Hi,

turns out that this happens when combining --tls-crypt-v2 keys with peer-fingerprint mode. Maybe it has nothing to do with peer-fingerprint mode or --reneg-sec either.

Client logs:

Without --tls-crypt-v2 key (No --tls-* key at all)

2021-05-19 20:35:45 us=25803 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=c49ce550 80599fa6
2021-05-19 20:35:45 us=32200 VERIFY OK: depth=0, CN=s1
2021-05-19 20:35:45 us=32810 VERIFY OK: depth=0, CN=s1
2021-05-19 20:35:45 us=42552 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'

With --tls-crypt-v2 key

2021-05-19 20:59:43 us=349608 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=9166d66f fac63d82
2021-05-19 20:59:43 us=362301 VERIFY OK: depth=0, CN=wiscii
2021-05-19 20:59:43 us=363091 VERIFY OK: depth=0, CN=wiscii
2021-05-19 20:59:43 us=364036 VERIFY OK: depth=0, CN=wiscii
2021-05-19 20:59:43 us=422371 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'

Verified both setups are using peer-fingerprint mode, No CA.

If there is interest I'll trac it .. maybe add it to https://community.openvpn.net/openvpn/ticket/1310

Thanks
R

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, 16 May 2021 10:35, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:

> Hi,
>
> in peer-fingerprint mode during --reneg-sec cycle, there appears to be
> an uneven round of TLS-Verify taking place.
>
> On the server I see two rounds of verify, on the client I see three rounds.
> The configs are more or less generic, the only exception being that the server
> has a script configured for --tls-verify
>
> I am only curious, if this is meant to be the case ?
>
> Logs at verb 4:
>
> - Server
>
> 2021-05-16 10:05:52 us=351436 arch/10.10.201.226:36798 TLS: soft reset sec=3517/3517 bytes=4666/-1 pkts=118/0
>
> Ignoring unknown option: CN
> <EXOK> * EasyTLS-verify ==> Recognised Client cert serial
>
> 2021-05-16 10:05:52 us=381536 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
> 2021-05-16 10:05:52 us=381629 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
>
> Ignoring unknown option: CN
> <EXOK> * EasyTLS-verify ==> Recognised Client cert serial
> 2021-05-16 10:05:52 us=388179 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
> 2021-05-16 10:05:52 us=388260 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
> 2021-05-16 10:05:52 us=388972 arch/10.10.201.226:36798 peer info: IV_VER=2.6_git
>
> - Client
>
> 2021-05-16 10:05:52 us=286687 VERIFY OK: depth=0, CN=wiscii
> 2021-05-16 10:05:52 us=290195 VERIFY OK: depth=0, CN=wiscii
> 2021-05-16 10:05:52 us=291238 VERIFY OK: depth=0, CN=wiscii
> 2021-05-16 10:05:52 us=312385 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
>
> Thanks
> R
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
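For comparing verify rounds between setups like the ones in this message, here is an added example (not part of the original post and not OpenVPN or EasyTLS code) that counts `VERIFY OK` lines per handshake burst in verb 4 logs. The function name and the one-second grouping window are assumptions; the sample lines are copied from the 16 May logs above with the e-mail line wraps rejoined.

```python
import re
from datetime import datetime, timedelta

# Matches client lines ("... us=N VERIFY OK: ...") and server lines, which carry
# a "name/ip:port" peer prefix. "VERIFY SCRIPT OK" lines are deliberately skipped.
VERIFY_OK = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=(?P<us>\d+) "
    r"(?:(?P<peer>\S+) )?VERIFY OK: depth=(?P<depth>\d+), CN=(?P<cn>\S+)"
)

def verify_rounds(log_text, window=timedelta(seconds=1)):
    """Group VERIFY OK lines per (peer, CN) into bursts no more than `window` apart."""
    bursts = []        # all bursts, ordered by their first line
    open_by_key = {}   # (peer, cn) -> most recent burst for that peer
    for line in log_text.splitlines():
        m = VERIFY_OK.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ts += timedelta(microseconds=int(m["us"]))
        key = (m["peer"], m["cn"])
        cur = open_by_key.get(key)
        if cur is None or ts - cur["last"] > window:
            cur = {"peer": key[0], "cn": key[1], "start": ts, "count": 0}
            open_by_key[key] = cur
            bursts.append(cur)
        cur["count"] += 1
        cur["last"] = ts
    return bursts

# Sample input: lines from the quoted 16 May logs, wrapped lines rejoined.
SERVER_LOG = """\
2021-05-16 10:05:52 us=351436 arch/10.10.201.226:36798 TLS: soft reset sec=3517/3517 bytes=4666/-1 pkts=118/0
2021-05-16 10:05:52 us=381536 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
2021-05-16 10:05:52 us=381629 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
2021-05-16 10:05:52 us=388179 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
2021-05-16 10:05:52 us=388260 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
"""
CLIENT_LOG = """\
2021-05-16 10:05:52 us=286687 VERIFY OK: depth=0, CN=wiscii
2021-05-16 10:05:52 us=290195 VERIFY OK: depth=0, CN=wiscii
2021-05-16 10:05:52 us=291238 VERIFY OK: depth=0, CN=wiscii
2021-05-16 10:05:52 us=312385 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
"""

if __name__ == "__main__":
    for side, log in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        for b in verify_rounds(log):
            print(side, b["start"], b["peer"], b["cn"], "rounds:", b["count"])
```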