TLS handshake error (pfsense 2.0)



  • Hi, I have set up remote access OpenVPN and it works fine, but suddenly today everyone is getting the following message.

    Wed May 25 11:14:48 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
    Wed May 25 11:14:56 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed May 25 11:14:56 2011 Control Channel Authentication: using 'tls.key' as a OpenVPN static key file
    Wed May 25 11:14:56 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 25 11:14:56 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed May 25 11:14:56 2011 LZO compression initialized
    Wed May 25 11:14:56 2011 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Wed May 25 11:14:56 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed May 25 11:14:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed May 25 11:14:56 2011 Local Options hash (VER=V4): '504e774e'
    Wed May 25 11:14:56 2011 Expected Remote Options hash (VER=V4): '14168603'
    Wed May 25 11:14:56 2011 UDPv4 link local: [undef]
    Wed May 25 11:14:56 2011 UDPv4 link remote: xx.xx.xx.xx:1194
    Wed May 25 11:14:56 2011 TLS: Initial packet from xx.xx.xx.xx:1194, sid=990a296d 00a03198
    Wed May 25 11:14:56 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed May 25 11:14:57 2011 VERIFY OK: depth=1, /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.org.uk/CN=internal-ca
    Wed May 25 11:14:57 2011 VERIFY nsCertType ERROR: /C=UK/ST=Hackney/L=London/O=XXXXX/emailAddress=info@XXXXX.uk/CN=internal-ca, require nsCertType=SERVER
    Wed May 25 11:14:57 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed May 25 11:14:57 2011 TLS Error: TLS object -> incoming plaintext read error
    Wed May 25 11:14:57 2011 TLS Error: TLS handshake failed
    Wed May 25 11:14:57 2011 TCP/UDP: Closing socket
    Wed May 25 11:14:57 2011 SIGUSR1[soft,tls-error] received, process restarting
    
    

    I don't understand why this is happening. TLS is not enabled on the server, and the client config is as follows:

    client
    dev tun
    proto udp
    remote XX.XX.XX.XX 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca Internal-CA.crt
    cert username1.crt
    key username1.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3
    auth-user-pass
    
    

    I've tried redownloading the CA cert and the user's key and user's cert, but it still says same thing.

    Here's the server config:

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local XX.XX.XX.XX
    tls-server
    server 192.168.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 20
    push "route 10.0.0.0 255.0.0.0"
    push "dhcp-option DOMAIN XXXXXX.org.uk"
    push "dhcp-option DNS 10.2.1.2"
    push "dhcp-option DNS 10.2.1.3"
    push "dhcp-option WINS 10.2.1.2"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    comp-lzo
    persist-remote-ip
    float
    
    

  • Rebel Alliance Developer Netgate

    Take this line out of the client:

    ns-cert-type server
    

    See if that works.



  • Aziz, or anyone who has this issue: I have the same issue at times. Did Jimp's suggestion work?

    Jimp, what is the file and path to the configuration file in which to remove "ns-cert-type server"?


  • Rebel Alliance Developer Netgate

    @probie:

    Jimp, what is the file and path to the configuration file in which to remove "ns-cert-type server"?

    That depends on the OS of the client. If it's Windows, just right-click the running client icon and choose 'edit config'.



  • Oh, sorry. I'm running pfSense 2 RC3 at both ends. One end is the server and the other is the client, and I'm using TLS authentication. I noticed Aziz is not. Would I still need to remove that one statement?



  • Jimp, I saw a few postings where members who have this issue switched the protocol from UDP to TCP to resolve the problem. Are there any disadvantages to this? Will there be any extra overhead and performance loss by doing this?


  • Rebel Alliance Developer Netgate

    "ns-cert-type server" is not inserted by any pfSense code - if you have that in a client config, you must have put it in custom options.

    UDP works fine; TCP can cause performance degradation.



  • Thanks, Jimp. I tried it with TCP and definitely saw noticeable performance degradation.

    The settings that Aziz posted above for the client and server config: what file are they in, and where is it located on pfSense so I can check it?



  • Jimp, I found the config file on the client pfSense and it does not have "ns-cert-type server". Since it does not have "ns-cert-type server" and I am still getting the "TLS Error: TLS key negotiation failed to occurr within 60 seconds (check your network connectivity)" error at times, do you have any other suggestions?


  • Rebel Alliance Developer Netgate

    Then start a new thread because your problem is unrelated to this thread.
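    Added example (not from the thread, pfSense or OpenVPN): a small Python triage script that tells apart the two failures this thread mixes up, the nsCertType verification error in the first post and the 60-second key negotiation timeout the later poster reports, by attributing each "TLS handshake failed" line in a client log to the diagnostic line that precedes it. The log text is constructed, modelled on the output quoted above.

    ```python
    import re
    from dataclasses import dataclass

    # Constructed sample log (not the thread's exact output): the nsCertType
    # failure from the first post, then the unrelated timeout a later poster saw.
    SAMPLE_LOG = """\
    Wed May 25 11:14:56 2011 UDPv4 link remote: 203.0.113.10:1194
    Wed May 25 11:14:57 2011 VERIFY OK: depth=1, /C=UK/ST=Hackney/L=London/O=Example/CN=internal-ca
    Wed May 25 11:14:57 2011 VERIFY nsCertType ERROR: /C=UK/ST=Hackney/L=London/O=Example/CN=internal-ca, require nsCertType=SERVER
    Wed May 25 11:14:57 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed May 25 11:14:57 2011 TLS Error: TLS handshake failed
    Wed May 25 11:16:02 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed May 25 11:16:02 2011 TLS Error: TLS handshake failed
    """

    TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
    NSCERT_RE = re.compile(r"VERIFY nsCertType ERROR: (?P<subject>.+?), require nsCertType=(?P<need>\w+)")
    TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occurr? within (?P<secs>\d+) seconds")
    HANDSHAKE_FAILED = "TLS Error: TLS handshake failed"

    @dataclass
    class Finding:
        when: str
        cause: str   # "nsCertType", "timeout" or "unknown"
        detail: str

    def triage(log_text: str) -> list[Finding]:
        """Attribute each 'TLS handshake failed' line to the diagnostic just before it."""
        findings, pending = [], None
        for line in log_text.splitlines():
            m = TS_RE.match(line)
            if not m:
                continue
            ts, msg = m["ts"], m["msg"]
            if (n := NSCERT_RE.search(msg)):
                # The client config has 'ns-cert-type server' but the presented
                # certificate lacks the Netscape cert-type extension with the SERVER bit.
                pending = Finding(ts, "nsCertType", f"{n['subject']} lacks nsCertType={n['need']}; "
                                  "drop 'ns-cert-type server' on the client or reissue the server cert with that extension")
            elif (t := TIMEOUT_RE.search(msg)):
                # No TLS reply at all: a reachability problem on the server port, not a certificate problem.
                pending = Finding(ts, "timeout", f"no key negotiation within {t['secs']}s; check that the server port is reachable")
            elif msg == HANDSHAKE_FAILED:
                findings.append(pending or Finding(ts, "unknown", "handshake failed with no preceding diagnostic"))
                pending = None
        return findings

    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print(f"{f.when}  {f.cause:<10} {f.detail}")
    ```
    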

