Setting simple OpenVPN using PKCS11 in Dockers

jjimenez-grd
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 06, 2018 7:51 am


Post by jjimenez-grd » Wed Jun 06, 2018 8:57 am

Hi,

As I mentioned in the title, I'm trying to set up a simple OpenVPN which is able to use certs and keys from a PKCS#11 device, using our own library.

The point is that the errors I'm getting right now don't seem to be related to the PKCS#11 library itself, besides having no errors in the library's log. It works with local cert and key files, however. More details below.

These are the configuration files:
Server Config

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
tls-server
dh /etc/openvpn/dh2048.pem
#ca /etc/openvpn/ca-chain.cert.pem
ca /tmp/ca.crt
#cert /tmp/ovpn-easy-server.crt
#key /tmp/ovpn-easy-server.key
server 10.8.0.0 255.255.255.0
#keysize 256
pkcs11-providers /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
pkcs11-id 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D736572766572'
pkcs11-pin-cache 600
pkcs11-cert-private 1

#cipher AES-256-CBC
cipher AES-256-GCM
keysize 256
#user nobody
#group nogroup
persist-key
persist-tun
log /tmp/ovpn-server.log
status /tmp/ovpn-status.log
verb 4
#verb 11
#verb 3
explicit-exit-notify 1

remote-cert-tls client
#auth none


Client Config

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
tls-client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
#dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
#dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
#proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
#remote my-server-1 1194
#remote 10.5.0.135 1194
#remote 172.17.0.2 1194
remote ovpn 1194
#remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
#remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
#;http-proxy-retry # retry on connection failures
#;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
#mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca /etc/openvpn/ca-chain.cert.pem
ca /tmp/ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
#cipher AES-256-CBC
cipher AES-256-GCM

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
;mute 10

log /tmp/ovpn-client.log

## PKCS#11
pkcs11-providers /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
pkcs11-id 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D636C69656E74'
pkcs11-pin-cache 600
pkcs11-cert-private 1

keysize 256

nobind
#auth none

#cert /tmp/ovpn-easy-client.crt
#key /tmp/ovpn-easy-client.key


The error is (as you can see in the server's log below) basically that the server is not able to verify the authenticity of the client, although both certs are created directly inside PKCS#11 and they're both signed with the same CA.

Code:

Wed Jun  6 08:38:28 2018 us=79220 Current Parameter Settings:
Wed Jun  6 08:38:28 2018 us=79271   config = 'ovpn-server.ovpn'
Wed Jun  6 08:38:28 2018 us=79291   mode = 1
Wed Jun  6 08:38:28 2018 us=79306   persist_config = DISABLED
Wed Jun  6 08:38:28 2018 us=79321   persist_mode = 1
Wed Jun  6 08:38:28 2018 us=79337   show_ciphers = DISABLED
Wed Jun  6 08:38:28 2018 us=79352   show_digests = DISABLED
Wed Jun  6 08:38:28 2018 us=79366   show_engines = DISABLED
Wed Jun  6 08:38:28 2018 us=79380   genkey = DISABLED
Wed Jun  6 08:38:28 2018 us=79395   key_pass_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79409   show_tls_ciphers = DISABLED
Wed Jun  6 08:38:28 2018 us=79424   connect_retry_max = 0
Wed Jun  6 08:38:28 2018 us=79439 Connection profiles [0]:
Wed Jun  6 08:38:28 2018 us=79454   proto = udp
Wed Jun  6 08:38:28 2018 us=79469   local = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79483   local_port = '1194'
Wed Jun  6 08:38:28 2018 us=79497   remote = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79511   remote_port = '1194'
Wed Jun  6 08:38:28 2018 us=79526   remote_float = DISABLED
Wed Jun  6 08:38:28 2018 us=79540   bind_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=79555   bind_local = ENABLED
Wed Jun  6 08:38:28 2018 us=79570   bind_ipv6_only = DISABLED
Wed Jun  6 08:38:28 2018 us=79585   connect_retry_seconds = 5
Wed Jun  6 08:38:28 2018 us=79599   connect_timeout = 120
Wed Jun  6 08:38:28 2018 us=79614   socks_proxy_server = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79637   socks_proxy_port = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79652   tun_mtu = 1500
Wed Jun  6 08:38:28 2018 us=79667   tun_mtu_defined = ENABLED
Wed Jun  6 08:38:28 2018 us=79681   link_mtu = 1500
Wed Jun  6 08:38:28 2018 us=79695   link_mtu_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=79710   tun_mtu_extra = 0
Wed Jun  6 08:38:28 2018 us=79724   tun_mtu_extra_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=79739   mtu_discover_type = -1
Wed Jun  6 08:38:28 2018 us=79753   fragment = 0
Wed Jun  6 08:38:28 2018 us=79768   mssfix = 1450
Wed Jun  6 08:38:28 2018 us=79782   explicit_exit_notification = 1
Wed Jun  6 08:38:28 2018 us=79798 Connection profiles END
Wed Jun  6 08:38:28 2018 us=79812   remote_random = DISABLED
Wed Jun  6 08:38:28 2018 us=79826   ipchange = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79840   dev = 'tun'
Wed Jun  6 08:38:28 2018 us=79854   dev_type = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79868   dev_node = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79882   lladdr = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79897   topology = 1
Wed Jun  6 08:38:28 2018 us=79912   ifconfig_local = '10.8.0.1'
Wed Jun  6 08:38:28 2018 us=79926   ifconfig_remote_netmask = '10.8.0.2'
Wed Jun  6 08:38:28 2018 us=79940   ifconfig_noexec = DISABLED
Wed Jun  6 08:38:28 2018 us=79954   ifconfig_nowarn = DISABLED
Wed Jun  6 08:38:28 2018 us=79968   ifconfig_ipv6_local = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=79983   ifconfig_ipv6_netbits = 0
Wed Jun  6 08:38:28 2018 us=79997   ifconfig_ipv6_remote = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80012   shaper = 0
Wed Jun  6 08:38:28 2018 us=80027   mtu_test = 0
Wed Jun  6 08:38:28 2018 us=80041   mlock = DISABLED
Wed Jun  6 08:38:28 2018 us=80055   keepalive_ping = 0
Wed Jun  6 08:38:28 2018 us=80070   keepalive_timeout = 0
Wed Jun  6 08:38:28 2018 us=80084   inactivity_timeout = 0
Wed Jun  6 08:38:28 2018 us=80099   ping_send_timeout = 0
Wed Jun  6 08:38:28 2018 us=80113   ping_rec_timeout = 0
Wed Jun  6 08:38:28 2018 us=80129   ping_rec_timeout_action = 0
Wed Jun  6 08:38:28 2018 us=80145   ping_timer_remote = DISABLED
Wed Jun  6 08:38:28 2018 us=80170   remap_sigusr1 = 0
Wed Jun  6 08:38:28 2018 us=80190   persist_tun = ENABLED
Wed Jun  6 08:38:28 2018 us=80205   persist_local_ip = DISABLED
Wed Jun  6 08:38:28 2018 us=80219   persist_remote_ip = DISABLED
Wed Jun  6 08:38:28 2018 us=80234   persist_key = ENABLED
Wed Jun  6 08:38:28 2018 us=80249   passtos = DISABLED
Wed Jun  6 08:38:28 2018 us=80264   resolve_retry_seconds = 1000000000
Wed Jun  6 08:38:28 2018 us=80278   resolve_in_advance = DISABLED
Wed Jun  6 08:38:28 2018 us=80292   username = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80315   groupname = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80331   chroot_dir = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80346   cd_dir = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80360   writepid = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80375   up_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80389   down_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80403   down_pre = DISABLED
Wed Jun  6 08:38:28 2018 us=80417   up_restart = DISABLED
Wed Jun  6 08:38:28 2018 us=80432   up_delay = DISABLED
Wed Jun  6 08:38:28 2018 us=80446   daemon = DISABLED
Wed Jun  6 08:38:28 2018 us=80460   inetd = 0
Wed Jun  6 08:38:28 2018 us=80475   log = ENABLED
Wed Jun  6 08:38:28 2018 us=80488   suppress_timestamps = DISABLED
Wed Jun  6 08:38:28 2018 us=80503   machine_readable_output = DISABLED
Wed Jun  6 08:38:28 2018 us=80519   nice = 0
Wed Jun  6 08:38:28 2018 us=80533   verbosity = 4
Wed Jun  6 08:38:28 2018 us=80548   mute = 0
Wed Jun  6 08:38:28 2018 us=80563   gremlin = 0
Wed Jun  6 08:38:28 2018 us=80581   status_file = '/tmp/ovpn-status.log'
Wed Jun  6 08:38:28 2018 us=80597   status_file_version = 1
Wed Jun  6 08:38:28 2018 us=80611   status_file_update_freq = 60
Wed Jun  6 08:38:28 2018 us=80626   occ = ENABLED
Wed Jun  6 08:38:28 2018 us=80640   rcvbuf = 0
Wed Jun  6 08:38:28 2018 us=80655   sndbuf = 0
Wed Jun  6 08:38:28 2018 us=80670   mark = 0
Wed Jun  6 08:38:28 2018 us=80684   sockflags = 0
Wed Jun  6 08:38:28 2018 us=80697   fast_io = DISABLED
Wed Jun  6 08:38:28 2018 us=80711   comp.alg = 0
Wed Jun  6 08:38:28 2018 us=80726   comp.flags = 0
Wed Jun  6 08:38:28 2018 us=80740   route_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80754   route_default_gateway = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80770   route_default_metric = 0
Wed Jun  6 08:38:28 2018 us=80785   route_noexec = DISABLED
Wed Jun  6 08:38:28 2018 us=80800   route_delay = 0
Wed Jun  6 08:38:28 2018 us=80814   route_delay_window = 30
Wed Jun  6 08:38:28 2018 us=80828   route_delay_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=80843   route_nopull = DISABLED
Wed Jun  6 08:38:28 2018 us=80858   route_gateway_via_dhcp = DISABLED
Wed Jun  6 08:38:28 2018 us=80873   allow_pull_fqdn = DISABLED
Wed Jun  6 08:38:28 2018 us=80888   route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Wed Jun  6 08:38:28 2018 us=80904   management_addr = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80919   management_port = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80933   management_user_pass = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80948   management_log_history_cache = 250
Wed Jun  6 08:38:28 2018 us=80963   management_echo_buffer_size = 100
Wed Jun  6 08:38:28 2018 us=80978   management_write_peer_info_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=80993   management_client_user = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81008   management_client_group = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81023   management_flags = 0
Wed Jun  6 08:38:28 2018 us=81039   shared_secret_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81054   key_direction = 0
Wed Jun  6 08:38:28 2018 us=81069   ciphername = 'AES-256-GCM'
Wed Jun  6 08:38:28 2018 us=81083   ncp_enabled = ENABLED
Wed Jun  6 08:38:28 2018 us=81114   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Jun  6 08:38:28 2018 us=81135   authname = 'SHA1'
Wed Jun  6 08:38:28 2018 us=81151   prng_hash = 'SHA1'
Wed Jun  6 08:38:28 2018 us=81166   prng_nonce_secret_len = 16
Wed Jun  6 08:38:28 2018 us=81181   keysize = 32
Wed Jun  6 08:38:28 2018 us=81196   engine = DISABLED
Wed Jun  6 08:38:28 2018 us=81210   replay = ENABLED
Wed Jun  6 08:38:28 2018 us=81224   mute_replay_warnings = DISABLED
Wed Jun  6 08:38:28 2018 us=81239   replay_window = 64
Wed Jun  6 08:38:28 2018 us=81254   replay_time = 15
Wed Jun  6 08:38:28 2018 us=81268   packet_id_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81284   use_iv = ENABLED
Wed Jun  6 08:38:28 2018 us=81298   test_crypto = DISABLED
Wed Jun  6 08:38:28 2018 us=81313   tls_server = ENABLED
Wed Jun  6 08:38:28 2018 us=81328   tls_client = DISABLED
Wed Jun  6 08:38:28 2018 us=81343   key_method = 2
Wed Jun  6 08:38:28 2018 us=81365   ca_file = '/tmp/ca.crt'
Wed Jun  6 08:38:28 2018 us=81380   ca_path = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81395   dh_file = '/etc/openvpn/dh2048.pem'
Wed Jun  6 08:38:28 2018 us=81410   cert_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81426   extra_certs_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81441   priv_key_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81455   pkcs12_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81470   cipher_list = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81485   tls_verify = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81500   tls_export_cert = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81514   verify_x509_type = 0
Wed Jun  6 08:38:28 2018 us=81529   verify_x509_name = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81544   crl_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81559   ns_cert_type = 0
Wed Jun  6 08:38:28 2018 us=81574   remote_cert_ku[i] = 65535
Wed Jun  6 08:38:28 2018 us=81589   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81604   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81618   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81632   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81648   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81663   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81677   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81691   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81706   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81721   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81735   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81750   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81764   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81779   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81794   remote_cert_ku[i] = 0
Wed Jun  6 08:38:28 2018 us=81809   remote_cert_eku = 'TLS Web Client Authentication'
Wed Jun  6 08:38:28 2018 us=81824   ssl_flags = 0
Wed Jun  6 08:38:28 2018 us=81838   tls_timeout = 2
Wed Jun  6 08:38:28 2018 us=81853   renegotiate_bytes = -1
Wed Jun  6 08:38:28 2018 us=81867   renegotiate_packets = 0
Wed Jun  6 08:38:28 2018 us=81882   renegotiate_seconds = 3600
Wed Jun  6 08:38:28 2018 us=81897   handshake_window = 60
Wed Jun  6 08:38:28 2018 us=81912   transition_window = 3600
Wed Jun  6 08:38:28 2018 us=81926   single_session = DISABLED
Wed Jun  6 08:38:28 2018 us=81941   push_peer_info = DISABLED
Wed Jun  6 08:38:28 2018 us=81955   tls_exit = DISABLED
Wed Jun  6 08:38:28 2018 us=81970   tls_auth_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81984   tls_crypt_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=81999   pkcs11_providers = /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
Wed Jun  6 08:38:28 2018 us=82014   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82030   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82044   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82066   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82081   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82096   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82111   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82125   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82140   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82155   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82169   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82183   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82197   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82212   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82226   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82241   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:28 2018 us=82257   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82271   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82292   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82308   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82322   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82337   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82352   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82367   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82381   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82396   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82410   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82424   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82439   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82453   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82467   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82482   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:28 2018 us=82497   pkcs11_cert_private = ENABLED
Wed Jun  6 08:38:28 2018 us=82511   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82525   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82540   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82554   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82569   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82583   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82597   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82612   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82626   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82641   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82655   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82669   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82684   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82698   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82713   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:28 2018 us=82728   pkcs11_pin_cache_period = 600
Wed Jun  6 08:38:28 2018 us=82743   pkcs11_id = 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D736572766572'
Wed Jun  6 08:38:28 2018 us=82758   pkcs11_id_management = DISABLED
Wed Jun  6 08:38:28 2018 us=82775   server_network = 10.8.0.0
Wed Jun  6 08:38:28 2018 us=82803   server_netmask = 255.255.255.0
Wed Jun  6 08:38:28 2018 us=82822   server_network_ipv6 = ::
Wed Jun  6 08:38:28 2018 us=82837   server_netbits_ipv6 = 0
Wed Jun  6 08:38:28 2018 us=82853   server_bridge_ip = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=82869   server_bridge_netmask = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=82885   server_bridge_pool_start = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=82900   server_bridge_pool_end = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=82915   push_entry = 'route 10.8.0.1'
Wed Jun  6 08:38:28 2018 us=82929   push_entry = 'topology net30'
Wed Jun  6 08:38:28 2018 us=82944   ifconfig_pool_defined = ENABLED
Wed Jun  6 08:38:28 2018 us=82959   ifconfig_pool_start = 10.8.0.4
Wed Jun  6 08:38:28 2018 us=82975   ifconfig_pool_end = 10.8.0.251
Wed Jun  6 08:38:28 2018 us=82991   ifconfig_pool_netmask = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=83007   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83026   ifconfig_pool_persist_refresh_freq = 600
Wed Jun  6 08:38:28 2018 us=83050   ifconfig_ipv6_pool_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=83076   ifconfig_ipv6_pool_base = ::
Wed Jun  6 08:38:28 2018 us=83101   ifconfig_ipv6_pool_netbits = 0
Wed Jun  6 08:38:28 2018 us=83123   n_bcast_buf = 256
Wed Jun  6 08:38:28 2018 us=83139   tcp_queue_limit = 64
Wed Jun  6 08:38:28 2018 us=83154   real_hash_size = 256
Wed Jun  6 08:38:28 2018 us=83168   virtual_hash_size = 256
Wed Jun  6 08:38:28 2018 us=83183   client_connect_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83197   learn_address_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83212   client_disconnect_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83226   client_config_dir = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83241   ccd_exclusive = DISABLED
Wed Jun  6 08:38:28 2018 us=83266   tmp_dir = '/tmp'
Wed Jun  6 08:38:28 2018 us=83292   push_ifconfig_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=83318   push_ifconfig_local = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=83344   push_ifconfig_remote_netmask = 0.0.0.0
Wed Jun  6 08:38:28 2018 us=83372   push_ifconfig_ipv6_defined = DISABLED
Wed Jun  6 08:38:28 2018 us=83390   push_ifconfig_ipv6_local = ::/0
Wed Jun  6 08:38:28 2018 us=83405   push_ifconfig_ipv6_remote = ::
Wed Jun  6 08:38:28 2018 us=83419   enable_c2c = DISABLED
Wed Jun  6 08:38:28 2018 us=83435   duplicate_cn = DISABLED
Wed Jun  6 08:38:28 2018 us=83450   cf_max = 0
Wed Jun  6 08:38:28 2018 us=83465   cf_per = 0
Wed Jun  6 08:38:28 2018 us=83480   max_clients = 1024
Wed Jun  6 08:38:28 2018 us=83495   max_routes_per_client = 256
Wed Jun  6 08:38:28 2018 us=83518   auth_user_pass_verify_script = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83543   auth_user_pass_verify_script_via_file = DISABLED
Wed Jun  6 08:38:28 2018 us=83568   auth_token_generate = DISABLED
Wed Jun  6 08:38:28 2018 us=83594   auth_token_lifetime = 0
Wed Jun  6 08:38:28 2018 us=83619   port_share_host = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83643   port_share_port = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83669   client = DISABLED
Wed Jun  6 08:38:28 2018 us=83695   pull = DISABLED
Wed Jun  6 08:38:28 2018 us=83720   auth_user_pass_file = '[UNDEF]'
Wed Jun  6 08:38:28 2018 us=83747 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Wed Jun  6 08:38:28 2018 us=83783 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Jun  6 08:38:28 2018 us=83981 PKCS#11: Adding PKCS#11 provider '/usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so'
Wed Jun  6 08:38:28 2018 us=86182 WARNING: --keepalive option is missing from server config
Wed Jun  6 08:38:28 2018 us=86458 Diffie-Hellman initialized with 2048 bit key
Wed Jun  6 08:38:31 2018 us=432045 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun  6 08:38:31 2018 us=432295 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Wed Jun  6 08:38:31 2018 us=432647 TUN/TAP device tun0 opened
Wed Jun  6 08:38:31 2018 us=432679 TUN/TAP TX queue length set to 100
Wed Jun  6 08:38:31 2018 us=432705 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun  6 08:38:31 2018 us=432731 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun  6 08:38:31 2018 us=434765 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun  6 08:38:31 2018 us=436485 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun  6 08:38:31 2018 us=438049 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jun  6 08:38:31 2018 us=438087 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun  6 08:38:31 2018 us=438113 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun  6 08:38:31 2018 us=438135 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun  6 08:38:31 2018 us=438150 UDPv4 link remote: [AF_UNSPEC]
Wed Jun  6 08:38:31 2018 us=438172 MULTI: multi_init called, r=256 v=256
Wed Jun  6 08:38:31 2018 us=438204 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun  6 08:38:31 2018 us=438237 Initialization Sequence Completed
Wed Jun  6 08:38:38 2018 us=875825 MULTI: multi_create_instance called
Wed Jun  6 08:38:38 2018 us=875882 172.17.0.2:56742 Re-using SSL/TLS context
Wed Jun  6 08:38:38 2018 us=876005 172.17.0.2:56742 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun  6 08:38:38 2018 us=876028 172.17.0.2:56742 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jun  6 08:38:38 2018 us=876073 172.17.0.2:56742 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Jun  6 08:38:38 2018 us=876089 172.17.0.2:56742 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Jun  6 08:38:38 2018 us=876130 172.17.0.2:56742 TLS: Initial packet from [AF_INET]172.17.0.2:56742, sid=aca2dcb6 36b3f1ef
Wed Jun  6 08:38:42 2018 us=185619 172.17.0.2:56742 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jun  6 08:38:42 2018 us=185699 172.17.0.2:56742 VERIFY ERROR: depth=0, error=certificate signature failure: C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
Wed Jun  6 08:38:42 2018 us=185767 172.17.0.2:56742 OpenSSL: error:14089086:lib(20):func(137):reason(134)
Wed Jun  6 08:38:42 2018 us=185788 172.17.0.2:56742 TLS_ERROR: BIO read tls_read_plaintext error
Wed Jun  6 08:38:42 2018 us=185811 172.17.0.2:56742 TLS Error: TLS object -> incoming plaintext read error
Wed Jun  6 08:38:42 2018 us=185827 172.17.0.2:56742 TLS Error: TLS handshake failed
Wed Jun  6 08:38:42 2018 us=185904 172.17.0.2:56742 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jun  6 08:38:46 2018 us=616313 event_wait : Interrupted system call (code=4)
Wed Jun  6 08:38:48 2018 us=618557 TCP/UDP: Closing socket
Wed Jun  6 08:38:48 2018 us=618673 /sbin/ip route del 10.8.0.0/24
Wed Jun  6 08:38:48 2018 us=620590 Closing TUN/TAP interface
Wed Jun  6 08:38:48 2018 us=620665 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun  6 08:38:48 2018 us=645444 SIGINT[hard,] received, process exiting

Code:

Wed Jun  6 08:38:34 2018 us=887035 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Wed Jun  6 08:38:34 2018 us=887111 Current Parameter Settings:
Wed Jun  6 08:38:34 2018 us=887132   config = 'ovpn-client.ovpn'
Wed Jun  6 08:38:34 2018 us=887156   mode = 0
Wed Jun  6 08:38:34 2018 us=887173   persist_config = DISABLED
Wed Jun  6 08:38:34 2018 us=887188   persist_mode = 1
Wed Jun  6 08:38:34 2018 us=887201   show_ciphers = DISABLED
Wed Jun  6 08:38:34 2018 us=887215   show_digests = DISABLED
Wed Jun  6 08:38:34 2018 us=887228   show_engines = DISABLED
Wed Jun  6 08:38:34 2018 us=887241   genkey = DISABLED
Wed Jun  6 08:38:34 2018 us=887254   key_pass_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887268   show_tls_ciphers = DISABLED
Wed Jun  6 08:38:34 2018 us=887282   connect_retry_max = 0
Wed Jun  6 08:38:34 2018 us=887295 Connection profiles [0]:
Wed Jun  6 08:38:34 2018 us=887309   proto = udp
Wed Jun  6 08:38:34 2018 us=887322   local = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887335   local_port = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887349   remote = 'ovpn'
Wed Jun  6 08:38:34 2018 us=887363   remote_port = '1194'
Wed Jun  6 08:38:34 2018 us=887376   remote_float = DISABLED
Wed Jun  6 08:38:34 2018 us=887389   bind_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=887403   bind_local = DISABLED
Wed Jun  6 08:38:34 2018 us=887416   bind_ipv6_only = DISABLED
Wed Jun  6 08:38:34 2018 us=887429   connect_retry_seconds = 5
Wed Jun  6 08:38:34 2018 us=887442   connect_timeout = 120
Wed Jun  6 08:38:34 2018 us=887456   socks_proxy_server = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887469   socks_proxy_port = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887482   tun_mtu = 1500
Wed Jun  6 08:38:34 2018 us=887496   tun_mtu_defined = ENABLED
Wed Jun  6 08:38:34 2018 us=887509   link_mtu = 1500
Wed Jun  6 08:38:34 2018 us=887522   link_mtu_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=887535   tun_mtu_extra = 0
Wed Jun  6 08:38:34 2018 us=887551   tun_mtu_extra_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=887574   mtu_discover_type = -1
Wed Jun  6 08:38:34 2018 us=887595   fragment = 0
Wed Jun  6 08:38:34 2018 us=887618   mssfix = 1450
Wed Jun  6 08:38:34 2018 us=887636   explicit_exit_notification = 0
Wed Jun  6 08:38:34 2018 us=887650 Connection profiles END
Wed Jun  6 08:38:34 2018 us=887663   remote_random = DISABLED
Wed Jun  6 08:38:34 2018 us=887677   ipchange = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887691   dev = 'tun'
Wed Jun  6 08:38:34 2018 us=887713   dev_type = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887729   dev_node = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887744   lladdr = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887764   topology = 1
Wed Jun  6 08:38:34 2018 us=887783   ifconfig_local = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887797   ifconfig_remote_netmask = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887810   ifconfig_noexec = DISABLED
Wed Jun  6 08:38:34 2018 us=887824   ifconfig_nowarn = DISABLED
Wed Jun  6 08:38:34 2018 us=887837   ifconfig_ipv6_local = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887850   ifconfig_ipv6_netbits = 0
Wed Jun  6 08:38:34 2018 us=887864   ifconfig_ipv6_remote = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=887878   shaper = 0
Wed Jun  6 08:38:34 2018 us=887892   mtu_test = 0
Wed Jun  6 08:38:34 2018 us=887905   mlock = DISABLED
Wed Jun  6 08:38:34 2018 us=887919   keepalive_ping = 0
Wed Jun  6 08:38:34 2018 us=887932   keepalive_timeout = 0
Wed Jun  6 08:38:34 2018 us=887946   inactivity_timeout = 0
Wed Jun  6 08:38:34 2018 us=887960   ping_send_timeout = 0
Wed Jun  6 08:38:34 2018 us=887973   ping_rec_timeout = 0
Wed Jun  6 08:38:34 2018 us=887988   ping_rec_timeout_action = 0
Wed Jun  6 08:38:34 2018 us=888002   ping_timer_remote = DISABLED
Wed Jun  6 08:38:34 2018 us=888016   remap_sigusr1 = 0
Wed Jun  6 08:38:34 2018 us=888030   persist_tun = ENABLED
Wed Jun  6 08:38:34 2018 us=888043   persist_local_ip = DISABLED
Wed Jun  6 08:38:34 2018 us=888057   persist_remote_ip = DISABLED
Wed Jun  6 08:38:34 2018 us=888070   persist_key = ENABLED
Wed Jun  6 08:38:34 2018 us=888083   passtos = DISABLED
Wed Jun  6 08:38:34 2018 us=888107   resolve_retry_seconds = 1000000000
Wed Jun  6 08:38:34 2018 us=888122   resolve_in_advance = DISABLED
Wed Jun  6 08:38:34 2018 us=888135   username = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888149   groupname = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888162   chroot_dir = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888175   cd_dir = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888188   writepid = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888201   up_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888215   down_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888228   down_pre = DISABLED
Wed Jun  6 08:38:34 2018 us=888241   up_restart = DISABLED
Wed Jun  6 08:38:34 2018 us=888254   up_delay = DISABLED
Wed Jun  6 08:38:34 2018 us=888266   daemon = DISABLED
Wed Jun  6 08:38:34 2018 us=888280   inetd = 0
Wed Jun  6 08:38:34 2018 us=888294   log = ENABLED
Wed Jun  6 08:38:34 2018 us=888308   suppress_timestamps = DISABLED
Wed Jun  6 08:38:34 2018 us=888321   machine_readable_output = DISABLED
Wed Jun  6 08:38:34 2018 us=888335   nice = 0
Wed Jun  6 08:38:34 2018 us=888348   verbosity = 4
Wed Jun  6 08:38:34 2018 us=888361   mute = 0
Wed Jun  6 08:38:34 2018 us=888375   gremlin = 0
Wed Jun  6 08:38:34 2018 us=888388   status_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888401   status_file_version = 1
Wed Jun  6 08:38:34 2018 us=888414   status_file_update_freq = 60
Wed Jun  6 08:38:34 2018 us=888427   occ = ENABLED
Wed Jun  6 08:38:34 2018 us=888441   rcvbuf = 0
Wed Jun  6 08:38:34 2018 us=888454   sndbuf = 0
Wed Jun  6 08:38:34 2018 us=888467   mark = 0
Wed Jun  6 08:38:34 2018 us=888480   sockflags = 0
Wed Jun  6 08:38:34 2018 us=888493   fast_io = DISABLED
Wed Jun  6 08:38:34 2018 us=888507   comp.alg = 0
Wed Jun  6 08:38:34 2018 us=888520   comp.flags = 0
Wed Jun  6 08:38:34 2018 us=888533   route_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888547   route_default_gateway = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888560   route_default_metric = 0
Wed Jun  6 08:38:34 2018 us=888577   route_noexec = DISABLED
Wed Jun  6 08:38:34 2018 us=888592   route_delay = 0
Wed Jun  6 08:38:34 2018 us=888607   route_delay_window = 30
Wed Jun  6 08:38:34 2018 us=888620   route_delay_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=888634   route_nopull = DISABLED
Wed Jun  6 08:38:34 2018 us=888647   route_gateway_via_dhcp = DISABLED
Wed Jun  6 08:38:34 2018 us=888660   allow_pull_fqdn = DISABLED
Wed Jun  6 08:38:34 2018 us=888674   management_addr = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888688   management_port = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888702   management_user_pass = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888716   management_log_history_cache = 250
Wed Jun  6 08:38:34 2018 us=888730   management_echo_buffer_size = 100
Wed Jun  6 08:38:34 2018 us=888744   management_write_peer_info_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888757   management_client_user = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888771   management_client_group = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888786   management_flags = 0
Wed Jun  6 08:38:34 2018 us=888799   shared_secret_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=888813   key_direction = 0
Wed Jun  6 08:38:34 2018 us=888827   ciphername = 'AES-256-GCM'
Wed Jun  6 08:38:34 2018 us=888841   ncp_enabled = DISABLED
Wed Jun  6 08:38:34 2018 us=888855   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Jun  6 08:38:34 2018 us=888869   authname = 'SHA1'
Wed Jun  6 08:38:34 2018 us=888883   prng_hash = 'SHA1'
Wed Jun  6 08:38:34 2018 us=888897   prng_nonce_secret_len = 16
Wed Jun  6 08:38:34 2018 us=888910   keysize = 32
Wed Jun  6 08:38:34 2018 us=888924   engine = DISABLED
Wed Jun  6 08:38:34 2018 us=888938   replay = ENABLED
Wed Jun  6 08:38:34 2018 us=888953   mute_replay_warnings = DISABLED
Wed Jun  6 08:38:34 2018 us=888966   replay_window = 64
Wed Jun  6 08:38:34 2018 us=888981   replay_time = 15
Wed Jun  6 08:38:34 2018 us=888994   packet_id_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889008   use_iv = ENABLED
Wed Jun  6 08:38:34 2018 us=889022   test_crypto = DISABLED
Wed Jun  6 08:38:34 2018 us=889036   tls_server = DISABLED
Wed Jun  6 08:38:34 2018 us=889064   tls_client = ENABLED
Wed Jun  6 08:38:34 2018 us=889091   key_method = 2
Wed Jun  6 08:38:34 2018 us=889128   ca_file = '/tmp/ca.crt'
Wed Jun  6 08:38:34 2018 us=889151   ca_path = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889173   dh_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889191   cert_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889205   extra_certs_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889219   priv_key_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889233   pkcs12_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889247   cipher_list = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889260   tls_verify = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889274   tls_export_cert = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889287   verify_x509_type = 0
Wed Jun  6 08:38:34 2018 us=889301   verify_x509_name = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889315   crl_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889328   ns_cert_type = 0
Wed Jun  6 08:38:34 2018 us=889343   remote_cert_ku[i] = 65535
Wed Jun  6 08:38:34 2018 us=889357   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889370   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889384   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889398   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889411   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889425   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889438   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889452   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889466   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889480   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889493   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889506   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889520   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889533   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889547   remote_cert_ku[i] = 0
Wed Jun  6 08:38:34 2018 us=889561   remote_cert_eku = 'TLS Web Server Authentication'
Wed Jun  6 08:38:34 2018 us=889575   ssl_flags = 0
Wed Jun  6 08:38:34 2018 us=889589   tls_timeout = 2
Wed Jun  6 08:38:34 2018 us=889602   renegotiate_bytes = -1
Wed Jun  6 08:38:34 2018 us=889615   renegotiate_packets = 0
Wed Jun  6 08:38:34 2018 us=889629   renegotiate_seconds = 3600
Wed Jun  6 08:38:34 2018 us=889643   handshake_window = 60
Wed Jun  6 08:38:34 2018 us=889656   transition_window = 3600
Wed Jun  6 08:38:34 2018 us=889670   single_session = DISABLED
Wed Jun  6 08:38:34 2018 us=889684   push_peer_info = DISABLED
Wed Jun  6 08:38:34 2018 us=889697   tls_exit = DISABLED
Wed Jun  6 08:38:34 2018 us=889711   tls_auth_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889724   tls_crypt_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=889738   pkcs11_providers = /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
Wed Jun  6 08:38:34 2018 us=889752   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889773   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889793   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889807   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889820   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889833   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889847   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889861   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889875   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889888   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889902   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889915   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889928   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889942   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889955   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889968   pkcs11_protected_authentication = DISABLED
Wed Jun  6 08:38:34 2018 us=889990   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890005   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890020   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890033   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890047   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890060   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890074   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890087   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890100   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890115   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890128   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890142   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890155   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890168   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890182   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890196   pkcs11_private_mode = 00000000
Wed Jun  6 08:38:34 2018 us=890210   pkcs11_cert_private = ENABLED
Wed Jun  6 08:38:34 2018 us=890223   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890237   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890251   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890264   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890277   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890290   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890303   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890317   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890331   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890344   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890358   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890371   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890384   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890398   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890411   pkcs11_cert_private = DISABLED
Wed Jun  6 08:38:34 2018 us=890425   pkcs11_pin_cache_period = 600
Wed Jun  6 08:38:34 2018 us=890439   pkcs11_id = 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D636C69656E74'
Wed Jun  6 08:38:34 2018 us=890452   pkcs11_id_management = DISABLED
Wed Jun  6 08:38:34 2018 us=890467   server_network = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890482   server_netmask = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890505   server_network_ipv6 = ::
Wed Jun  6 08:38:34 2018 us=890520   server_netbits_ipv6 = 0
Wed Jun  6 08:38:34 2018 us=890535   server_bridge_ip = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890550   server_bridge_netmask = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890565   server_bridge_pool_start = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890580   server_bridge_pool_end = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890594   ifconfig_pool_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=890608   ifconfig_pool_start = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890622   ifconfig_pool_end = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890637   ifconfig_pool_netmask = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890651   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=890664   ifconfig_pool_persist_refresh_freq = 600
Wed Jun  6 08:38:34 2018 us=890678   ifconfig_ipv6_pool_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=890692   ifconfig_ipv6_pool_base = ::
Wed Jun  6 08:38:34 2018 us=890706   ifconfig_ipv6_pool_netbits = 0
Wed Jun  6 08:38:34 2018 us=890720   n_bcast_buf = 256
Wed Jun  6 08:38:34 2018 us=890735   tcp_queue_limit = 64
Wed Jun  6 08:38:34 2018 us=890748   real_hash_size = 256
Wed Jun  6 08:38:34 2018 us=890762   virtual_hash_size = 256
Wed Jun  6 08:38:34 2018 us=890775   client_connect_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=890789   learn_address_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=890802   client_disconnect_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=890821   client_config_dir = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=890836   ccd_exclusive = DISABLED
Wed Jun  6 08:38:34 2018 us=890849   tmp_dir = '/tmp'
Wed Jun  6 08:38:34 2018 us=890863   push_ifconfig_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=890877   push_ifconfig_local = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890891   push_ifconfig_remote_netmask = 0.0.0.0
Wed Jun  6 08:38:34 2018 us=890905   push_ifconfig_ipv6_defined = DISABLED
Wed Jun  6 08:38:34 2018 us=890920   push_ifconfig_ipv6_local = ::/0
Wed Jun  6 08:38:34 2018 us=890935   push_ifconfig_ipv6_remote = ::
Wed Jun  6 08:38:34 2018 us=890948   enable_c2c = DISABLED
Wed Jun  6 08:38:34 2018 us=890962   duplicate_cn = DISABLED
Wed Jun  6 08:38:34 2018 us=890975   cf_max = 0
Wed Jun  6 08:38:34 2018 us=890989   cf_per = 0
Wed Jun  6 08:38:34 2018 us=891003   max_clients = 1024
Wed Jun  6 08:38:34 2018 us=891017   max_routes_per_client = 256
Wed Jun  6 08:38:34 2018 us=891031   auth_user_pass_verify_script = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=891044   auth_user_pass_verify_script_via_file = DISABLED
Wed Jun  6 08:38:34 2018 us=891057   auth_token_generate = DISABLED
Wed Jun  6 08:38:34 2018 us=891070   auth_token_lifetime = 0
Wed Jun  6 08:38:34 2018 us=891084   port_share_host = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=891097   port_share_port = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=891110   client = DISABLED
Wed Jun  6 08:38:34 2018 us=891124   pull = DISABLED
Wed Jun  6 08:38:34 2018 us=891137   auth_user_pass_file = '[UNDEF]'
Wed Jun  6 08:38:34 2018 us=891152 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Wed Jun  6 08:38:34 2018 us=891174 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Jun  6 08:38:34 2018 us=891320 PKCS#11: Adding PKCS#11 provider '/usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so'
Wed Jun  6 08:38:38 2018 us=874871 Control Channel MTU parms [ L:1549 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun  6 08:38:38 2018 us=875289 TUN/TAP device tun0 opened
Wed Jun  6 08:38:38 2018 us=875330 TUN/TAP TX queue length set to 100
Wed Jun  6 08:38:38 2018 us=875379 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:394 ET:0 EL:3 ]
Wed Jun  6 08:38:38 2018 us=875409 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Jun  6 08:38:38 2018 us=875425 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Jun  6 08:38:38 2018 us=875445 TCP/UDP: Preserving recently used remote address: [AF_INET]172.17.0.3:1194
Wed Jun  6 08:38:38 2018 us=875473 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun  6 08:38:38 2018 us=875489 UDP link local: (not bound)
Wed Jun  6 08:38:38 2018 us=875506 UDP link remote: [AF_INET]172.17.0.3:1194
Wed Jun  6 08:38:38 2018 us=876286 TLS: Initial packet from [AF_INET]172.17.0.3:1194, sid=d3bc0100 390a1109
Wed Jun  6 08:38:40 2018 us=586195 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jun  6 08:38:40 2018 us=586524 VERIFY KU OK
Wed Jun  6 08:38:40 2018 us=586551 Validating certificate extended key usage
Wed Jun  6 08:38:40 2018 us=586569 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun  6 08:38:40 2018 us=586584 VERIFY EKU OK
Wed Jun  6 08:38:40 2018 us=586599 VERIFY OK: depth=0, C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-server, emailAddress=jjimenez@gradiant.org
Wed Jun  6 08:38:48 2018 us=880696 event_wait : Interrupted system call (code=4)
Wed Jun  6 08:38:48 2018 us=880982 TCP/UDP: Closing socket
Wed Jun  6 08:38:48 2018 us=881049 Closing TUN/TAP interface
Wed Jun  6 08:38:48 2018 us=901207 SIGINT[hard,] received, process exiting
As you can see in the logs, the client verifies the server without trouble. It doesn't matter whether I use "AES-256-CBC" or "AES-256-GCM". If I don't set them in the configuration files, it then mentions "Cipher algorithm 'BF-CBC' not found", which seems ok to me since it mentions that's one of the deprecated ones.

$ openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be use as a
parameter to the --cipher option.  The default key size is
shown as well as whether or not it can be changed with the
--keysize directive.  Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits, 
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
The server, on the other hand, can't verify the client and the TLS handshake fails.

At first, from the error message it looks like the server can't decrypt. However, the server shows this in the clear:

C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
So it could decrypt, right?

I've already tried:
  • Both a custom CA with a root-intermediate CA structure, which fails at the intermediate CA's level of depth (same error as above), and EasyRSA 3.0 as well, which is the case shown above.
  • Getting completely rid of PKCS#11, building the full server and client with EasyRSA. This worked, although, as I mentioned, there's absolutely no error in PKCS#11's log apart from CKR_ALREADY_INITIALIZED (which shouldn't be a problem); it then calls C_SignInit and C_Sign and they return CKR_OK.
  • Regenerating certs. I made sure the client has EKU TLS Web client authentication (1.3.6.1.5.5.7.3.2) and the server has TLS Web server authentication (1.3.6.1.5.5.7.3.1), which are the ones used in EasyRSA generated certs.
Any help will be greatly appreciated.

Thanks in advance.
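The "certificate signature failure" the server reports at depth=0 (quoted in the reply below) is the server's chain check on the client certificate failing, a check made with the CA's public key, so the token's C_Sign result plays no part in it. The following POSIX shell script is an added example, not code from this thread or from OpenVPN: it reproduces with the openssl CLI the two checks a server configured with "ca <file>" and "remote-cert-tls client" applies to a client certificate, against a throwaway PKI it builds itself. All file names, subjects and the DEMO_RUN switch are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN. It reproduces, with the
# openssl CLI, the two checks an OpenVPN server running with "ca <file>" and
# "remote-cert-tls client" applies to a client certificate:
#   1. chain check: the cert must carry a valid signature from the CA given to --ca
#      ("VERIFY ERROR: depth=0, error=certificate signature failure" is this check
#      failing on the client cert; the token's C_Sign result is not involved);
#   2. EKU check: TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) must be present
#      (-purpose sslclient approximates what remote-cert-tls client requires).
# The PKI built by make_demo_pki is constructed for the demo; all names are assumptions.
set -eu

# check_client_cert CA_FILE CERT_FILE
# Returns 0 when CERT_FILE would pass the server's checks against CA_FILE, 1 otherwise.
# OpenSSL's verdict line is printed either way so the reason stays visible.
check_client_cert() {
    ca="$1"; cert="$2"
    if out=$(openssl verify -CAfile "$ca" -purpose sslclient "$cert" 2>&1); then
        printf '%s\n' "$out"
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# cert_has_client_eku CERT_FILE
# Returns 0 when the certificate's extendedKeyUsage lists TLS Web Client Authentication.
cert_has_client_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# make_demo_pki DIR
# Builds a throwaway PKI in DIR: a CA, a second unrelated CA with the same subject
# name (stands in for a CA file that does not match the token's certificate), a
# client cert with the clientAuth EKU and a server cert carrying serverAuth only.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    for n in ca other-ca; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$n.key" \
            -out "$dir/$n.csr" -subj "/CN=Demo CA" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$n.csr" -signkey "$dir/$n.key" -days 2 \
            -extfile "$dir/ca.ext" -out "$dir/$n.crt" >/dev/null 2>&1
    done
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    for n in client server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$n.key" \
            -out "$dir/$n.csr" -subj "/CN=ovpn-$n" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 2 -extfile "$dir/$n.ext" -out "$dir/$n.crt" >/dev/null 2>&1
    done
}

# Stand-alone run: the last two checks are expected to fail.
# For the mismatched CA, OpenSSL reports "certificate signature failure" when the
# cert has no authority key identifier and the issuer is matched by name alone,
# and "unable to get local issuer certificate" when an AKID already rules the CA out.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_client_cert "$d/ca.crt" "$d/client.crt"
    cert_has_client_eku "$d/client.crt" && echo "client.crt: clientAuth EKU present"
    check_client_cert "$d/other-ca.crt" "$d/client.crt" || true
    check_client_cert "$d/ca.crt" "$d/server.crt" || true
    rm -rf "$d"
fi
```

Run the same two functions against the CA file from the server config and the certificate exported from the token to see which of the two checks the server is tripping over.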

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting simple OpenVPN using PKCS11 in Dockers

Post by TinCanTech » Wed Jun 06, 2018 10:25 am

jjimenez-grd wrote:
Wed Jun 06, 2018 8:57 am
I'm trying to set up a simple OpenVPN which is able to use certs and keys from a PKCS#11 device, using our own library.
jjimenez-grd wrote:
Wed Jun 06, 2018 8:57 am
Wed Jun 6 08:38:42 2018 us=185699 172.17.0.2:56742 VERIFY ERROR: depth=0, error=certificate signature failure: C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
Wed Jun 6 08:38:42 2018 us=185767 172.17.0.2:56742 OpenSSL: error:14089086:lib(20):func(137):reason(134)
It looks like there is something wrong with your library ..

jjimenez-grd
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 06, 2018 7:51 am

Re: Setting simple OpenVPN using PKCS11 in Dockers

Post by jjimenez-grd » Wed Jun 06, 2018 3:34 pm

TinCanTech wrote:
Wed Jun 06, 2018 10:25 am
jjimenez-grd wrote:
Wed Jun 06, 2018 8:57 am
I'm trying to set up a simple OpenVPN which is able to use certs and keys from a PKCS#11 device, using our own library.
jjimenez-grd wrote:
Wed Jun 06, 2018 8:57 am
Wed Jun 6 08:38:42 2018 us=185699 172.17.0.2:56742 VERIFY ERROR: depth=0, error=certificate signature failure: C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
Wed Jun 6 08:38:42 2018 us=185767 172.17.0.2:56742 OpenSSL: error:14089086:lib(20):func(137):reason(134)
It looks like there is something wrong with your library ..
Certs seem to be properly loaded, since the server receives the "C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org" which comes from the client's cert, and vice versa.
Our logs show that C_Sign is called and returns OK, and there are no errors, so what could be wrong? The error is from OpenSSL itself, which shouldn't use our library at all after getting certs, should it?

By the way, I now received the

Wed Jun  6 15:25:54 2018 us=611374 Cipher algorithm 'id-aes256-GCM' not found
Wed Jun  6 15:25:54 2018 us=611383 Cipher AES-256-GCM not supported
in the client, when using AES-256-GCM... Any idea to track it down?

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting simple OpenVPN using PKCS11 in Dockers

Post by TinCanTech » Wed Jun 06, 2018 4:49 pm

jjimenez-grd wrote:
Wed Jun 06, 2018 3:34 pm
The error is from OpenSSL itself, which shouldn't use our library at all after getting certs, should it?
How would anybody here know what your library does ?

Can you replicate the error using only official openvpn release ?

jjimenez-grd
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 06, 2018 7:51 am

Re: Setting simple OpenVPN using PKCS11 in Dockers

Post by jjimenez-grd » Thu Jun 07, 2018 8:23 am

TinCanTech wrote:
Wed Jun 06, 2018 4:49 pm
How would anybody here know what your library does ?
I'm not talking about our library. As a library, its functions are called from a main program, which is OpenVPN (through OpenSSL) in this particular case. My post is about how to track down the problem FROM OpenVPN, which is the program USING our library. I don't know about it and that's why I'm asking here.
TinCanTech wrote:
Wed Jun 06, 2018 4:49 pm
Can you replicate the error using only official openvpn release ?
As I said, when I used EasyRSA locally it worked. The point is what does it expect which is not correct or whatever, like a function returning X and not having filled Y buffer, something like that is what I want to find out.

Besides that, what does this have to do with the PKCS#11 library?

Wed Jun  6 15:25:54 2018 us=611374 Cipher algorithm 'id-aes256-GCM' not found
Wed Jun  6 15:25:54 2018 us=611383 Cipher AES-256-GCM not supported
Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setting simple OpenVPN using PKCS11 in Dockers

Post by TinCanTech » Thu Jun 07, 2018 11:49 am

jjimenez-grd wrote:
Thu Jun 07, 2018 8:23 am
TinCanTech wrote:
Wed Jun 06, 2018 4:49 pm
Can you replicate the error using only official openvpn release ?
As I said, when I used EasyRSA locally it worked. The point is what does it expect which is not correct or whatever, like a function returning X and not having filled Y buffer, something like that is what I want to find out.
I am not sure you really answered my question but if you mean openvpn works with EasyRSA created PKI then look for what changed in your other scenario ..

I am guessing you are a developer so you may have more luck on the openvpn-users mailing list.
jjimenez-grd wrote:
Thu Jun 07, 2018 8:23 am
Besides that, what does this have to do with the PKCS#11 library?

Wed Jun  6 15:25:54 2018 us=611374 Cipher algorithm 'id-aes256-GCM' not found
Wed Jun  6 15:25:54 2018 us=611383 Cipher AES-256-GCM not supported
Thanks.
Cipher algorithm 'id-aes256-GCM' not found .. to my knowledge there is no such cipher name.

Cipher AES-256-GCM not supported .. could be an old version of OpenSSL
