XCA Certs Causing TLS Handshake Failed Errors

Scripts to manage certificates or generate config files


jgelinas3838
OpenVpn Newbie
Posts: 19
Joined: Sun Mar 12, 2017 3:29 pm

XCA Certs Causing TLS Handshake Failed Errors

Post by jgelinas3838 » Mon Mar 20, 2017 12:50 am

I'm using XCA with ssl version 1.02d to create my certificates and keys. I've tried every way from Sunday to create the certs. Same errors occur.

I generate my keys using the PEM (private pem) format.
I generate my certs using the PEM(*.crt) format.
I'm using the xca option of No BMP string, only printable and T61 as the easy rsa seems to do.
I export my keys for the server and it starts fine.
I export my keys for the client and get the following TLS errors on the client:

Sun Mar 19 17:45:36 2017 TLS: Initial packet from [AF_INET]220.220.200.102:1194, sid=bedb1bf5 b140f801
Sun Mar 19 17:45:36 2017 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=NH, L=Manchester, O=jgelinas.com, OU=openvpn.jgelinas.com, CN=openvpn.jgelinas.com Server Certificate, emailAddress=jgelinas3333@gmail.com
Sun Mar 19 17:45:36 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Sun Mar 19 17:45:36 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Mar 19 17:45:36 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Mar 19 17:45:36 2017 TLS Error: TLS handshake failed
Sun Mar 19 17:45:36 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 19 17:45:36 2017 MANAGEMENT: >STATE:1489959936,RECONNECTING,tls-error,,,,,
Sun Mar 19 17:45:36 2017 Restart pause, 5 second(s)
Sun Mar 19 17:45:41 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

I've listed my server and client config files below.
When I create my certs using easy-rsa, everything works perfectly, but, again, I'd rather not use easy-rsa as I don't know what is going on under the covers there.

Server config file is as such:
server
server 10.8.0.0 255.255.255.0
dev tun
proto udp4
port 1194
topology subnet
stale-routes-check 240
connect-retry-max 5
float

persist-key
persist-tun
mlock
syslog OpenVPN
log c:\\openvpn\\log\\OpenVPNLog
status c:\\openvpn\\log\\openvpn-status.log
verb 5

push-peer-info
max-clients 10

tls-server


;ca c:\\openvpn\\easy-rsa\\keys\\ca.crt
;cert c:\\openvpn\\easy-rsa\\keys\\server.crt
;key c:\\openvpn\\easy-rsa\\keys\\server.key # This file should be kept secret

ca c:\\openvpn\\Certs\\Open_vpn_signing_CA.crt
cert c:\\openvpn\\certs\\Open_vpn_server_certificate.crt
key c:\\openvpn\\certs\\openvpnserverkey.pem # This file should be kept secret

dh c:\\OpenVPN\\easy-rsa\\keys\\dh1024.pem

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth c:\\openvpn\\ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC


# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

Client config file is as such:
client
client
remote 220.220.200.102
proto udp4
port 1194

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp4

tls-client
pull

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca c:\\openvpn\\ca.crt
;cert c:\\openvpn\\client1.crt
;key c:\\openvpn\\client1.key

ca c:\\openvpn\\certs\\open_vpn_signing_ca.crt
cert c:\\openvpn\\certs\\open_vpn_client_certificate.crt
key c:\\openvpn\\certs\\Openvpnclientkey.pem

dh c:\\openvpn\\dh1024.pem

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
;remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth c:\\openvpn\\ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by TiTex » Mon Mar 20, 2017 1:21 pm

why are all the duplicate options in your config

jgelinas3838
OpenVpn Newbie
Posts: 19
Joined: Sun Mar 12, 2017 3:29 pm

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by jgelinas3838 » Mon Mar 20, 2017 10:03 pm

dupes are commented out - I expect you mean the ca, cert, and key dupes? Guess there are a few. I'd say ya, it's the dupes but, works fine with the easy-rsa generated certs. What I did notice is that the easy-rsa cert generated as the server cert views differently than my generated server cert from rsa.

easy-rsa:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=NH, L=Manchester, O=OpenVPN, OU=openvpn.jgelinas.com, CN=OpenVPNCA/name=Open VPN CA/emailAddress=jgelinas3333@gmail.com
Validity
Not Before: Mar 19 21:32:09 2017 GMT
Not After : Mar 17 21:32:09 2027 GMT
Subject: C=US, ST=NH, L=Manchester, O=OpenVPN, OU=openvpn.jgelinas.com, CN=OpenVPNServer/name=Open VPN Server/emailAddress=jgelinas3333@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cd:11:74:6b:81:a4:95:b0:6c:0e:2d:4a:cb:04:
2f:cf:ad:12:39:25:61:ac:96:d1:6f:de:9c:41:63:
4f:6e:06:d7:a5:f8:82:1f:95:c3:46:c0:c0:e4:61:
0e:75:f7:05:4e:93:4d:17:0f:01:c7:a1:72:bb:33:
6a:d8:a2:63:5d:90:65:3b:f1:b1:48:d0:aa:af:72:
fa:4d:8f:56:23:a1:18:e5:c4:2f:88:73:65:4b:da:
54:1c:32:81:3b:3b:ed:83:8e:ae:70:46:3a:12:a1:
18:5a:52:7c:ac:8e:96:02:82:e9:c2:92:91:53:00:
e5:9f:9c:37:34:87:b9:bd:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
ED:00:1C:90:49:F4:24:71:16:F0:19:5B:33:F1:6E:0A:BA:7C:C4:62
X509v3 Authority Key Identifier:
keyid:94:70:E3:9E:C6:13:08:29:FE:48:4A:70:01:B7:61:B0:A3:5F:D3:FA
DirName:/C=US/ST=NH/L=Manchester/O=OpenVPN/OU=openvpn.jgelinas.com/CN=OpenVPNCA/name=Open VPN CA/emailAddress=jgelinas3333@gmail.com
serial:9F:02:E9:51:81:D4:2F:BD

X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: md5WithRSAEncryption
66:a9:68:74:19:85:0b:b9:86:67:6f:27:26:45:eb:c2:6c:e9:
96:28:d6:68:b7:17:f9:91:66:ad:3d:23:df:f2:81:c2:58:ac:
b2:c0:06:38:8f:f9:66:e2:2d:f6:53:c0:24:d5:d0:a9:4e:2b:
10:86:a7:d1:fb:26:3a:04:fc:fb:ef:31:fb:8c:7a:27:18:19:
de:82:82:13:a7:ce:43:af:30:f4:7b:d3:e6:e1:dc:da:e8:50:
a5:f2:40:72:fb:e1:2a:cf:42:1f:a4:15:71:86:50:01:30:6f:
93:dd:9e:fd:48:11:5b:6b:7e:0b:41:d9:93:78:5e:df:16:81:
4c:18
-----BEGIN CERTIFICATE-----
MIIEZjCCA8+gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBsTELMAkGA1UEBhMCVVMx
etc..
cYZQATBvk92e/UgRW2t+C0HZk3he3xaBTBg=
-----END CERTIFICATE-----


My XCA generated server cert, generated using the XCA PEM private option:

-----BEGIN CERTIFICATE-----
MIIE/DCCA+SgAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
etc..
nVVJ7QzkVQK5GZnY28ZjJ2aWqCvVYy8h+XZLqMi2LPY=
-----END CERTIFICATE-----

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by TiTex » Tue Mar 21, 2017 1:02 pm

that doesn't matter , the actual base64 cert is between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
you can view the same info in your XCA generated cert with


openssl x509 -in certificate.crt -noout -text

jgelinas3838
OpenVpn Newbie
Posts: 19
Joined: Sun Mar 12, 2017 3:29 pm

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by jgelinas3838 » Wed Mar 22, 2017 2:48 pm

I agree, but, still, it's not working with the cert as it is output as indicated previously. TLS Handshake is failing and it only seems to work when I create a cert like easy-rsa created it, with -text. I have the server key, the server cert (in the format indicated above) and the CA key in the same folder and the config is pointing to each correctly. So, what would cause the TLS handshake to fail.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by TiTex » Thu Mar 23, 2017 2:42 pm

I don't know , check permissions
Also post your current config without the commented out lines use this tag viewtopic.php?f=30&t=21589

jgelinas3838
OpenVpn Newbie
Posts: 19
Joined: Sun Mar 12, 2017 3:29 pm

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by jgelinas3838 » Fri Mar 24, 2017 12:19 am

Server config file is as such:
server
server 10.8.0.0 255.255.255.0
dev tun
proto udp4
port 1194
topology subnet
stale-routes-check 240
connect-retry-max 5
float

persist-key
persist-tun
mlock
syslog OpenVPN
log c:\\openvpn\\log\\OpenVPNLog
status c:\\openvpn\\log\\openvpn-status.log
verb 5

push-peer-info
max-clients 10

tls-server


;ca c:\\openvpn\\easy-rsa\\keys\\ca.crt
;cert c:\\openvpn\\easy-rsa\\keys\\server.crt
;key c:\\openvpn\\easy-rsa\\keys\\server.key # This file should be kept secret

ca c:\\openvpn\\Certs\\Open_vpn_signing_CA.crt
cert c:\\openvpn\\certs\\Open_vpn_server_certificate.crt
key c:\\openvpn\\certs\\openvpnserverkey.pem # This file should be kept secret

dh c:\\OpenVPN\\easy-rsa\\keys\\dh1024.pem

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth c:\\openvpn\\ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC


# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by TiTex » Wed Mar 29, 2017 7:53 am

can you post your CA cert ?
i feel like XCA gives the user too many options when creating the CA , which might be the cause of your issues

if you can't post the CA cert , create a new one and make sure that these Key Usage options are selected


X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
usually you don't need any other options ( Key Usage or Extended Key Usage) for the CA

also , when creating client and server certs take a look at this diagram for the KU and EKU that need to be selected https://community.openvpn.net/openvpn/w ... nnectingto
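
The following script is an added example for this thread, not code from the thread, from OpenVPN, XCA or Easy-RSA. It builds a throwaway test PKI with the openssl command line (the tool TiTex's `openssl x509 -noout -text` suggestion uses), so it assumes `openssl` is on the PATH; every name, path and subject in it is constructed for the example. It does three things the thread touches: it issues a CA with the Key Usage list from the post above and server/client certs with the KU/EKU the client config's comment describes; it runs `openssl verify` against the right CA and against a CA that did not issue the cert, which reproduces the "unable to get local issuer certificate" error from the first post's log; and it compares the leaf's Authority Key Identifier with the CA's Subject Key Identifier, which is the quick way to tell whether the `ca` file in a config is really the issuer of the `cert` file.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN/XCA: build a tiny
# throwaway PKI with openssl, reproduce the chain check that fails in the
# OpenVPN log ("unable to get local issuer certificate"), and inspect the
# KU/EKU values discussed in the thread. All names below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: the CA key usages TiTex lists, and the server/client
# profiles described in the client config's remote-cert-tls comment.
write_conf() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca NAME: self-signed CA using the ca_ext profile
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -config "$WORK/pki.cnf" -extensions ca_ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA PROFILE: key + CSR, signed by CA with the given extension section
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/pki.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# chain_ok CA_CRT LEAF_CRT: the same issuer lookup OpenVPN does at VERIFY depth=0
chain_ok() {
  openssl verify -CAfile "$1" "$2"
}

# has_ext CRT TEXT: true if `openssl x509 -text` shows TEXT (e.g. "TLS Web Server Authentication")
has_ext() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# issuer_matches CA_CRT LEAF_CRT: leaf's Authority Key Identifier equals CA's Subject Key Identifier
issuer_matches() {
  ski=$(openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ {getline; gsub(/ /, ""); print; exit}')
  aki=$(openssl x509 -in "$2" -noout -text |
        awk '/Authority Key Identifier/ {getline; gsub(/ /, ""); sub(/^keyid:/, ""); print; exit}')
  [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

build_pki() {
  write_conf
  make_ca signing_ca          # the CA that really issues the leaf certs
  make_ca unrelated_ca        # a second CA, standing in for a wrong ca.crt in the config
  make_leaf server signing_ca server_ext
  make_leaf client signing_ca client_ext
}

build_pki
echo "--- server cert extensions (what TiTex asks to see):"
openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 -E 'Key Usage|Basic Constraints'
echo "--- verify against the CA that issued it:"
chain_ok "$WORK/signing_ca.crt" "$WORK/server.crt"
echo "--- verify against a CA that did not issue it (the error from the OpenVPN log):"
chain_ok "$WORK/unrelated_ca.crt" "$WORK/server.crt" || true
```

Run it once and compare the two `openssl verify` results: the second one prints the same "unable to get local issuer certificate" text the OpenVPN client logged. Pointing `chain_ok` and `issuer_matches` at the real `ca` and `cert` files from a config answers, without starting OpenVPN, whether the CA file the client trusts is the one that signed the server certificate; `has_ext` then confirms the KU/EKU values before `remote-cert-tls server` is enabled.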

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by Pippin » Wed Mar 29, 2017 10:47 am

Question if I'm allowed.

I always use XCA templates which I created some time ago.
Does KU and EKU Tab need to be critical on CA, server and client cert?
I've never ticked the critical box and I can't/couldn't seem to find solid info on what it does for OpenVPN.
Tree forest story (:

Thanks.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by TiTex » Wed Mar 29, 2017 11:22 am

if you ask me , i would only set the critical flag on options that need higher security like the CA:FALSE = cannot sign certs (i usually set this on server/client certs), in XCA you can set this on the Extensions tab > Basic Constraints > Type = End Entity , tick the Critical checkbox , or just leave it as not defined , won't do you any harm.
this blog post has a fairly good explanation http://www.securesenses.net/2013/05/x50 ... s-non.html

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: XCA Certs Causing TLS Handshake Failed Errors

Post by Pippin » Wed Mar 29, 2017 10:12 pm

Thanks @ sir TiTex
