kittoku / Open-SSTP-Client

Open SSTP Client for Android
MIT License

open sstp client does not work with SoftEther sstp configuration [ solved ] #68

Closed shakibamoshiri closed 2 years ago

shakibamoshiri commented 2 years ago

Issue

An SSTP configuration works with the SoftEther client on Windows x86_64, but the same configuration does not work in this app.

Versions

Open SSTP client version 1.5.8.1.

Error log

[2022-10-26 01:28:24.846] Establish VPN connection
[2022-10-26 01:28:24.883] OSC: ERR_UNEXPECTED
java.security.cert.CertificateException: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:284)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:366)
    at kittoku.osc.terminal.SSLTerminal.createTrustManagers(SSLTerminal.kt:60)
    at kittoku.osc.terminal.SSLTerminal.createSocket(SSLTerminal.kt:77)
    at kittoku.osc.terminal.SSLTerminal.access$createSocket(SSLTerminal.kt:26)
    at kittoku.osc.terminal.SSLTerminal$initializeSocket$2.invokeSuspend(SSLTerminal.kt:36)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665)
Caused by: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:121)
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:282)
    ... 11 more
Caused by: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
    at com.android.org.conscrypt.OpenSSLX509Certificate.fromX509DerInputStream(OpenSSLX509Certificate.java:103)
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509DerInputStream(OpenSSLX509CertificateFactory.java:234)
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509DerInputStream(OpenSSLX509CertificateFactory.java:224)
    at com.android.org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:112)
    ... 12 more
Caused by: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
    at com.android.org.conscrypt.NativeCrypto.d2i_X509_bio(Native Method)
    at com.android.org.conscrypt.OpenSSLX509Certificate.fromX509DerInputStream(OpenSSLX509Certificate.java:97)
    ... 15 more

[2022-10-26 01:28:24.887] Terminate VPN connection

Cert check

I checked the certificate details (it is self-signed) using

openssl s_client -connect docker.homeip.ir:443

for example

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

And I configured the app to use the certificate, but it gave me the error posted above. Please let me know if you need more info or logs.

Regards



kittoku commented 2 years ago

It looks like SSL failed to parse your certificate. Please try changing the format or install the certificate directly to the device. If you put files which are not certificates in the same directory, don't do that.

By the way, if you succeed in having the device read the certificate, you may still fail to connect since it seems the SoftEther stable version is not compatible with TLSv1.3.
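The WRONG_TAG error in the log above comes from the DER parser (d2i_X509) seeing a first byte that is not the 0x30 SEQUENCE tag every X.509 certificate starts with, which is what happens when a file in the certificate directory is a key, a text file, or a certificate in a format the factory does not recognise. The following script is an added example written for this thread, not code from the issue or from Open SSTP Client: it mimics the PEM-or-DER dispatch a certificate factory performs and reports which files would trip that error. The sample files are constructed inline, and the DER blob is a minimal SEQUENCE used as a structural stand-in rather than a real certificate, so the check is on outer ASN.1 framing only, not on certificate contents.

```python
import base64
import re

# A CERTIFICATE block is the only PEM type a certificate factory accepts;
# a "PRIVATE KEY" block in the same directory is a common cause of failure.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def der_outer_sequence_ok(data: bytes) -> bool:
    """Check only the outermost DER TLV: tag 0x30 (SEQUENCE) followed by a
    length that spans exactly the rest of the buffer.  A first byte other
    than 0x30 is what d2i_X509 reports as WRONG_TAG."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length (< 128 bytes)
        length, header = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def classify_cert_bytes(data: bytes) -> str:
    """Mimic a certificate factory's dispatch: PEM if the data carries a
    CERTIFICATE block, otherwise treat the raw bytes as DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_CERT_RE.search(data)
        if m is None:
            return "pem-but-not-a-certificate"       # e.g. a PRIVATE KEY block
        try:
            der = base64.b64decode(m.group(1), validate=False)
        except ValueError:                           # binascii.Error is a ValueError
            return "pem-corrupt-base64"
        return "PEM" if der_outer_sequence_ok(der) else "pem-bad-der"
    return "DER" if der_outer_sequence_ok(data) else "not-a-certificate (WRONG_TAG)"


def find_non_cert_files(files: dict) -> list:
    """Return the names of files that would make certificate loading fail."""
    return sorted(name for name, blob in files.items()
                  if classify_cert_bytes(blob) not in ("PEM", "DER"))


# Constructed samples standing in for a certificate directory (hypothetical
# file names).  _FAKE_DER is SEQUENCE { INTEGER 5 }: structurally a SEQUENCE,
# not a real certificate, which is all the outer-framing check looks at.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_FILES = {
    "server.cer": (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(_FAKE_DER)
                   + b"-----END CERTIFICATE-----\n"),
    "server.der": _FAKE_DER,
    "user.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "notes.txt": b"installed from SoftEther manager\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        print(f"{name:12s} {classify_cert_bytes(blob)}")
    print("would break loading:", find_non_cert_files(SAMPLE_FILES))
```

Run against a real directory by reading each file's bytes into the dictionary; anything reported other than PEM or DER is a candidate for removal or conversion (for instance `openssl x509 -inform DER -in server.der -out server.pem` to switch formats).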

shakibamoshiri commented 2 years ago

I could install the cert on my phone, yet it gave me this error: SSL: ERR_VERIFICATION_FAILED

Here is what I did in SoftEther

  1. create a user with password and certificate authentication (in SoftEther Manager) and save user.cer, user.key
  2. load the user.cer into the SoftEther client
  3. connect successfully using username and password to the server

So I thought the same way (cert + user + pass) would work with Open SSTP Client.

Question 1. If this is not the right way of using Open SSTP Client, what is the right way? How can I connect to a SoftEther server with this app? Is there any document or instruction? (I could not find a practical one)

Question 2. There is a web site vpngate.net that provides free VPN servers, and I tested some SSTPs and they worked, just using

So how does this work without importing any cert?
Has the cert been installed on the server side? And is the configuration picked up automatically from the server by Open SSTP Client?

kittoku commented 2 years ago

Make sure Verify Hostname option is unchecked when you want to connect to a server with a self-signed certificate.

This app NEVER supports authentication by a client's certificate, but only authentication by password. This app only uses certificates to confirm that the server it begins to connect to is the server you really want to connect to. And this kind of confirmation is not needed for VPN Gate since its certificate authority is already granted by the device.

shakibamoshiri commented 2 years ago

Using Let's Encrypt I issued a new cert for a domain name, installed the cert on the server with help from this answer on Server Fault, and I could successfully connect to the server with no problem. Thanks