Using XCA Created Certs/Keys Causes TLS Handshake Error

Posted: Sun Mar 19, 2017 10:05 pm
by jgelinas3838
I'm using XCA with ssl version 1.02d to create my certificates and keys.

I generate my keys using the PEM (private pem) format.
I generate my certs using the PEM(*.crt) format.
I'm using the XCA option of No BMP string, only printable and T61, as easy-rsa seems to do.
I export my keys for the server and it starts fine.
I export my keys for the client and get the following TLS errors on the client:

Sun Mar 19 17:45:36 2017 TLS: Initial packet from [AF_INET], sid=bedb1bf5 b140f801
Sun Mar 19 17:45:36 2017 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=NH, L=Manchester,,, Server Certificate,
Sun Mar 19 17:45:36 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Sun Mar 19 17:45:36 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Mar 19 17:45:36 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Mar 19 17:45:36 2017 TLS Error: TLS handshake failed
Sun Mar 19 17:45:36 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 19 17:45:36 2017 MANAGEMENT: >STATE:1489959936,RECONNECTING,tls-error,,,,,
Sun Mar 19 17:45:36 2017 Restart pause, 5 second(s)
Sun Mar 19 17:45:41 2017 WARNING: No server certificate verification method has been enabled. See for more info.

I've listed my server and client config files below.
When I create my certs using easy-rsa, everything works perfectly, but, again, I'd rather not use easy-rsa as I don't know what is going on under the covers there.

Server config file is as such:

dev tun
proto udp4
port 1194
topology subnet
stale-routes-check 240
connect-retry-max 5

syslog OpenVPN
log c:\\openvpn\\log\\OpenVPNLog
status c:\\openvpn\\log\\openvpn-status.log
verb 5

max-clients 10


;ca c:\\openvpn\\easy-rsa\\keys\\ca.crt
;cert c:\\openvpn\\easy-rsa\\keys\\server.crt
;key c:\\openvpn\\easy-rsa\\keys\\server.key # This file should be kept secret

ca c:\\openvpn\\Certs\\Open_vpn_signing_CA.crt
cert c:\\openvpn\\certs\\Open_vpn_server_certificate.crt
key c:\\openvpn\\certs\\openvpnserverkey.pem # This file should be kept secret

dh c:\\OpenVPN\\easy-rsa\\keys\\dh1024.pem

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
# openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth c:\\openvpn\\ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

Client config file is as such:

proto udp4
port 1194

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp4


# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca c:\\openvpn\\ca.crt
;cert c:\\openvpn\\client1.crt
;key c:\\openvpn\\client1.key

ca c:\\openvpn\\certs\\open_vpn_signing_ca.crt
cert c:\\openvpn\\certs\\open_vpn_client_certificate.crt
key c:\\openvpn\\certs\\Openvpnclientkey.pem

dh c:\\openvpn\\dh1024.pem

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
;remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth c:\\openvpn\\ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
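The client log above fails at depth=0 with "unable to get local issuer certificate", which is OpenSSL saying that the server certificate's issuer is not present in the file named by the client's `ca` directive. Before copying XCA exports into OpenVPN, the chain can be checked offline with the same OpenSSL verification. This is an added example, not code from the post or from XCA/OpenVPN; it builds a constructed throwaway PKI in a temp directory (ca-a signs server.crt, ca-b is an unrelated CA) and assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: reproduce the depth=0 "unable to get local issuer
# certificate" condition offline and show the pre-deployment check.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway PKI (not the poster's real files):
# ca-a signs server.crt, ca-b is an unrelated CA.
make_ca() {  # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_ca ca-a
make_ca ca-b

openssl req -newkey rsa:2048 -nodes -subj "/CN=Server Certificate" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca-a.crt" \
    -CAkey "$WORK/ca-a.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" 2>/dev/null

# chain_ok CAFILE CERT: returns 0 if CERT chains to CAFILE, non-zero
# otherwise. This is the check OpenSSL runs during the OpenVPN handshake,
# so a failure here predicts the VERIFY ERROR seen in the client log.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches CAFILE CERT: quick diagnostic that compares CERT's issuer
# DN with CAFILE's subject DN; a mismatch is the usual cause of the error.
issuer_matches() {
    iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# Demonstration: the right CA verifies, the wrong CA reproduces the error.
chain_ok "$WORK/ca-a.crt" "$WORK/server.crt" && echo "ca-a: chain OK"
chain_ok "$WORK/ca-b.crt" "$WORK/server.crt" || echo "ca-b: verify failed"
```

Run `chain_ok` against the exact `ca` and `cert` files the client config points at; if it fails while `issuer_matches` also fails, the client's CA file is simply not the CA that issued the server certificate.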