> On Apr 17, 2015, at 07:49, Jan Just Keijser <janj...@nikhef.nl> wrote:
> I don't know - it's not really a TLS cipher that you want, but a TLSv1
> connection - the nomenclature is overloaded, however.
> It does look like a bug in your local openssl lib, as openvpn 2.3.6 works
> fine with TLSv1 on CentOS 5, which still uses openssl 0.9.8 . You can also
> build and link openvpn statically against an OpenSSL (or even PolarSSL)
> library so that you would not have a second openssl.so file lying around.
(*le sigh*) Okay. So, I'm sorry to say, that I think I've been misstating things this whole time. The openssl on my system is in fact 0.9.9. But, I failed to notice that the pkgsrc version of openvpn that I was using had a prerequisite for OpenSSL 1.0.1c or later, and I apparently already had such a beast on my system. I dislike having two versions of OpenSSL installed so much that I failed to notice I already did.

Okay. So, back to reality. I took a more full assessment of things, uninstalled the older OpenSSL 1.0.1-whatever, the things that had required it, and started building the most recent versions of openvpn (2.3.6) and OpenSSL (1.0.2a) that pkgsrc has available. At this point, I now at least know what OpenSSL and crypto libraries my openvpn binary is linked against and can speak more correctly about them.

So to earlier email about using the openssl s_server and s_client, this time with the relevant server-side binary. It looks just fine. I can establish the connection without error. I can't be sure what openssl Tunnelblick is compiled with, as it appears to be statically linked against it. The openssl s_client that worked for me just now is 0.9.8zc, but Tunnelblick could be using anything.

But, the openvpn failure has now changed! I consider this a success!

Apr 17 11:17:43 bifr?st openvpn[17201]: TCP connection established with [AF_INET]A.B.C.D:52232
Apr 17 11:17:44 bifr?st openvpn[17201]: A.B.C.D:52232 TLS: Initial packet from [AF_INET]A.B.C.D:52232, sid=34eff6fb 9e28a600
Apr 17 11:17:45 bifr?st openvpn[17201]: A.B.C.D:52232 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, O=Distal Thoughts, CN=client.outside.net
Apr 17 11:17:45 bifr?st openvpn[17201]: A.B.C.D:52232 TLS_ERROR: BIO read tls_read_plaintext error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

So, my client certificate must be wrong somehow. I generated it by following the commands within the easy-rsa scripts, basically.
The following commands were used, with an openssl.cnf I've had around for a long time and been using for other things. My CA cert pre-existed as well.

  % openssl req -days 730 -nodes -new -newkey rsa:2048 -keyout client.key -out client.csr -config $PWD/openssl.cnf
  % openssl ca -days 731 -out client.crt -in client.csr -md sha1 -config openssl.cnf

Given the error, however, I'm guessing there must be something I'm missing to define the "certificate purpose" of my certificate?

- Chris
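The "unsupported certificate purpose" verdict in the log above is OpenSSL's X509 purpose check: when a server validates a client certificate it requires that any extendedKeyUsage or nsCertType extension present on the certificate permits "SSL client" use, so a certificate signed with a server-only extension section fails even though its chain is valid. The script below is an added example, not code from the thread or from OpenVPN/easy-rsa; it assumes only the openssl command-line tool, builds a throwaway CA in a temporary directory, signs one certificate with server-only extensions and one with client extensions, and runs the same purpose check against both with `openssl verify -purpose sslclient`. All names and extension contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: reproduce the X509 "sslclient" purpose check that a server
# applies to a connecting client's certificate. Everything is constructed in
# a temp dir; no real CA or key material is touched.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (constructed, 1-day validity, self-signed with CA:TRUE)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME EXTENSIONS: sign a cert whose v3 extensions come from the
# given text, mirroring what `openssl ca` takes from an openssl.cnf section.
issue_cert() {
  name=$1
  printf '%s\n' "$2" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# verify_as_client CERT: prints "ok" or "fail" using the purpose check
# (X509 purpose "sslclient") that the server side applies to a peer cert.
verify_as_client() {
  if openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# A cert signed with server-only extensions: the usual way a client cert
# ends up rejected with "unsupported certificate purpose" (for example, when
# the openssl.cnf section used for signing was written for server certs).
issue_cert server-only "extendedKeyUsage = serverAuth
nsCertType = server"

# A cert signed with client extensions, which is what a client section
# of the signing config should set.
issue_cert client-ok "extendedKeyUsage = clientAuth
nsCertType = client"

SERVER_ONLY_RESULT=$(verify_as_client "$WORK/server-only.crt")
CLIENT_OK_RESULT=$(verify_as_client "$WORK/client-ok.crt")
echo "server-only cert verified as client: $SERVER_ONLY_RESULT"
echo "client cert verified as client:      $CLIENT_OK_RESULT"
# For a cert already on disk, `openssl x509 -in client.crt -noout -purpose`
# prints the same per-purpose verdicts, including the "SSL client" line.
```

The check that matters is the `SSL client` entry of `openssl x509 -noout -purpose` (or `openssl verify -purpose sslclient`): if it says No, the extensions written into the certificate at signing time, not the CA or the key, are what the server is rejecting.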