Server certificate verification



  • Hi everyone, I have a problem with my OpenVPN connection. I used pfsense 2.0 BETA 5 and the GUI to export a package containing all a user needs to connect.

    It works, the connection is made, but I have a warning:

    WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

    I tried to do what I found in the documentation by adding the ns-cert-type server option to the config file, but I get an SSL error with it:

    Wed Feb 09 11:44:45 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Feb 09 11:44:45 2011 TLS Error: TLS object -> incoming plaintext read error
    Wed Feb 09 11:44:45 2011 TLS Error: TLS handshake failed
    Wed Feb 09 11:44:45 2011 Fatal TLS error (check_tls_errors_co), restarting
    Wed Feb 09 11:44:45 2011 SIGUSR1[soft,tls-error] received, process restarting

    What is the problem with the server certificate verification?

    Thanks



  • It failed ;)

    Did you install the CA certificate on the clients? Did you ensure that the config file contains a line about it?



  • Here is the list of files that are in my config directory:

    pfsense-TCP-443.ovpn
    pfsense-TCP-443.p12
    pfsense-TCP-443-ca.crt
    pfsense-TCP-443-tls.key

    And this is my config file:

    dev tun
    persist-tun
    persist-key
    proto tcp-client
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote 82.XX.XX.XX 443
    pkcs12 pfsense-TCP-443.p12
    comp-lzo
    


  • There should also be lines there about the CA certificate and the TLS key. Something like:

    ca pfsense-TCP-443-ca.crt
    tls-auth pfsense-TCP-443-tls.key 1

    I can highly recommend reading the documentation.



  • Thanks for your answer. I have read the documentation many times, but there are a lot of parameters, and when I tried the recommended one nothing worked anymore.

    I tried this parameter that I found in the documentation to verify the server certificate:

    remote-cert-tls server

    But I get an SSL error with it.

    Fri Feb 11 10:41:47 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Feb 11 10:41:47 2011 TLS Error: TLS object -> incoming plaintext read error
    Fri Feb 11 10:41:47 2011 TLS Error: TLS handshake failed
    Fri Feb 11 10:41:47 2011 Fatal TLS error (check_tls_errors_co), restarting
    Fri Feb 11 10:41:47 2011 SIGUSR1[soft,tls-error] received, process restarting
    


  • @Cry:

    There should also be lines there about the CA certificate and the TLS key. Something like:

    ca pfsense-TCP-443-ca.crt
    tls-auth pfsense-TCP-443-tls.key 1

    Have you added those lines to your client configuration file and restarted the client yet? Until you do at least the first, you will continue to see those errors. The second is required if you've configured the server to use TLS.
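    As an added illustration (not code from the thread or from pfSense), the check below lints an exported .ovpn profile for exactly the gaps discussed in this thread: a missing ca line, no server-certificate verification method (the MITM warning from the first post), and a missing or direction-less tls-auth line. It uses only the Python standard library and a constructed copy of the poster's profile as sample input.

```python
# Added example, not from the thread: lint an OpenVPN client profile for the
# server-verification gaps discussed above. Standard library only.
SERVER_CHECKS = ("remote-cert-tls", "remote-cert-eku", "verify-x509-name", "ns-cert-type")

def parse_profile(text):
    """Return {directive: [args, ...]} from an .ovpn body; inline <ca>...</ca> blocks count as 'ca'."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):                     # end of an inline blob
            in_block = False
            continue
        if line.startswith("<"):                      # start of an inline blob, e.g. <ca>
            in_block = True
            directives.setdefault(line.strip("<>"), []).append(["<inline>"])
            continue
        if in_block or not line or line[0] in "#;":   # skip blob contents and comments
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def lint_profile(text):
    """Return a list of (code, message) findings; an empty list means the profile passes."""
    d, findings = parse_profile(text), []
    if "ca" not in d:
        findings.append(("no-ca", "no explicit 'ca' directive; add 'ca <file>' as the answer above suggests"))
    if not any(k in d for k in SERVER_CHECKS):
        findings.append(("no-server-check", "no server certificate verification method enabled "
                         "(this is the MITM warning); add 'remote-cert-tls server'"))
    if "ns-cert-type" in d:
        findings.append(("deprecated-ns-cert-type", "'ns-cert-type' is deprecated; prefer 'remote-cert-tls server'"))
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("no-tls-auth", "no 'tls-auth'/'tls-crypt'; required when the server uses a TLS key"))
    elif "tls-auth" in d and len(d["tls-auth"][0]) < 2:
        findings.append(("tls-auth-no-direction", "'tls-auth' has no key direction; the client side uses 1"))
    return findings

# Constructed sample input: the poster's profile, trimmed, and the same profile with the fix applied.
POSTED = "client\ndev tun\nproto tcp-client\nremote 82.XX.XX.XX 443\npkcs12 pfsense-TCP-443.p12\n"
FIXED = POSTED + "ca pfsense-TCP-443-ca.crt\ntls-auth pfsense-TCP-443-tls.key 1\nremote-cert-tls server\n"

if __name__ == "__main__":
    for label, profile in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_profile(profile) or "OK")
```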



  • EDIT:

    removed

    cya



  • @spiritbreaker, your error message is not the same as the one being discussed in this thread, please don't confuse matters.

