
Re: [Openvpn-users] Problems trying to switch over to certificate-based VPN...


  • Subject: Re: [Openvpn-users] Problems trying to switch over to certificate-based VPN...
  • From: "Erik Anderson" <erikba@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 13 Apr 2004 09:44:06 -0700

The thing is that I'm already specifying a ca line.
 
I took the output of an 'openssl pkcs12' command and split it up into the necessary three files.  The ca should be the direct parent of the certificate that I am using.  I did just change the line endings from UNIX to Windows on one side, with no effect.
 
Client: OpenVPN 1.6_rc4 Win32-MinGW [SSL][LZO]
Server: OpenVPN 1.5-beta9 i586-pc-linux-gnu [SSL][LZO][MTU-DYNAMIC]
----- Original Message -----
From: Rob Fowler
Sent: Monday, April 12, 2004 10:32 PM
Subject: Re: [Openvpn-users] Problems trying to switch over to certificate-based VPN...

Erik, I have not tried to use the new version yet but I do know this error is from openssl. You need to somehow specify the public certificate of the issuing authority.
I think that's the CA config parameter in openvpn:
..
ca sample-keys/tmp-ca.crt
 
Hope this helps.
 
 
----- Original Message -----
Sent: Tuesday, April 13, 2004 2:52 PM
Subject: [Openvpn-users] Problems trying to switch over to certificate-based VPN...

I am trying to reconfigure OpenVPN to use TLS encryption (have been using shared-secret for a while now), and have gotten to the point that I am receiving this error message.  I would appreciate any input as to where I should go from here...
 
This is using the most recent non-beta version of OpenVPN.
 
client side:
 
Mon Apr 12 21:48:30 2004 14: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 12 21:48:31 2004 15: VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /OU=Security.Management/CN=OpenVPN.Access.CA/emailAddress=erikba@xxxxxxxxxxxxxxxxx/O=The.TeamWork.Group..Inc./C=US/ST=Washington/L=Bellingham
Mon Apr 12 21:48:31 2004 16: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 12 21:48:31 2004 17: TLS Error: TLS object -> incoming plaintext read error
Mon Apr 12 21:48:31 2004 18: TLS Error: TLS handshake failed
Mon Apr 12 21:48:31 2004 19: TLS Error: Unroutable control packet received from 192.168.5.201:5010 (si=3 op=P_CONTROL_V1)
Mon Apr 12 21:48:31 2004 20: TLS Error: Unroutable control packet received from 192.168.5.201:5010 (si=3 op=P_CONTROL_V1)
Mon Apr 12 21:48:31 2004 21: TLS Error: Unroutable control packet received from 192.168.5.201:5010 (si=3 op=P_CONTROL_V1)
Mon Apr 12 21:48:31 2004 22: TLS: tls_pre_decrypt: first response to initial packet from 192.168.5.201:5010, sid=2a01c03e 1ba98a23
 
server side:
 
Mon Apr 12 21:15:00 2004 29: TLS Error: TLS key negotiation failed to occur within 60 seconds
Mon Apr 12 21:15:00 2004 30: TLS Error: TLS handshake failed
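
An added example, not part of the thread: one way to check whether the file given to `ca` is enough to verify a certificate when both were split out of a PKCS#12 bundle with `openssl pkcs12`. It builds a constructed root, intermediate and server chain and shows that a CA file holding only the direct parent fails `openssl verify` until the self-signed root is appended. The thread does not say whether the direct parent there is itself a root; all names, file names and the password below are invented, and a reasonably current `openssl` CLI is assumed.

```shell
#!/bin/sh
# Constructed demo PKI (all names and the password are invented):
# root CA -> intermediate CA -> server certificate.
set -e

issue() {  # issue <name> <CN> <parent> <extension section>
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 2 -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

build_demo_pki() {
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > pki.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
        -extensions ca -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    issue int "Demo Intermediate CA" root ca
    issue srv "demo-server" int leaf
    # Bundle the server key and cert with only the direct parent, then split
    # the PKCS#12 file into the three PEM files OpenVPN takes (ca, cert, key).
    openssl pkcs12 -export -inkey srv.key -in srv.crt -certfile int.crt \
        -passout pass:demo -out srv.p12
    openssl pkcs12 -in srv.p12 -passin pass:demo -nokeys -cacerts -out ca.pem 2>/dev/null
    openssl pkcs12 -in srv.p12 -passin pass:demo -nokeys -clcerts -out cert.pem 2>/dev/null
    openssl pkcs12 -in srv.p12 -passin pass:demo -nocerts -nodes -out key.pem 2>/dev/null
}

chain_ok() {  # chain_ok <CA file> <cert>: succeeds only if the chain reaches a trusted root
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d) && cd "$work"
build_demo_pki
# Issuer differs from subject, so the extracted CA is not a self-signed root.
openssl x509 -in ca.pem -noout -subject -issuer
cat ca.pem root.crt > ca-full.pem
for f in ca.pem ca-full.pem; do
    if chain_ok "$f" cert.pem; then echo "$f: chain verifies"
    else echo "$f: chain does NOT verify"; fi
done
```

Dropping the output redirection in `chain_ok` shows the depth and error string that `openssl verify` reports for the failing file.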