Closed moutonjr closed 4 years ago
What does your server say? Usually a TLS timeout means the server does not like something.
Also, does switching to the OpenVPN3 core make a difference?
Hi Arne,
Here's what I got:
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS: Initial packet from [AF_INET]9.8.7.6:40832, sid=cba307ab 138f0125
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 VERIFY ERROR: depth=2, error=path length constraint exceeded: C=FR, L=Paris, O=MySampleServer, OU=MySampleServer, CN=MySampleServer MAIN CA, emailAddress=contact@MySampleServer.fr
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS_ERROR: BIO read tls_read_plaintext error
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS Error: TLS object -> incoming plaintext read error
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 TLS Error: TLS handshake failed
Sep 8 09:09:12 vpn openvpn[1296]: 9.8.7.6:40832 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 8 09:09:20 vpn openvpn[1296]: 9.8.7.6:48978 TLS: Initial packet from [AF_INET]9.8.7.6:48978, sid=f35e2e39 b53c26ac
Sep 8 09:09:20 vpn openvpn[1296]: 9.8.7.6:48978 VERIFY ERROR: depth=2, error=path length constraint exceeded: C=FR, L=Paris, O=MySampleServer, OU=MySampleServer, CN=MySampleServer MAIN CA, emailAddress=contact@MySampleServer.fr
My server is:
openvpn --version
OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 23 2019
I don't know as the OpenVPN in production is not upgradeable.
Thank you for your help!
This is something that has nothing to do with my app. Something in the way you configure your CA/OpenSSL on the server does not like the certificate (error=path length constraint exceeded).
Also you did not yet answer:
Does switching to the OpenVPN3 core make a difference? (General settings in the app)
Tested with OpenVPNv3 without success... :(
The main issue here is not about the setup, insofar as the imported configuration already works with official app. There is therefore a bug in the process.
A significant difference lies in the fact that the original imported .ovpn configuration only links the certificates, whereas they are embedded in the generated configuration in your app.
I'll check if your config works with official app.
Acknowledged: the generated config works with the official app.
Logs of the server for my app and logs of the server for the official app would be nice.
Also the log of the official app and the log of my app in both openvpn2 and openvpn3.
I know that is a lot, but the OpenVPN3 core is the same code as the official app.
If you are unlucky, the difference is the mbed TLS in the official app vs OpenSSL in my app.
Ok I gathered this.
Note that using v2 or v3 doesn't change much on the server side.
All the best,
20190913_OpenVPNOfficial.log 20190913_SERVER_OpenVPN.log 20190913_OpenVPNICS_v2.log 20190913_OpenVPNICS_v3.log
The v3 log and the official app look almost identical.
So it must be something down to either the way the certificates are used by mbed/OpenSSL or how both apps generate the config. Without looking at the generated configuration files/being able to reproduce the problem I don't really know what is happening here. I would suggest you try to find what really triggers the error message from OpenSSL on the server. It says chain depth, but that should be the same in both apps (4).
Hi @schwabe, shall we reopen? No matter the verbosity of my server, it still crashes on the depth failure. The cert chain is indeed the same for both instances, so it doesn't have anything to do with the server.
If I can give you more details on the PKI, the cert chain can be found here: https://bit.ly/2PpVwEd
To reproduce, I guess that you simply need to build up a chain of 5 certs with 4096-bit key length.
If you suspect the SSL vendor, shall we file a bug on its GitHub?
Regards,
-- moutonjr
It would be helpful if you can narrow it down, e.g. by running a different server, such as an Ubuntu openvpn binary (maybe in a Linux jail/chroot, or a short-lived AWS/DigitalOcean instance for a few cents). What library is openvpn linked against? (It should report this on startup.)
And see if that is something on the server side that goes away with different libraries.
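The server log above reports `path length constraint exceeded` at `depth=2`, and the thread never pins down which certificate in the 5-cert chain carries the offending constraint. The following is an added example, not code from ics-openvpn, OpenVPN or OpenSSL: it applies the RFC 5280 section 6.1.4 pathLenConstraint rule to a chain ordered leaf first and returns the depth OpenSSL would report. The chain shown is constructed to have the same shape as the logged failure; the subject names and constraint values are assumptions, not the reporter's real PKI, and the PEM loader assumes the third-party `cryptography` package (39 or newer).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    subject: str
    is_ca: bool
    path_len: Optional[int]      # basicConstraints pathLenConstraint; None = absent
    self_issued: bool = False    # subject == issuer, i.e. the root


def exceeded_depth(chain: List[CertInfo]) -> Optional[int]:
    """Return the depth (leaf = 0, matching OpenSSL's 'depth=N') of the first CA
    whose pathLenConstraint is exceeded, or None if the chain is acceptable."""
    for depth, ca in enumerate(chain):
        if depth == 0 or not ca.is_ca or ca.path_len is None:
            continue
        # A CA with pathLenConstraint=p may have at most p non-self-issued
        # intermediate CAs between itself and the end-entity certificate.
        below = [c for c in chain[1:depth] if c.is_ca and not c.self_issued]
        if len(below) > ca.path_len:
            return depth
    return None


def from_pem_bundle(path: str) -> List[CertInfo]:
    """Optional helper for a real chain: PEM bundle ordered leaf first.
    Assumption: the 'cryptography' package (>= 39) is installed."""
    from cryptography import x509
    out = []
    with open(path, "rb") as f:
        certs = x509.load_pem_x509_certificates(f.read())
    for cert in certs:
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            is_ca, plen = bc.ca, bc.path_length
        except x509.ExtensionNotFound:
            is_ca, plen = False, None
        out.append(CertInfo(cert.subject.rfc4514_string(), is_ca, plen,
                            cert.subject == cert.issuer))
    return out


# Constructed 5-certificate chain shaped like the logged failure: the CA at
# depth 2 carries pathLenConstraint=0 but has one more CA beneath it.
BROKEN_CHAIN = [
    CertInfo("CN=client", False, None),
    CertInfo("CN=Issuing CA", True, 0),
    CertInfo("CN=MAIN CA", True, 0),
    CertInfo("CN=Policy CA", True, 2),
    CertInfo("CN=Root CA", True, None, self_issued=True),
]
# Same chain after re-issuing MAIN CA with pathLenConstraint=1.
FIXED_CHAIN = [CertInfo(c.subject, True, 1) if c.subject == "CN=MAIN CA" else c
               for c in BROKEN_CHAIN]
```

Running `exceeded_depth` over the chain the server actually sees (client certificate first) tells you which CA certificate needs a larger or absent pathLenConstraint, which the server log alone does not.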
To make issues more manageable, I would appreciate it if you fill out the following details as applicable:
General information
Description of the issue
Protocol
OpenVPN server set up and connection successful with the standard .ovpn file generated and the standard OpenVPN Connect app by the OpenVPN team.
Imported the .ovpn in the ics-openvpn app and imported the certs & keys that are in separate files. Started the connection.
Expected results:
VPN tunnel starts successfully and I can reach private endpoints.
Got:
VPN fails to come up due to the TLS connection.
Note: