On 17/04/15 17:22, Chris Ross wrote:
>> On Apr 17, 2015, at 07:49, Jan Just Keijser <janj...@nikhef.nl> wrote:
>> I don't know - it's not really a TLS cipher that you want, but a TLSv1
>> connection - the nomenclature is overloaded, however.
>> It does look like a bug in your local openssl lib, as openvpn 2.3.6 works
>> fine with TLSv1 on CentOS 5, which still uses openssl 0.9.8. You can also
>> build and link openvpn statically against an OpenSSL (or even PolarSSL)
>> library so that you would not have a second openssl.so file lying around.
>
> (*le sigh*) Okay. So, I’m sorry to say, that I think I’ve been
> misstating things this whole time. The openssl on my system is in fact
> 0.9.9. But, I failed to notice that the pkgsrc version of openvpn that I was
> using had a prerequisite for OpenSSL 1.0.1c or later, and I apparently
> already had such a beast on my system. I dislike having two versions of
> OpenSSL installed so much that I failed to notice I already did.
>
> Okay. So, back to reality. I took a fuller assessment of things,
> uninstalled the older OpenSSL 1.0.1-whatever, the things that had required
> it, and started building the most recent versions of openvpn (2.3.6) and
> OpenSSL (1.0.2a) that pkgsrc has available.
>
> At this point, I now at least know what OpenSSL and crypto libraries my
> openvpn binary is linked against and can speak more correctly about them.
>
> So, to the earlier email about using the openssl s_server and s_client, this
> time with the relevant server-side binary. It looks just fine. I can
> establish the connection without error. I can’t be sure what openssl
> Tunnelblick is compiled with, as it appears to be statically linked against
> it. The openssl s_client that worked for me just now is 0.9.8zc, but
> Tunnelblick could be using anything.
>
> But, the openvpn failure has now changed! I consider this a success!
>
> Apr 17 11:17:43 bifröst openvpn[17201]: TCP connection established with [AF_INET]A.B.C.D:52232
> Apr 17 11:17:44 bifröst openvpn[17201]: A.B.C.D:52232 TLS: Initial packet from [AF_INET]A.B.C.D:52232, sid=34eff6fb 9e28a600
> Apr 17 11:17:45 bifröst openvpn[17201]: A.B.C.D:52232 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, O=Distal Thoughts, CN=client.outside.net
> Apr 17 11:17:45 bifröst openvpn[17201]: A.B.C.D:52232 TLS_ERROR: BIO read tls_read_plaintext error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
>
> So, my client certificate must be wrong somehow. I generated it by
> following the commands within the easy-rsa scripts, basically. The following
> commands were used, with an openssl.cnf I’ve had around for a long time and
> been using for other things. My CA cert pre-existed as well.
>
> % openssl req -days 730 -nodes -new -newkey rsa:2048 -keyout client.key -out client.csr -config $PWD/openssl.cnf
> % openssl ca -days 731 -out client.crt -in client.csr -md sha1 -config openssl.cnf
>
> Given the error, however, I’m guessing there must be something I’m missing
> to define the “certificate purpose” of my certificate?
>
This is indeed an entirely different error; I'd suggest generating your certificates using the easy-rsa scripts; most likely what you're missing is the X509v3 purpose flag - you can verify this using

  openssl x509 -text -noout -in client.crt

You should see something like

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                [...]
            X509v3 Authority Key Identifier:
                [...]
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
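The purpose flag discussed above, as an added example that is not code from the thread, OpenVPN or easy-rsa: a throwaway CA issues one client certificate with the extensions JJK lists and one with a server-only extendedKeyUsage (one plausible outcome of a reused openssl.cnf; an assumption, not something the thread establishes), then checks both with the x509 dump and with `openssl verify -purpose sslclient`. File names, subjects and the CA are all constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): mint a constructed CA and two client
# certs, then check their TLS-client purpose the way the server does at depth=0.
set -eu
WORK=$(mktemp -d)

# Write an X509v3 extension profile; $2 selects the extendedKeyUsage value.
# clientAuth is what "openssl x509 -text" prints as "TLS Web Client Authentication".
write_ext() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' > "$1"
    printf 'extendedKeyUsage = %s\nsubjectKeyIdentifier = hash\n' "$2" >> "$1"
    printf 'authorityKeyIdentifier = keyid,issuer\n' >> "$1"
}

# Self-signed CA with an explicit CA:TRUE so the purpose check accepts the chain.
make_ca() {
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$WORK/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA (constructed)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca_ext.cnf" -in "$WORK/ca.csr" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue $WORK/client_$1.crt with extendedKeyUsage $2 (clientAuth or serverAuth).
make_client() {
    write_ext "$WORK/ext_$1.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example (constructed)" \
        -keyout "$WORK/client_$1.key" -out "$WORK/client_$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/ext_$1.cnf" \
        -in "$WORK/client_$1.csr" -out "$WORK/client_$1.crt" 2>/dev/null
}

# The check suggested in the reply: does the text dump show the client purpose?
has_client_eku() {
    openssl x509 -text -noout -in "$1" | grep -q 'TLS Web Client Authentication'
}

# The check the server effectively runs: is this a usable TLS client cert?
# Prints "ok" or "unsupported purpose", the latter being what the log showed.
check_client_purpose() {
    if openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
    then echo ok; else echo "unsupported purpose"; fi
}

make_ca
make_client good clientAuth
make_client bad serverAuth
echo "clientAuth profile: $(check_client_purpose "$WORK/client_good.crt")"
echo "serverAuth profile: $(check_client_purpose "$WORK/client_bad.crt")"
```

A certificate with no extendedKeyUsage at all passes this purpose check, so the error in the log points at a profile that actively names a different purpose, not merely at a missing extension.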