Re: [Openvpn-users] using tls-remote to verify server


  • Subject: Re: [Openvpn-users] using tls-remote to verify server
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Tue, 05 Apr 2005 15:31:59 +0000

Erich Titl wrote:

Hi

I use the tls-remote directive on my clients.

The man pages say

*--tls-remote name*
Accept connections only from a host with X509 name or common name equal to *name*


now here is the subject line of the server certificate

Subject: C=CH, L=Schlieren, O=Ruf Telematik, CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx

and this is the client.conf entry

tls-remote openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx

here is the logged error

Tue Apr 05 14:44:37 2005 VERIFY OK: depth=1, /C=CH/L=Schlieren/O=Ruf_Telematik/OU=ASP/CN=AspCA/emailAddress=ca@xxxxxxxxxx

Tue Apr 05 14:44:37 2005 VERIFY X509NAME ERROR: /C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx, must be openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx


It appears as if the CN is not recognized; it tries to use the complete subject for a comparison

here is more info

if I enter the complete subject line in the config file

tls-remote "/C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx"

the following error occurs

Tue Apr 05 15:27:51 2005 VERIFY OK: depth=1, /C=CH/L=Schlieren/O=Ruf_Telematik/OU=ASP/CN=AspCA/emailAddress=ca@xxxxxxxxxx
Tue Apr 05 15:27:51 2005 VERIFY X509NAME ERROR: /C=CH/L=Schlieren/O=Ruf_Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx, must be /C=CH/L=Schlieren/O=Ruf Telematik/CN=openvpn@xxxxxxxxxxxxxxx/emailAddress=openvpn@xxxxxxxxxxxxxxx
Tue Apr 05 15:27:51 2005 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 05 15:27:51 2005 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 05 15:27:51 2005 TLS Error: TLS handshake failed


cheers

Erich

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
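The following is an added illustration, not part of Erich's post and not OpenVPN's own code: a small Python model of the `--tls-remote` comparison as the man page excerpt above describes it (match on the X509 name, or on the common name as a prefix). It rests on two assumptions that are stated in the code: that the subject string being compared is the one OpenVPN logs, with spaces turned into underscores (the log above shows `O=Ruf_Telematik` for a certificate whose subject reads `O=Ruf Telematik`), and that the CN is compared on its own, without the trailing `/emailAddress=...` attribute. The certificate values and e-mail addresses are constructed placeholders standing in for the anonymised ones in the post. Run against both values tried in the post, the model reproduces the two `VERIFY X509NAME ERROR` outcomes and shows which values would pass; it also shows why a short prefix is a weak pin, since any certificate from the same CA whose CN begins with the prefix is accepted.

```python
# Added example (not from the mailing-list post, not OpenVPN source): a model
# of how the --tls-remote check behaves, used to explain the two logged
# "VERIFY X509NAME ERROR" lines and to show which values would match.
#
# ASSUMPTIONS of this model:
#  (1) the subject string compared is the one OpenVPN logs: a one-line
#      "/C=../L=../O=.." form with spaces replaced by underscores (the post's
#      log shows "O=Ruf_Telematik" for the certificate's "O=Ruf Telematik");
#  (2) the check is: exact match on that subject string, OR prefix match on
#      the CN attribute alone, as the man page excerpt in the post describes.
# Certificate values below are constructed; the e-mail addresses are
# placeholders for the anonymised ones in the post.

SERVER_NAME = [
    ("C", "CH"),
    ("L", "Schlieren"),
    ("O", "Ruf Telematik"),
    ("CN", "openvpn@server.example"),
    ("emailAddress", "openvpn@server.example"),
]


def logged_subject(name_parts):
    """Render the name the way the post's log shows it: one line, space -> '_'."""
    oneline = "".join(f"/{attr}={value}" for attr, value in name_parts)
    return oneline.replace(" ", "_")


def common_name(name_parts):
    """Return the CN attribute only (the /emailAddress=... is a separate attribute)."""
    return next(value for attr, value in name_parts if attr == "CN")


def tls_remote_check(tls_remote, name_parts):
    """Model of --tls-remote. Returns 'ok-subject', 'ok-cn-prefix' or 'mismatch'."""
    if not tls_remote:  # an empty value must never match anything
        return "mismatch"
    if tls_remote == logged_subject(name_parts):
        return "ok-subject"
    if common_name(name_parts).startswith(tls_remote):
        return "ok-cn-prefix"
    return "mismatch"


# The two values tried in the post (with placeholder addresses).
TRIED_CN_WITH_EMAIL = "openvpn@server.example/emailAddress=openvpn@server.example"
TRIED_FULL_SUBJECT_SPACES = (
    "/C=CH/L=Schlieren/O=Ruf Telematik"
    "/CN=openvpn@server.example/emailAddress=openvpn@server.example"
)

# Two values that pass under this model: the bare CN, or the subject exactly
# as it appears in the log (underscores, not spaces).
CN_ONLY = "openvpn@server.example"
FULL_SUBJECT_UNDERSCORES = logged_subject(SERVER_NAME)


def prefix_caveat(tls_remote, other_cn):
    """Check tls_remote against a certificate from the same CA whose CN is
    other_cn; shows that a short prefix pins much less than it seems to."""
    other = [(a, other_cn if a == "CN" else v) for a, v in SERVER_NAME]
    return tls_remote_check(tls_remote, other)


if __name__ == "__main__":
    cases = [
        ("CN + emailAddress (post #1)", TRIED_CN_WITH_EMAIL),
        ("subject with spaces (post #2)", TRIED_FULL_SUBJECT_SPACES),
        ("bare CN", CN_ONLY),
        ("logged subject", FULL_SUBJECT_UNDERSCORES),
    ]
    for label, value in cases:
        print(f"{label:32s} -> {tls_remote_check(value, SERVER_NAME)}")
    # A prefix such as "openvpn" also accepts a CN like "openvpn-other".
    print(f"{'prefix openvpn vs openvpn-other':32s} -> "
          f"{prefix_caveat('openvpn', 'openvpn-other')}")
```

The practical takeaway from the model is to pin either the complete CN or the complete subject string exactly as it appears in the `VERIFY` log line, and to avoid short prefixes unless every CN the CA will ever issue with that prefix is meant to be trusted.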

