Another another PolarSSL: ServerKeyExchange handshake failed error

cvanloon
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 5:47 pm

Another another PolarSSL: ServerKeyExchange handshake failed error

Post by cvanloon » Mon Jan 23, 2017 6:42 pm

Hi All,

So I noticed that there have been other similar issues to this on the forums, however, I wasn't able to derive a solution for my situation from any of the previous posts. Hoping someone could take a look at my config and see if they notice anything odd. Basically my .ovpn profiles work on my Windows 7 desktop (just tried it for testing) but it won't work on any of my Android devices using OpenVPN Connect.

Here are the details and THANKS!:

Using my home router (Asus RT-N65U) as the VPN Server, I am able to issue an .ovpn profile file and import it into my Android and Windows devices. It doesn't allow my Android devices to connect, using the OpenVPN Connect app. I believe the issue to be with the OpenVPN Connect app and/or its settings. I have tried to enable/disable multiple settings in the app, such as "VPN Protocol", "Compression", "Force AES-CBC ciphersuites", "Minimum TLS version", "DNS Fallback", etc.

I have tried it on multiple Android devices. Same result on both.

Using the same profile, I am able to connect from a Windows 7 PC, from the same Source IP.


In the system logs on the Router/OpenVPN Server, we see:

Jan 20 08:24:26 openvpn[3287]: <SOURCEIP_redacted>:40235 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:40235, sid=788a686e 2d766483
Jan 20 08:24:29 openvpn[3287]: <SOURCEIP_redacted>:50580 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:50580, sid=1b22387e 7d855d41
Jan 20 08:24:31 openvpn[3287]: <SOURCEIP_redacted>:43392 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:43392, sid=1cb3343f 9496a1d6
Jan 20 08:24:33 openvpn[3287]: <SOURCEIP_redacted>:39421 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:39421, sid=638afb82 4c92f2c9

In the client OpenVPN logs, we see:

08:24:26:910 -- VERIFY OK: depth=0
cert. version :3
serial number :01
issuer name :C=TW, ST=TW, L=Taipei, O=Asus, CN=RT-N65U
emailAddress=me@myhost.mydomain
subject name :C=TW, ST=TW, L=Taipei, O=Asus, CN=RT-N65U
emailAddress=me@myhost.mydomain
issued on :2017-01-18 16:10:55
expires on :2027-01-18 16:10:55
signed using :RSA with SHA1
RSA key size :1024 bits
basic constraints :CA=false
cert. type :SSL Server
key usage :Digital Signature, Key Encipherment
ext key usage :TLS Web Server Authentication

08:24:26:979 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed
08:24:26:984 -- Client terminated, restarting in 2...
08:24:28:994 -- EVENT: RECONNECTING
08:24:29:000 -- EVENT: RESOLVE
08:24:29:005 -- Contacting <DESTINATION IP_redacted>:1194 via UDP
08:24:29:006 -- EVENT: WAIT
08:24:29:041 -- Connecting to [<DESTINATION IP_redacted>]:1194 (<DESTINATION IP_redacted>) via UDPv4
08:24:29:075 -- EVENT: CONNECTING
08:24:29:080 -- Tunnel Options:V4,dev-type tun,link-mtu 1158,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
08:24:29:080 -- Creds: Username/Password
08:24:29:080 -- Peer Info:
IV_GUI_VER=net.openvpn.connect.android 1.1.17-76
IV_VER=3.0.12
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1

Here is the profile:

client
dev tun
proto udp
remote [IP REDACTED] 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[REDACTED]
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[REDACTED]
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by TinCanTech » Mon Jan 23, 2017 8:14 pm

I don't know if this is the cause, however, your client needs --key-direction 1 to use inline <tls-auth>

cvanloon
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 5:47 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by cvanloon » Tue Jan 24, 2017 3:04 pm

Good catch and thanks for the reply, however configuring key-direction did not seem to make any difference. :/

Does it matter where in the client config "key-direction" is? I put it right before <ca>.

Still seems odd to me that my Windows box was able to use the same config and connect without issue... so the App itself (whether it be the apps version/bugs) I still feel is to blame, not necessarily the config.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by TinCanTech » Tue Jan 24, 2017 3:30 pm

What version of openvpn on your server ?

cvanloon
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 5:47 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by cvanloon » Tue Jan 24, 2017 5:13 pm

TinCanTech wrote:What version of openvpn on your server ?
I wish I knew; being embedded in the router firmware, I don't think I can answer that.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by TinCanTech » Tue Jan 24, 2017 6:46 pm

cvanloon wrote:being embedded in the router firmware, I don't think I can answer that
But you can find your server log ..
cvanloon wrote:In the system logs on the Router/OpenVPN Server, we see:

Jan 20 08:24:26 openvpn[3287]: <SOURCEIP_redacted>:40235 TLS: Initial packet from [AF_INET]<SOURCEIP_redacted>:40235, sid=788a686e 2d766483
Read the log ..


The Config files and the Log files are the only way we can offer you support ..
Unless you prefer us to consult the openvpn Crystal Ball ?

cvanloon
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 5:47 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by cvanloon » Tue Jan 24, 2017 7:36 pm

TinCanTech wrote:Read the log ..
Well, the error message, relevant to my config, that I posted obviously didn't have any version. However, I did look back into log entries from when I was playing with other configs and I found this: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 11 2015

So, 2.3.2.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by TinCanTech » Tue Jan 24, 2017 10:30 pm

cvanloon wrote:RSA key size :1024 bits
basic constraints :CA=false
cert. type :SSL Server
key usage :Digital Signature, Key Encipherment
ext key usage :TLS Web Server Authentication

08:24:26:979 -- Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed
I think you may need to create a new PKI at 2048bit .. 1024bit has recently been deemed to be weak and so not accepted by some SSL libraries.

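The client log in this thread shows the server certificate as "RSA key size :1024 bits" and "signed using :RSA with SHA1", and the reply above points at the 1024-bit key as the likely reason the PolarSSL (now mbed TLS) based app rejects the handshake while the Windows client does not: mbed TLS's default certificate profile refuses RSA keys shorter than 2048 bits and SHA-1 signatures. The script below is an added example, not code from the thread or from the OpenVPN project; it parses a DER/PEM X.509 certificate with only the Python standard library, reports the RSA modulus size and signature algorithm, and lists the reasons a strict TLS library would reject it. Because no real certificate can be embedded here, `build_rsa_cert()` constructs a structurally valid but unsigned placeholder certificate (dummy modulus, dummy signature bytes, constructed subject name and dates) purely so the checker has input to run on; in practice you would feed it the `<ca>` or server certificate from the router.

```python
"""Check an X.509 certificate for PKI parameters that strict TLS libraries
reject (RSA < 2048 bits, SHA-1 signatures). Standard library only."""
import base64

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# --- minimal DER encoder, used only to construct the sample certificate ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def der_int(n):
    # (bit_length + 8) // 8 bytes keeps a leading 0x00 so the INTEGER stays positive
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)

def der_alg(oid):
    return der(0x30, der_oid(oid) + der(0x05, b""))

def build_rsa_cert(modulus_bits, sig_oid):
    """Constructed placeholder certificate (hypothetical, NOT validly signed):
    the modulus has exactly modulus_bits bits and the signature is dummy bytes."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der_alg(RSA_ENCRYPTION_OID) + der(0x03, b"\x00" + rsa_pub))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"vpn-server"))))
    validity = der(0x30, der(0x17, b"170118161055Z") + der(0x17, b"270118161055Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + der_alg(sig_oid)
              + name + validity + name + spki)
    return der(0x30, tbs + der_alg(sig_oid) + der(0x03, b"\x00" + b"\x00" * 16))

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def load_pem(pem_text):
    """Strip the BEGIN/END armour and base64-decode, giving DER bytes."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# --- minimal DER parser ---
def _read_tlv(buf, off):
    """Parse one TLV at buf[off]; returns (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    return tag, buf[off:off + length], off + length

def _children(payload):
    out, off = [], 0
    while off < len(payload):
        tag, val, off = _read_tlv(payload, off)
        out.append((tag, val))
    return out

def _decode_oid(body):
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_cert(cert_der):
    """Return the signature algorithm and RSA modulus size of a DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)
    (_, tbs), (_, sig_alg), _ = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:          # optional explicit [0] version
        fields = fields[1:]
    spki_alg, spki_key = _children(fields[5][1])   # serial, sigalg, issuer, validity, subject, spki
    sig_oid = _decode_oid(_children(sig_alg)[0][1])
    info = {"signature_oid": sig_oid, "signature_alg": SIG_ALG_OIDS.get(sig_oid, "unknown"),
            "rsa_bits": None}
    if _decode_oid(_children(spki_alg[1])[0][1]) == RSA_ENCRYPTION_OID:
        rsa_pub = spki_key[1][1:]     # BIT STRING: skip the unused-bits byte
        modulus = _children(_children(rsa_pub)[0][1])[0][1]
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info

def weak_pki_reasons(info, min_rsa_bits=2048):
    """Why a strict library (e.g. mbed TLS's default profile) would reject this cert."""
    reasons = []
    if info["rsa_bits"] is not None and info["rsa_bits"] < min_rsa_bits:
        reasons.append(f"RSA key size {info['rsa_bits']} bits < {min_rsa_bits}")
    if info["signature_alg"] == "sha1WithRSAEncryption":
        reasons.append("certificate signed with SHA-1")
    return reasons

if __name__ == "__main__":
    for bits, oid in ((1024, "1.2.840.113549.1.1.5"), (2048, "1.2.840.113549.1.1.11")):
        info = inspect_cert(load_pem(to_pem(build_rsa_cert(bits, oid))))
        print(bits, info["signature_alg"], weak_pki_reasons(info) or "OK")
```

To check a real profile, paste the text between `<ca>` and `</ca>` (or the server certificate) into `load_pem()` and call `inspect_cert()` on the result; an empty list from `weak_pki_reasons()` means the key size and signature hash are not the problem, and the search should move on to things like `key-direction` or the server's OpenVPN version.
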
cvanloon
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 23, 2017 5:47 pm

Re: Another another PolarSSL: ServerKeyExchange handshake failed error

Post by cvanloon » Tue Jan 24, 2017 10:56 pm

Thanks man, I will give that a try!
