by svist » Mon Aug 17, 2015 10:01 am
svist wrote: Anyone migrated the config to NetworkManager? (Fedora 21 here)
I thought I copied all settings there, but it won't connect -- so I must be missing something :\
Okay, I've figured out my issue. It looks like the server-side certificate is not marked as "Server".
The option is a checkbox/dropdown combo that says "Verify peer (server) certificate usage signature" and "Remote peer certificate TLS type: Server/Client"
I had enabled the option and chosen Server.
/var/log/messages didn't explicitly say anything, just:
Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS Error: TLS object -> incoming plaintext read error
Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS Error: TLS handshake failed
Aug 17 09:52:33 mypc nm-openvpn[22027]: SIGUSR1[soft,tls-error] received, process restarting
To see the error, I had to run:
# /usr/libexec/nm-openvpn-service --debug
...
Mon Aug 17 09:55:18 2015 us=469940 BIO write tls_write_ciphertext 100 bytes
Mon Aug 17 09:55:18 2015 us=469946 Incoming Ciphertext -> TLS
Mon Aug 17 09:55:18 2015 us=470122 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Aug 17 09:55:18 2015 us=470267 Certificate does not have key usage extension
Mon Aug 17 09:55:18 2015 us=470276 VERIFY KU ERROR
Mon Aug 17 09:55:18 2015 us=470290 SSL alert (write): fatal: certificate unknown
Mon Aug 17 09:55:18 2015 us=470308 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55db648b1bf0, ptr=(nil), ad=0x55db648b1c50, idx=0, argl=0, argp=0x7fe31a0788e3
Mon Aug 17 09:55:18 2015 us=470329 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Aug 17 09:55:18 2015 us=470337 TLS Error: TLS object -> incoming plaintext read error
Mon Aug 17 09:55:18 2015 us=470344 TLS Error: TLS handshake failed
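The "Certificate does not have key usage extension" / "VERIFY KU ERROR" lines are OpenVPN's remote-cert-tls server check (what that NetworkManager option turns on) rejecting a server certificate that carries no keyUsage extension; the check exists so that a client certificate issued by the same CA cannot be presented as the server, so the durable fix is to reissue the server certificate with the right key usage rather than to turn the check off. The following is an added example, not code from the post, that reads those two extensions out of a DER certificate with only the Python standard library and applies OpenVPN 2.3's rule; sample_cert builds a constructed skeleton certificate for testing, not a real one.

```python
# Added example (not from the post): stdlib-only check of the keyUsage / extendedKeyUsage
# values OpenVPN's `remote-cert-tls server` expects; sample_cert is a constructed skeleton.
KU_OID, EKU_OID = b"\x55\x1d\x0f", b"\x55\x1d\x25"          # 2.5.29.15, 2.5.29.37
SERVER_AUTH = b"\x2b\x06\x01\x05\x05\x07\x03\x01"           # 1.3.6.1.5.5.7.3.1

def tlv(data, pos=0):
    """Decode one DER element at pos -> (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each element inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        yield tag, val

def usage_from_cert(cert_der):
    """Return (keyUsage first byte or None, list of EKU OIDs as DER bytes)."""
    tbs = tlv(tlv(cert_der)[1])[1]                           # tbsCertificate = first field
    ext_field = [val for tag, val in children(tbs) if tag == 0xA3]   # [3] EXPLICIT Extensions
    ku, eku = None, []
    for _, ext in (children(tlv(ext_field[0])[1]) if ext_field else ()):
        fields = list(children(ext))                         # OID, [critical], OCTET STRING
        body = tlv(fields[-1][1])[1]                         # DER value inside the OCTET STRING
        if fields[0][1] == KU_OID:
            ku = body[1]                                     # body[0] = unused-bit count
        elif fields[0][1] == EKU_OID:
            eku = [oid for _, oid in children(body)]
    return ku, eku

def remote_cert_tls_server_ok(ku, eku):
    """OpenVPN 2.3 rule: KU exactly 0xA0 (digSig+keyEnc) or 0x88 (digSig+keyAgree), EKU has serverAuth."""
    return ku in (0xA0, 0x88) and SERVER_AUTH in eku

def der(tag, *parts):                                        # short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_cert(ku_byte=None, eku_oids=()):                  # constructed, not a real cert
    exts = []
    if ku_byte is not None:                                  # BIT STRING: unused bits, mask
        bits = bytes([(ku_byte & -ku_byte).bit_length() - 1, ku_byte])
        exts.append(der(0x30, b"\x06\x03" + KU_OID, der(0x04, der(0x03, bits))))
    if eku_oids:
        oids = der(0x30, *(der(0x06, o) for o in eku_oids))
        exts.append(der(0x30, b"\x06\x03" + EKU_OID, der(0x04, oids)))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01",     # version, serial
              *[der(0x30)] * 5, der(0xA3, der(0x30, *exts)))        # stubs, extensions
    return der(0x30, tbs, der(0x30), b"\x03\x01\x00")
```

On a real certificate, `usage_from_cert(open("server.crt", "rb").read())` works when the file is DER; a PEM file must be base64-decoded between its BEGIN/END lines first.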
Here's my currently-working NetworkManager-exported config:
client
remote beta.vpn.sonic.net
ca /home/user/.cert/sonic.net-ca.crt
cert /home/user/.cert/sonic.net-svist-cert.crt
key /home/user/.cert/sonic.net-svist-key.key
auth-user-pass
reneg-sec 604800
cipher AES-128-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /home/user/.cert/sonic.net-tls_key.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn
And, as expected, all 4 files were in the imported file (see message right above this one).