openvpn
Ziptar, 2015-10-12 00:44:43

OVPN TLS Error: TLS key negotiation failed, after the server certificate has been verified. Why?!?!?

OVPN server: MikroTik; OVPN client: Windows
server config:

 > interface ovpn-server server print 
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: FE:9F:0B:F7:CB:D9
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: PPP_Server
                 certificate: cert4
  require-client-certificate: yes
                        auth: sha1
                      cipher: blowfish128

client config:
client
dev tun
proto tcp
remote ovpn.ml.ziptar.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 4
--connect-retry 60

Sun Oct 11 23:39:31 2015 us=376834 Current Parameter Settings:
(the current parameter list has been cut out: at more than 10,000 characters, Toster would not accept it)
Sun Oct 11 23:39:32 2015 us=17340 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sun Oct 11 23:39:32 2015 us=19342 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Private Key Password:
Sun Oct 11 23:39:38 2015 us=627780 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 11 23:39:38 2015 us=633773 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:3 ]
Sun Oct 11 23:39:38 2015 us=633773 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Oct 11 23:39:38 2015 us=637778 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Oct 11 23:39:38 2015 us=637778 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Oct 11 23:39:38 2015 us=638782 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Oct 11 23:39:38 2015 us=655792 Local Options hash (VER=V4): 'db02a8f8'
Sun Oct 11 23:39:38 2015 us=656788 Expected Remote Options hash (VER=V4): '7e068940'
Sun Oct 11 23:39:38 2015 us=656788 Attempting to establish TCP connection with [AF_INET]95.31.27.23:1194 [nonblock]
Sun Oct 11 23:39:39 2015 us=663222 TCP connection established with [AF_INET]95.31.27.23:1194
Sun Oct 11 23:39:39 2015 us=663222 TCPv4_CLIENT link local: [undef]
Sun Oct 11 23:39:39 2015 us=663222 TCPv4_CLIENT link remote: [AF_INET]95.31.27.23:1194
Sun Oct 11 23:39:39 2015 us=666219 TLS: Initial packet from [AF_INET]95.31.27.23:1194, sid=0fc9eb4e dea8cee0
Sun Oct 11 23:39:39 2015 us=751116 VERIFY OK: depth=1, C=RU, O=Ziptar.Net, OU=Ziptar.Net Main Lair CA, CN=Ziptar.Net Main Lair Certification Authority
Sun Oct 11 23:39:39 2015 us=752117 Validating certificate key usage
Sun Oct 11 23:39:39 2015 us=752117 ++ Certificate has key usage  00a0, expects 00a0
Sun Oct 11 23:39:39 2015 us=755119 VERIFY KU OK
Sun Oct 11 23:39:39 2015 us=757282 Validating certificate extended key usage
Sun Oct 11 23:39:39 2015 us=759447 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 11 23:39:39 2015 us=762598 VERIFY EKU OK
Sun Oct 11 23:39:39 2015 us=764603 VERIFY OK: depth=0, C=RU, O=Ziptar.Net, OU=Ziptar.Net Main Lair, CN=Ziptar.Net Main Lair OVPN Server Certificate
Sun Oct 11 23:40:40 2015 us=242140 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct 11 23:40:40 2015 us=242140 TLS Error: TLS handshake failed
Sun Oct 11 23:40:40 2015 us=243132 Fatal TLS error (check_tls_errors_co), restarting
Sun Oct 11 23:40:40 2015 us=247138 TCP/UDP: Closing socket
Sun Oct 11 23:40:40 2015 us=250137 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 11 23:40:40 2015 us=252138 Restart pause, 60 second(s)

On the MikroTik server, the client-ip(external):1194->server-ip:1194 connection is in the ESTABLISHED state;
on the router behind which the Windows machine sits, likewise;
netstat on the Windows machine shows:
TCP 172.16.12.13:51360 95-31-27-23:1194 ESTABLISHED
I just don't understand why the packet exchange in the server log goes through hyphens and ends with the line:
using encryption BF-128-CBC/SHA1
Key usage of the server certificate:
KU 0xa0: Digital Signature, Key Encipherment
EKU: TLS Web Server Authentication
i.e. exactly what ovpn wants.
Client certificate:
KU: Digital Signature, Key Encipherment, Data Encipherment
EKU: TLS Web Client Authentication
So what does it want from me? :(


3 answer(s)
Ziptar, 2015-10-12
@Ziptar

Figured it out.
1) The CN of the server certificate must equal its FQDN or IP, but that's fine.
2) I don't know how it is in the "native" ovpn, but in the MikroTik implementation of the ovpn server there are 2 connection options:
a. login-password
b. certificate AND login-password
The certificate-only option is missing.
UPD: the CRL host is hard-coded by IP address, only Winbox doesn't say a word about it, and if an FQDN is specified it quietly creates a self-signed CA without a CRL. ><
Deleted (because I'm a klutz and it's all lies): And fine, I would even be glad, but in ROS a client certificate cannot be tied to a user, and ROS's PKI does not support automatic CRL creation, not to mention that the mass user has nowhere to store this CRL.
Which makes the support for client certificates, so to speak, less useful than one would like, and the point of per-user client certificates generally drops to zero.

This config is for home use anyway; let's see how it goes in a work environment with Windows Server PKI and RADIUS authentication; but... later.
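An added example, not code from the original post or from MikroTik or OpenVPN: a small Python checker that parses the RouterOS `print` output and the client .ovpn from the question, reports options the RouterOS OVPN server would not accept, and classifies from the client log where the TLS handshake stopped. The RouterOS-to-OpenVPN name mappings and the rules "TCP only" and "a username/password is always required, a client certificate alone is not accepted" are assumptions about RouterOS 6 behaviour, consistent with what the answer above found; the sample inputs are constructed from the question.

```python
# Constructed sample inputs, copied from the question: the RouterOS
# `interface ovpn-server server print` output and the client .ovpn file.
ROUTEROS_PRINT = """\
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 24
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: PPP_Server
                 certificate: cert4
  require-client-certificate: yes
                        auth: sha1
                      cipher: blowfish128
"""

CLIENT_OVPN = """\
client
dev tun
proto tcp
remote ovpn.ml.ziptar.net 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
--connect-retry 60
"""

# Constructed excerpt of the client log from the question.
CLIENT_LOG = """\
TLS: Initial packet from [AF_INET]95.31.27.23:1194, sid=0fc9eb4e dea8cee0
VERIFY OK: depth=1, C=RU, O=Ziptar.Net, CN=Ziptar.Net Main Lair Certification Authority
VERIFY OK: depth=0, C=RU, O=Ziptar.Net, CN=Ziptar.Net Main Lair OVPN Server Certificate
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
"""

# Assumed RouterOS 6 OVPN names mapped to the OpenVPN option values they correspond to.
CIPHER_MAP = {"blowfish128": "BF-CBC", "aes128": "AES-128-CBC",
              "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
AUTH_MAP = {"md5": "MD5", "sha1": "SHA1", "null": "none"}
MODE_MAP = {"ip": "tun", "ethernet": "tap"}


def parse_routeros_print(text):
    """Turn the 'key: value' lines of a RouterOS print into a dict."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def parse_ovpn(text):
    """Map each .ovpn option name to its argument list; a leading '--' is allowed."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.lstrip("-").split()
        opts[parts[0]] = parts[1:]
    return opts


def check_client_against_server(server, client):
    """Return the mismatches between a RouterOS OVPN server and a client .ovpn."""
    problems = []
    want_dev = MODE_MAP[server["mode"]]
    if client.get("dev", [""])[0] != want_dev:
        problems.append(f"dev: server mode '{server['mode']}' needs 'dev {want_dev}'")
    if client.get("proto", ["udp"])[0] != "tcp":
        problems.append("proto: the RouterOS 6 OVPN server accepts TCP only (assumption)")
    remote = client.get("remote", [])
    port = remote[1] if len(remote) > 1 else "1194"
    if port != server["port"]:
        problems.append(f"port: client uses {port}, server listens on {server['port']}")
    want_cipher = CIPHER_MAP[server["cipher"]]
    have_cipher = client.get("cipher", ["BF-CBC"])[0]   # OpenVPN 2.3 default
    if have_cipher != want_cipher:
        problems.append(f"cipher: client {have_cipher}, server needs {want_cipher}")
    want_auth = AUTH_MAP[server["auth"]]
    have_auth = client.get("auth", ["SHA1"])[0]         # OpenVPN 2.3 default
    if have_auth != want_auth:
        problems.append(f"auth: client {have_auth}, server needs {want_auth}")
    if server["require-client-certificate"] == "yes" and not ("cert" in client and "key" in client):
        problems.append("cert/key: server requires a client certificate")
    if "auth-user-pass" not in client:
        problems.append("auth-user-pass: RouterOS OVPN always checks a PPP secret "
                        "(username/password); a client certificate alone is not accepted")
    return problems


def handshake_stage(log_text):
    """Classify from the client log where the TLS handshake stopped."""
    if "TLS: Initial packet" not in log_text:
        return "no TLS reply: network or port problem"
    if "VERIFY ERROR" in log_text:
        return "server certificate rejected: CA or KU/EKU problem"
    if "VERIFY OK: depth=0" in log_text and "TLS handshake failed" in log_text:
        return "server certificate verified, then stalled: options or username/password problem"
    return "handshake completed"


if __name__ == "__main__":
    server = parse_routeros_print(ROUTEROS_PRINT)
    for problem in check_client_against_server(server, parse_ovpn(CLIENT_OVPN)):
        print(problem)
    print(handshake_stage(CLIENT_LOG))
```

Run as a script, the checker reports only the missing `auth-user-pass` line for the posted config, and the log classifier places the failure after the server certificate was verified, which is why regenerating the CA or certificates would not have helped here.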

Stanislav Makarov, 2015-10-12
@Nipheris

I would advise checking whether the client certificates are generated correctly and whether the same ca.cert is used at both ends. Try regenerating everything if that's not too hard.

Hardyn, 2016-08-31
@Hardyn

Set the cipher/encryption to SHA 256
