flamusdiu / python-pia

Commandline tool to auto configure PIA services

Protocols and Ports Not working #17

Closed flamusdiu closed 7 years ago

flamusdiu commented 8 years ago

Seems I have hit a roadblock, and I can find that only the following protocols/ports work:

default => TCP/502, UDP/1198

strong encryption configs => TCP/501, UDP/1197

Any other combination gives the error: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed => Points to a mismatched certification on that port.

One user on the AUR page posted this log as well:

$ east
Tue Sep 27 17:42:57 2016 OpenVPN 2.3.12 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 24 2016
Tue Sep 27 17:42:57 2016 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Tue Sep 27 17:42:57 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 27 17:42:57 2016 Attempting to establish TCP connection with [AF_INET]209.222.18.35:80 [nonblock]
Tue Sep 27 17:42:58 2016 TCP connection established with [AF_INET]209.222.18.35:80
Tue Sep 27 17:42:58 2016 TCPv4_CLIENT link local: [undef]
Tue Sep 27 17:42:58 2016 TCPv4_CLIENT link remote: [AF_INET]209.222.18.35:80
Tue Sep 27 17:42:58 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Tue Sep 27 17:42:58 2016 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Sep 27 17:42:58 2016 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 27 17:42:58 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 27 17:42:58 2016 TLS Error: TLS handshake failed
Tue Sep 27 17:42:58 2016 Fatal TLS error (check_tls_errors_co), restarting
Tue Sep 27 17:42:58 2016 SIGUSR1[soft,tls-error] received, process restarting
Tue Sep 27 17:43:03 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 27 17:43:03 2016 Attempting to establish TCP connection with [AF_INET]108.61.68.154:80 [nonblock]
Tue Sep 27 17:43:04 2016 TCP connection established with [AF_INET]108.61.68.154:80
Tue Sep 27 17:43:04 2016 TCPv4_CLIENT link local: [undef]
Tue Sep 27 17:43:04 2016 TCPv4_CLIENT link remote: [AF_INET]108.61.68.154:80
Tue Sep 27 17:43:05 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Tue Sep 27 17:43:05 2016 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue Sep 27 17:43:05 2016 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 27 17:43:05 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 27 17:43:05 2016 TLS Error: TLS handshake failed
Tue Sep 27 17:43:05 2016 Fatal TLS error (check_tls_errors_co), restarting
Tue Sep 27 17:43:05 2016 SIGUSR1[soft,tls-error] received, process restarting

Until I can figure something out, all other ports will have to be removed.
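
Added example, not part of the original thread or of python-pia's code: a small Python triage script that groups OpenVPN VERIFY ERROR lines by the remote endpoint they occurred on, so a port whose certificate chain is not covered by the configured CA file stands out. The function name failed_endpoints and the record fields are assumptions made for illustration; the sample input is an excerpt of the log quoted above.

```python
import re
from collections import OrderedDict

# Excerpt of the OpenVPN log quoted in the issue (not new data).
SAMPLE_LOG = """\
Tue Sep 27 17:42:58 2016 TCPv4_CLIENT link remote: [AF_INET]209.222.18.35:80
Tue Sep 27 17:42:58 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Tue Sep 27 17:42:58 2016 TLS Error: TLS handshake failed
Tue Sep 27 17:43:04 2016 TCPv4_CLIENT link remote: [AF_INET]108.61.68.154:80
Tue Sep 27 17:43:05 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Tue Sep 27 17:43:05 2016 TLS Error: TLS handshake failed
"""

# "<proto> link remote: [AF_INET]host:port" names the endpoint of the current attempt.
REMOTE = re.compile(
    r"(?P<proto>TCP|UDP)\S* link remote: \[AF_INET6?\](?P<host>.+):(?P<port>\d+)\s*$")
# "VERIFY ERROR" carries the chain depth, the OpenSSL reason and the certificate subject.
VERIFY = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>.*)$")


def failed_endpoints(log_text):
    """Map (proto, host, port) -> details of the certificate verification failure."""
    results = OrderedDict()
    current = None  # endpoint of the connection attempt being read
    for line in log_text.splitlines():
        m = REMOTE.search(line)
        if m:
            current = (m["proto"], m["host"], int(m["port"]))
            continue
        m = VERIFY.search(line)
        if m and current:
            cn = re.search(r"CN=([^,]+)", m["subject"])
            rec = results.setdefault(current, {"attempts": 0})
            rec["attempts"] += 1
            rec["depth"] = int(m["depth"])  # 0 = server certificate, 1+ = CA certificates
            rec["reason"] = m["reason"].strip()
            rec["subject_cn"] = cn.group(1) if cn else None
    return results


if __name__ == "__main__":
    for (proto, host, port), rec in failed_endpoints(SAMPLE_LOG).items():
        print(f"{proto}/{port} {host}: depth={rec['depth']} {rec['reason']} "
              f"(CN={rec['subject_cn']}, attempts={rec['attempts']})")
```

A failure at depth=1 with this reason means the CA at the top of the server's chain is not in the ca file the client was started with, so every endpoint listed is a port to check against the certificate shipped in the config.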

flamusdiu commented 8 years ago

So, information from the PIA Forum (https://www.privateinternetaccess.com/forum/discussion/comment/43689#Comment_43689) points me to this web page: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-

Apparently, there is a 3rd certification. I'll have to get that set up.

flamusdiu commented 7 years ago

Just pushed an update on the dev branch to fix this issue.