OpenVPN - TLS incoming plaintext read error?

  • Hi,

    I have a pfSense 2.1 (Beta0) install, and I'm trying to connect via OpenVPN.

    My client is Tunnelblick 3.3beta16 (build 3070 - OpenVPN 2.3-alpha1), running on OSX.

    From pfSense, I generated a Configuration archive, renamed it to add .tblk to the folder name, then imported into TunnelBlick.

    However, it seems to stall at the Authorizing stage.

    In the OpenVPN logs, I can see:

    Aug 4 18:42:27	openvpn[6629]: Re-using SSL/TLS context
    Aug 4 18:42:27	openvpn[6629]: LZO compression initialized
    Aug 4 18:42:27	openvpn[6629]: VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/
    Aug 4 18:42:27	openvpn[6629]: TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Aug 4 18:42:27	openvpn[6629]: TLS Error: TLS object -> incoming plaintext read error
    Aug 4 18:42:27	openvpn[6629]: TLS Error: TLS handshake failed

    Any ideas?


  • Rebel Alliance Developer Netgate

    Inside that log message is shows:

    Aug 4 18:42:27 openvpn[6629]: VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/

    (emphasis mine)

    Which generally means you made the wrong sort of certificate for what you're trying to do. If that log is on the client side, the certificate on the server may not actually be a "server certificate" and if that log is on the server side, the client cert may not be a "user certificate".

    As it's dangerous to mix and match the certificate purposes (you don't want to use a CA cert as a vpn client…) it tries to make it a little stricter there.

  • Hello, I have been deploying openVpn in pfsense for a while, with no hickups.

    Until this week, a severe modification in design of the network, crashed Pfsense all together. Decided to restart from scratch.
    All well at first, squid, sarg reports, untill openVPN. Being a bit overconfident, I even created all the users for the vpn. Without testing it  :(  Was so confident…

    And boom same TLS error as described above.

    Ok fix for this,  it takes a while.

    • erase every setting and server from the openvpn, erase any certificate created during previous atempts

    • Create a server certificate from the menu of the certificate.

    • run the wizard for the open vpn server. Choose that certificate for the server.

    • go into the OPENVPN server config page, remove tls auth and save.

    • go again into the openVPN server config page, and select tls auth this will create a new tls

    • only now create the certificate for the users.

    I really don t know why, this solved the issue, I never ran into this before… ???

    Hope this can help anyone... ;D

  • I have followed these steps but still tls error :-(

    Anyone any more ideas pls?



  • When you set up the VPN configuration, make sure you're using the right certificate authority and client certificate in your config.  Otherwise, delete the CA cert and client cert and redo those.  It'll almost definitely solve your problem.  Sounds like a problem with your cut and paste.

    -Percy Kwong

Log in to reply