I get an SSL error with it:
Wed Feb 09 11:44:45 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Feb 09 11:44:45 2011 TLS Error: TLS object -> incoming plaintext read error
Wed Feb 09 11:44:45 2011 TLS Error: TLS handshake failed
Wed Feb 09 11:44:45 2011 Fatal TLS error (check_tls_errors_co), restarting
Wed Feb 09 11:44:45 2011 SIGUSR1[soft,tls-error] received, process restarting

What is the problem with the server certificate verification?
Thanks
-
It failed ;)
Did you install the CA certificate on the clients? Did you ensure that the config file contains a line about it?
-
Here is the list of files that are in my config directory :
pfsense-TCP-443.ovpn
pfsense-TCP-443.p12
pfsense-TCP-443-ca.crt
pfsense-TCP-443-tls.key

And this is my config file:

dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 82.XX.XX.XX 443
pkcs12 pfsense-TCP-443.p12
comp-lzo
-
There should also be lines there about the CA certificate and the TLS key. Something like:
ca pfsense-TCP-443-ca.crt
tls-auth pfsense-TCP-443-tls.key 1

I can highly recommend reading the documentation.
-
Thanks for your answer. I have read the documentation many times, but there are a lot of parameters, and when I tried the recommended one nothing worked anymore.
I tried this parameter, which I found in the documentation, to verify the server certificate:
remote-cert-tls server
But I get an SSL error with it.
Fri Feb 11 10:41:47 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Feb 11 10:41:47 2011 TLS Error: TLS object -> incoming plaintext read error
Fri Feb 11 10:41:47 2011 TLS Error: TLS handshake failed
Fri Feb 11 10:41:47 2011 Fatal TLS error (check_tls_errors_co), restarting
Fri Feb 11 10:41:47 2011 SIGUSR1[soft,tls-error] received, process restarting
-
@Cry:
There should also be lines there about the CA certificate and the TLS key. Something like:
ca pfsense-TCP-443-ca.crt
tls-auth pfsense-TCP-443-tls.key 1

Have you added those lines to your client configuration file and restarted the client yet? Until you do at least the first you will continue to see those errors. The second is required if you've configured the server to use TLS.
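The complete client file that the two replies above describe: the configuration posted earlier in the thread plus the three lines that make server verification work. This is an added example, not a file from the original thread or from pfSense's exporter; the remote address is the placeholder as posted, and the file names are the ones listed above.

```conf
# Client configuration: the posted options plus server-verification lines.
client
dev tun
proto tcp-client
remote 82.XX.XX.XX 443        # placeholder address exactly as posted in the thread
resolv-retry infinite
persist-tun
persist-key
cipher AES-128-CBC
comp-lzo
tls-client

# Client certificate and private key from the exported bundle.
pkcs12 pfsense-TCP-443.p12

# CA that signed the server certificate. Without this trust anchor the
# client cannot validate any server certificate, so enabling verification
# (ns-cert-type or remote-cert-tls) fails with "certificate verify failed".
ca pfsense-TCP-443-ca.crt

# Shared HMAC key for tls-auth; the client uses key direction 1 when the
# server uses 0. Only needed if the server was configured with tls-auth.
tls-auth pfsense-TCP-443-tls.key 1

# Require the server certificate to be marked for server use. This clears the
# "No server certificate verification method has been enabled" warning and
# stops a client certificate from being accepted as a server; ns-cert-type
# server is the older form of the same check.
remote-cert-tls server
```

With the CA file and verification line in place, the TLS handshake log should no longer show SSL3_GET_SERVER_CERTIFICATE:certificate verify failed; if it still does, the CA file shipped to the client is not the one that issued the server certificate.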
-
EDIT:
removed
cya
-
@spiritbreaker, your error message is not the same as the one being discussed in this thread, please don't confuse matters.