Another another PolarSSL: ServerKeyExchange handshake failed error
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 23, 2017 5:47 pm
Another another PolarSSL: ServerKeyExchange handshake failed error
Hi All,
So I noticed that there have been other similar issues to this on the forums; however, I wasn't able to derive a solution for my situation from any of the previous posts. Hoping someone could take a look at my config and see if they notice anything odd. Basically my .ovpn profiles work on my Windows 7 desktop (just tried it for testing) but they won't work on any of my Android devices using OpenVPN Connect.
Here are the details and THANKS!:
Using my home router (Asus RT-N65U) as the VPN server, I am able to issue an .ovpn profile file and import it into my Android and Windows devices. It doesn't allow my Android devices to connect using the OpenVPN Connect app. I believe the issue to be with the OpenVPN Connect app and/or its settings. I have tried to enable/disable multiple settings in the app, such as "VPN Protocol", "Compression", "Force AES-CBC ciphersuites", "Minimum TLS version", "DNS Fallback", etc.
I have tried it on multiple Android devices. Same result on both.
Using the same profile, I am able to connect from a Windows 7 PC, from the same Source IP.
In the system logs on the Router/OpenVPN Server, we see:
Jan 20 08:24:26 openvpn[3287]: <SOURCEIP_redacted>:40235 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:40235, sid=788a686e 2d766483
Jan 20 08:24:29 openvpn[3287]: <SOURCEIP_redacted>:50580 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:50580, sid=1b22387e 7d855d41
Jan 20 08:24:31 openvpn[3287]: <SOURCEIP_redacted>:43392 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:43392, sid=1cb3343f 9496a1d6
Jan 20 08:24:33 openvpn[3287]: <SOURCEIP_redacted>:39421 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:39421, sid=638afb82 4c92f2c9
In the client OpenVPN logs, we see:
08:24:26:910 -- VERIFY OK: depth=0
cert. version :3
serial number :01
issuer name :C=TW, ST=TW, L=Taipei, O=Asus, CN=RT-N65U
emailAddress=me@myhost.mydomain
subject name :C=TW, ST=TW, L=Taipei, O=Asus, CN=RT-N65U
emailAddress=me@myhost.mydomain
issued on :2017-01-18 16:10:55
expires on :2027-01-18 16:10:55
signed using :RSA with SHA1
RSA key size :1024 bits
basic constraints :CA=false
cert. type :SSL Server
key usage :Digital Signature, Key Encipherment
ext key usage :TLS Web Server Authentication
08:24:26:979 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed
08:24:26:984 -- Client terminated, restarting in 2...
08:24:28:994 -- EVENT: RECONNECTING
08:24:29:000 -- EVENT: RESOLVE
08:24:29:005 -- Contacting <DESTINATION IP_redacted>:1194 via UDP
08:24:29:006 -- EVENT: WAIT
08:24:29:041 -- Connecting to [<DESTINATION IP_redacted>]:1194 (<DESTINATION IP_redacted>) via UDPv4
08:24:29:075 -- EVENT: CONNECTING
08:24:29:080 -- Tunnel Options:V4,dev-type tun,link-mtu 1158,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
08:24:29:080 -- Creds: Username/Password
08:24:29:080 -- Peer Info:
IV_GUI_VER=net.openvpn.connect.android 1.1.17-76
IV_VER=3.0.12
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
Here is the profile:
client
dev tun
proto udp
remote [IP REDACTED] 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[REDACTED]
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[REDACTED]
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
I don't know if this is the cause, however, your client needs --key-direction 1 to use inline <tls-auth>
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 23, 2017 5:47 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
Good catch and thanks for the reply, however configuring key-direction did not seem to make any difference. :/
Does it matter where in the client config "key-direction" is? I put it right before <ca>.
Still seems odd to me that my Windows box was able to use the same config and connect without issue... so the app itself (whether it be the app's version/bugs) I still feel is to blame, not necessarily the config.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
What version of openvpn on your server ?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 23, 2017 5:47 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
TinCanTech wrote:
What version of openvpn on your server ?
I wish I knew; being embedded in the router firmware, I don't think I can answer that.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
cvanloon wrote:
being embedded in the router firmware, I don't think I can answer that
But you can find your server log ..
cvanloon wrote:
In the system logs on the Router/OpenVPN Server, we see:
Jan 20 08:24:26 openvpn[3287]: <SOURCEIP_redacted>:40235 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:40235, sid=788a686e 2d766483
Read the log ..
The Config files and the Log files are the only way we can offer you support ..
Unless you prefer us to consult the openvpn Crystal Ball ?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 23, 2017 5:47 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
TinCanTech wrote:
Read the log ..
Well, the error message, relevant to my config, that I posted obviously didn't have any version. However, I did look back into log entries from when I was playing with other configs and I found this:
OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 11 2015
So, 2.3.2.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
cvanloon wrote:
RSA key size :1024 bits
basic constraints :CA=false
cert. type :SSL Server
key usage :Digital Signature, Key Encipherment
ext key usage :TLS Web Server Authentication
08:24:26:979 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed
I think you may need to create a new PKI at 2048bit .. 1024bit has recently been deemed to be weak and so not accepted by some SSL libraries.
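The two points raised in this thread (an inline <tls-auth> block with no key-direction, and a 1024-bit, SHA-1-signed server certificate that the Android client's TLS library rejects) are both visible in the profile and the client log the poster shared. The following lint is an added example, not code from the thread, from OpenVPN or from the OpenVPN Connect app: it parses an .ovpn profile and the client's certificate dump and reports those conditions. The sample profile and log lines below are constructed to mirror what was posted (placeholder hostname, redacted key material), and the 2048-bit floor is the value TinCanTech recommends above.

```python
import re

# Constructed sample profile modelled on the one posted in the thread.
# Certificate and key material is a placeholder, not real PEM data.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[REDACTED]
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind
"""

# Constructed sample of the OpenVPN Connect certificate dump from the thread.
SAMPLE_CLIENT_LOG = """08:24:26:910 -- VERIFY OK: depth=0
cert. version :3
signed using :RSA with SHA1
RSA key size :1024 bits
basic constraints :CA=false
08:24:26:979 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed
"""

MIN_RSA_BITS = 2048  # floor recommended in the thread


def parse_profile(text):
    """Split an .ovpn profile into top-level options and inline <tag> blocks."""
    options, inline = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:
            closing, tag = m.group(1) == "/", m.group(2)
            if closing:
                inline[tag] = "\n".join(body)
                current, body = None, []
            else:
                current, body = tag, []
            continue
        if current is not None:
            body.append(line)
        else:
            parts = line.split(None, 1)
            options[parts[0]] = parts[1] if len(parts) > 1 else ""
    return options, inline


def lint_profile(text):
    """Return findings for a client profile (empty list when nothing is flagged)."""
    options, inline = parse_profile(text)
    findings = []
    if "tls-auth" in inline and "key-direction" not in options:
        findings.append("inline <tls-auth> present but no key-direction option "
                        "(a client normally needs 'key-direction 1')")
    elif options.get("key-direction", "1") not in ("0", "1"):
        findings.append("key-direction must be 0 or 1, got %r" % options["key-direction"])
    if "ns-cert-type" in options:
        findings.append("ns-cert-type is deprecated; prefer 'remote-cert-tls server'")
    return findings


def scan_client_log(text):
    """Flag weak server-certificate parameters in an OpenVPN Connect log."""
    findings = []
    m = re.search(r"RSA key size\s*:\s*(\d+)\s*bits", text)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append("server certificate RSA key is %s bits (< %d); rebuild the PKI "
                        "with a larger key" % (m.group(1), MIN_RSA_BITS))
    m = re.search(r"signed using\s*:\s*(.+)", text)
    if m and re.search(r"\bSHA-?1\b", m.group(1), re.IGNORECASE):
        findings.append("server certificate signed using %s; reissue with SHA-256"
                        % m.group(1).strip())
    if "ServerKeyExchange handshake message failed" in text and findings:
        findings.append("ServerKeyExchange failure follows a weak-certificate dump; "
                        "the rejected server key is the likely cause")
    return findings


if __name__ == "__main__":
    for f in lint_profile(SAMPLE_PROFILE) + scan_client_log(SAMPLE_CLIENT_LOG):
        print("-", f)
```

The lint treats any top-level line as an option, so `key-direction 1` placed before `<ca>`, as the poster did, is picked up the same as anywhere else; what it cannot tell you is whether the server side accepts the result, which is why the log scan is paired with it.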
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jan 23, 2017 5:47 pm
Re: Another another PolarSSL: ServerKeyExchange handshake failed error
Thanks man, I will give that a try!