Netgate Discussion Forum

Server certificate verification

    freetomfr
    last edited by Feb 9, 2011, 10:46 AM

    Hi everyone, I have a problem with my OpenVPN connection. I used pfsense 2.0 BETA 5 and the GUI to export a package containing all a user needs to connect.

    It works, the connection is done, but I have a warning:

    WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

    I tried to do what I found in the documentation by adding the ns-cert-type server option to the config file, but I have an SSL error with it:

    Wed Feb 09 11:44:45 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Feb 09 11:44:45 2011 TLS Error: TLS object -> incoming plaintext read error
    Wed Feb 09 11:44:45 2011 TLS Error: TLS handshake failed
    Wed Feb 09 11:44:45 2011 Fatal TLS error (check_tls_errors_co), restarting
    Wed Feb 09 11:44:45 2011 SIGUSR1[soft,tls-error] received, process restarting

    What is the problem with the server certificate verification?

    Thanks

      Cry Havok
      last edited by Feb 9, 2011, 12:00 PM

      It failed ;)

      Did you install the CA certificate on the clients? Did you ensure that the config file contains a line about it?

        freetomfr
        last edited by Feb 10, 2011, 1:17 PM

        Here is the list of files that are in my config directory:

        pfsense-TCP-443.ovpn
        pfsense-TCP-443.p12
        pfsense-TCP-443-ca.crt
        pfsense-TCP-443-tls.key

        And this is my config file:

        dev tun
        persist-tun
        persist-key
        proto tcp-client
        cipher AES-128-CBC
        tls-client
        client
        resolv-retry infinite
        remote 82.XX.XX.XX 443
        pkcs12 pfsense-TCP-443.p12
        comp-lzo
        
          Cry Havok
          last edited by Feb 10, 2011, 2:24 PM

          There should also be lines there about the CA certificate and the TLS key. Something like:

          ca pfsense-TCP-443-ca.crt
          tls-auth pfsense-TCP-443-tls.key 1

          I can highly recommend reading the documentation.

            freetomfr
            last edited by Feb 11, 2011, 9:42 AM Feb 11, 2011, 9:40 AM

            Thanks for your answer. I read the documentation many times, but there are a lot of parameters, and when I tried the recommended one nothing worked anymore.

            I tried this parameter that I found in the documentation to verify the server certificate:

            remote-cert-tls server

            But I have a SSL error with it.

            Fri Feb 11 10:41:47 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            Fri Feb 11 10:41:47 2011 TLS Error: TLS object -> incoming plaintext read error
            Fri Feb 11 10:41:47 2011 TLS Error: TLS handshake failed
            Fri Feb 11 10:41:47 2011 Fatal TLS error (check_tls_errors_co), restarting
            Fri Feb 11 10:41:47 2011 SIGUSR1[soft,tls-error] received, process restarting
            
              Cry Havok
              last edited by Feb 11, 2011, 8:02 PM

              @Cry:

              There should also be lines there about the CA certificate and the TLS key. Something like:

              ca pfsense-TCP-443-ca.crt
              tls-auth pfsense-TCP-443-tls.key 1

              Have you added those lines to your client configuration file and restarted the client yet? Until you do at least the first you will continue to see those errors. The second is required if you've configured the server to use TLS.

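The checks discussed in this thread, as an added example that is not part of any post: a small Python linter that reports whether a client profile names a CA, enables a server-certificate check, and references a tls-auth key. The function names and finding codes are hypothetical; `THREAD_PROFILE` is the configuration posted above and `FIXED_PROFILE` is constructed from it.

```python
# Directives that make the client check which certificate the server presents.
# With none of them set, OpenVPN logs the warning quoted in the first post.
VERIFY = {"remote-cert-tls", "ns-cert-type", "verify-x509-name",
          "remote-cert-eku", "remote-cert-ku", "tls-remote", "tls-verify"}

def parse_directives(text):
    """Map directive name -> argument list, skipping comments and inline blocks."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # body of a <ca>...</ca> style block
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            found[inline] = ["[inline]"]
            continue
        name, *args = line.split()
        found[name] = args
    return found

def lint_client_profile(text):
    """Return finding codes, in a fixed order, for a client .ovpn profile."""
    d, findings = parse_directives(text), []
    if "ca" not in d:
        # A pkcs12 bundle may carry the CA certificate; the profile alone cannot show it.
        findings.append("ca-implicit-in-pkcs12" if "pkcs12" in d else "no-ca")
    if VERIFY.isdisjoint(d):
        findings.append("no-server-cert-check")
    for name in ("remote-cert-tls", "ns-cert-type"):
        if name in d and d[name] != ["server"]:
            findings.append("peer-type-not-server")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no-tls-auth")
    return findings

# Profile as posted in the thread, one directive per line.
THREAD_PROFILE = "\n".join([
    "dev tun", "persist-tun", "persist-key", "proto tcp-client", "cipher AES-128-CBC",
    "tls-client", "client", "resolv-retry infinite", "remote 82.XX.XX.XX 443",
    "pkcs12 pfsense-TCP-443.p12", "comp-lzo"]) + "\n"
# Constructed: the same profile plus the two suggested lines and remote-cert-tls.
FIXED_PROFILE = THREAD_PROFILE + ("ca pfsense-TCP-443-ca.crt\n"
    "tls-auth pfsense-TCP-443-tls.key 1\nremote-cert-tls server\n")

if __name__ == "__main__":
    print(lint_client_profile(THREAD_PROFILE), lint_client_profile(FIXED_PROFILE))
```

An empty result only shows that the directives are present: `remote-cert-tls server` still fails the handshake if the server certificate lacks the TLS server key usage and extended key usage.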
                spiritbreaker
                last edited by Mar 1, 2011, 6:53 PM Feb 15, 2011, 5:17 PM

                EDIT:

                removed

                cya

                Pfsense running at 11 Locations
                -mobile OPENVPN and IPSEC
                -multiwan failover
                -filtering proxy(squidguard) in bridgemode with ntop monitoring

                  Cry Havok
                  last edited by Feb 15, 2011, 5:47 PM

                  @spiritbreaker, your error message is not the same as the one being discussed in this thread; please don't confuse matters.
