OpenVPN - TLS incoming plaintext read error?

victorhooi · Aug 4, 2012, 8:42 AM

Hi,

I have a pfSense 2.1 (Beta0) install, and I'm trying to connect via OpenVPN.

My client is Tunnelblick 3.3beta16 (build 3070 - OpenVPN 2.3-alpha1), running on OSX.

From pfSense, I generated a Configuration archive, renamed it to add .tblk to the folder name, then imported into TunnelBlick.

However, it seems to stall at the Authorizing stage.

In the OpenVPN logs, I can see:

Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 Re-using SSL/TLS context
Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 LZO compression initialized
Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/emailAddress=victorhooi@yahoo.com/CN=campervans
Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS Error: TLS object -> incoming plaintext read error
Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS Error: TLS handshake failed

Any ideas?

Cheers,
Victor

jimp · Aug 8, 2012, 4:55 PM

Inside that log message is shows:

Aug 4 18:42:27 openvpn[6629]: 123.243.8.55:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/emailAddress=victorhooi@yahoo.com/CN=campervans

(emphasis mine)

Which generally means you made the wrong sort of certificate for what you're trying to do. If that log is on the client side, the certificate on the server may not actually be a "server certificate" and if that log is on the server side, the client cert may not be a "user certificate".

As it's dangerous to mix and match the certificate purposes (you don't want to use a CA cert as a vpn client…) it tries to make it a little stricter there.

InVidTiv · Aug 23, 2012, 9:18 PM

Hello, I have been deploying openVpn in pfsense for a while, with no hickups.

Until this week, a severe modification in design of the network, crashed Pfsense all together. Decided to restart from scratch.
All well at first, squid, sarg reports, untill openVPN. Being a bit overconfident, I even created all the users for the vpn. Without testing it :( Was so confident…

And boom same TLS error as described above.

Ok fix for this, it takes a while.

erase every setting and server from the openvpn, erase any certificate created during previous atempts
Create a server certificate from the menu of the certificate.
run the wizard for the open vpn server. Choose that certificate for the server.
go into the OPENVPN server config page, remove tls auth and save.
go again into the openVPN server config page, and select tls auth this will create a new tls
only now create the certificate for the users.

I really don t know why, this solved the issue, I never ran into this before… ???

Hope this can help anyone... ;D

rajbps · Aug 24, 2012, 7:47 AM

I have followed these steps but still tls error :-(

Anyone any more ideas pls?

Cheers,

Raj

pkwong · Aug 28, 2012, 2:03 PM

When you set up the VPN configuration, make sure you're using the right certificate authority and client certificate in your config. Otherwise, delete the CA cert and client cert and redo those. It'll almost definitely solve your problem. Sounds like a problem with your cut and paste.

-Percy Kwong
http://swimminginthought.com