OpenVPN issue after 2.2.4 upgrade



  • As a heads-up: I had a working setup, upgraded from 2.2.3 to 2.2.4, and it seems the upgrade broke something  :(

    What I encountered:

    Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS Error: TLS handshake failed
    Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS Error: TLS object -> incoming plaintext read error
    Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Aug 4 19:11:55 openvpn[53459]: n.n.n.n:37396 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
    Aug 4 19:10:53 openvpn[53459]: n.n.n.n:34134 TLS Error: TLS handshake failed
    Aug 4 19:10:53 openvpn[53459]: n.n.n.n:34134 TLS Error: TLS object -> incoming plaintext read error
    Aug 4 19:10:53 openvpn[53459]: n.n.n.n:34134 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Aug 4 19:10:53 openvpn[53459]: n.n.n.n:34134 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

    Didn't touch anything regarding setup…
    Quick search revealed this: https://redmine.pfsense.org/issues/4329
    But that didn't bring much to the party.

    Further testing (and some help from my good friend Google) showed the issue to be in the CN of the server cert: it contained a space. Recreating the CA, server cert, and client cert solved it. But now I have to do so & hand them out to all users  >:(
    Be warned, avoid spaces, even if it is the year 2015 ::)

    --edit: grammar--


  • Rebel Alliance Developer Netgate

    Spaces in a CN have always been problematic, no matter the year. CN is meant to be something akin to a hostname or username in general.

    Though I don't recall any changes between 2.2.3 and 2.2.4 that would have changed how they were handled.
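    An added example, not pfSense or OpenVPN code, that turns the two posts above into a pre-issuance check: it parses a subject string in the two shapes OpenVPN hands to a --tls-verify hook (the legacy "/C=US/CN=name" form and the "C=US, CN=name" form seen in the certsubject= value later in this thread) and flags CN values with whitespace or other non-hostname characters before a cert is ever issued. The sample subjects are constructed; the allowed character set is an assumption chosen to match the "akin to a hostname or username" guidance, not an OpenVPN rule.

```python
"""Pre-issuance audit for X.509 subject strings.

Added example (not pfSense or OpenVPN code): flags CN values that tend to
break VPN tooling, such as the space the first post found in its server cert.
All sample subjects below are constructed.
"""
import re
from typing import Dict, List

# Assumed "hostname-like" CN alphabet: letters, digits, dot, hyphen, underscore.
SAFE_CN = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_subject(subject: str) -> Dict[str, str]:
    """Split a subject string into {attribute: value}.

    Supports '/C=US/O=Acme/CN=vpn' and 'C=US, O=Acme, CN=vpn'. A separator
    preceded by a backslash is part of the value, not an RDN boundary.
    """
    s = subject.strip()
    if s.startswith("/"):
        parts = re.split(r"(?<!\\)/", s[1:])
    else:
        parts = re.split(r"(?<!\\),\s*", s)
    rdns: Dict[str, str] = {}
    for part in parts:
        if not part:          # tolerate a trailing separator ("C=US,")
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        # unescape the separators respected above
        value = value.replace("\\,", ",").replace("\\/", "/")
        rdns[attr.strip().upper()] = value
    return rdns


def cn_problems(subject: str) -> List[str]:
    """Return findings about the CN; an empty list means it is clean."""
    rdns = parse_subject(subject)
    cn = rdns.get("CN")
    if cn is None:
        return ["subject has no CN"]
    if not cn:
        return ["CN is empty"]
    problems: List[str] = []
    if cn != cn.strip():
        problems.append("leading or trailing whitespace in CN")
    if re.search(r"\s", cn.strip()):
        problems.append("whitespace inside CN")
    if not cn.isascii():
        problems.append("non-ASCII characters in CN")
    leftover = sorted({c for c in cn
                       if c.isascii() and not c.isspace() and not SAFE_CN.match(c)})
    if leftover:
        problems.append("characters outside [A-Za-z0-9._-] in CN: " + "".join(leftover))
    return problems


def audit(subjects: List[str]) -> Dict[str, List[str]]:
    """Audit many subjects; only the ones with findings are returned."""
    return {s: p for s in subjects for p in [cn_problems(s)] if p}


if __name__ == "__main__":
    samples = [  # constructed
        "/C=US/ST=CA/O=Example VPN/CN=internal-ca",      # clean: the space is in O, not CN
        "C=US, ST=CA, O=Example VPN, CN=vpn server 1",   # the failure mode from the first post
        "C=US, O=Example\\, Inc, CN=vpn.example.test",   # escaped comma in O is fine
        "C=US, CN=vpn/prod",                             # slash would collide with the legacy form
    ]
    for subj, findings in audit(samples).items():
        print(f"{subj}\n  -> {'; '.join(findings)}")
```

    Run it over the subjects of every cert your CA has issued (openssl x509 -noout -subject prints them) before rolling certs out, rather than discovering the problem from a "--tls-verify script" failure in the OpenVPN log.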



  • I had this issue too, even after creating new certificates etc… The patch in this thread fixed it for me.

    Edit: or did it? ??? I mean, I'm not having any issues connecting anymore, but may have been a strange coincidence.


  • Rebel Alliance Global Moderator

    I have no idea what you think that patch did? Was your issue because you had spaces in the CN?  I just looked at that thread and don't see what he is talking about; 2.2.4 does not show what he shows:

    [2.2.4-RELEASE][root@pfSense.local.lan]/root: php -v
    PHP 5.5.27 (cgi-fcgi) (built: Jul 13 2015 19:15:15)
    Copyright © 1997-2015 The PHP Group
    Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
        with Suhosin v0.9.37.1, Copyright (c) 2007-2014, by SektionEins GmbH

    [2.2.4-RELEASE][root@pfSense.local.lan]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "test.test&depth=2&certdepth=1&certsubject=C=US,"; echo; echo $?
    OK
    0
    [2.2.4-RELEASE][root@pfSense.local.lan]/root:

    I sure didn't deploy any patches. Or do anything with php.



  • Yeah, not sure… I didn't get anything other than "OK \n 0", running that... but I couldn't connect the minute prior to (and a day or so) doing that change, then could straight afterwards.

    Edit: CN was "internal-ca"