As I mentioned in the title, I'm trying to set up a simple OpenVPN that is able to use certs and keys from a PKCS#11 device, using our own library.
The point is that the errors I'm getting right now don't seem to be related to the PKCS#11 library itself; besides, there are no errors in the library's log. It works with local cert and key files, however. More details below.
These are the configuration files:

Server (ovpn-server.ovpn):
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
tls-server
dh /etc/openvpn/dh2048.pem
#ca /etc/openvpn/ca-chain.cert.pem
ca /tmp/ca.crt
#cert /tmp/ovpn-easy-server.crt
#key /tmp/ovpn-easy-server.key
server 10.8.0.0 255.255.255.0
#keysize 256
pkcs11-providers /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
pkcs11-id 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D736572766572'
pkcs11-pin-cache 600
pkcs11-cert-private 1
#cipher AES-256-CBC
cipher AES-256-GCM
keysize 256
#user nobody
#group nogroup
persist-key
persist-tun
log /tmp/ovpn-server.log
status /tmp/ovpn-status.log
verb 4
#verb 11
#verb 3
explicit-exit-notify 1
remote-cert-tls client
#auth none

Client (ovpn-client.ovpn):
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
tls-client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
#dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
#dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
#proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
#remote my-server-1 1194
#remote 10.5.0.135 1194
#remote 172.17.0.2 1194
remote ovpn 1194
#remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
#remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
#;http-proxy-retry # retry on connection failures
#;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
#mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca /etc/openvpn/ca-chain.cert.pem
ca /tmp/ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
#cipher AES-256-CBC
cipher AES-256-GCM
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 4
# Silence repeating messages
;mute 10
log /tmp/ovpn-client.log
## PKCS#11
pkcs11-providers /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
pkcs11-id 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D636C69656E74'
pkcs11-pin-cache 600
pkcs11-cert-private 1
keysize 256
nobind
#auth none
#cert /tmp/ovpn-easy-client.crt
#key /tmp/ovpn-easy-client.key
The error is (as you can see in the server's log below) basically that the server is not able to verify the authenticity of the client, although both certs were created directly inside PKCS#11 and they're both signed with the same CA.

Server log:
Wed Jun 6 08:38:28 2018 us=79220 Current Parameter Settings:
Wed Jun 6 08:38:28 2018 us=79271 config = 'ovpn-server.ovpn'
Wed Jun 6 08:38:28 2018 us=79291 mode = 1
Wed Jun 6 08:38:28 2018 us=79306 persist_config = DISABLED
Wed Jun 6 08:38:28 2018 us=79321 persist_mode = 1
Wed Jun 6 08:38:28 2018 us=79337 show_ciphers = DISABLED
Wed Jun 6 08:38:28 2018 us=79352 show_digests = DISABLED
Wed Jun 6 08:38:28 2018 us=79366 show_engines = DISABLED
Wed Jun 6 08:38:28 2018 us=79380 genkey = DISABLED
Wed Jun 6 08:38:28 2018 us=79395 key_pass_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79409 show_tls_ciphers = DISABLED
Wed Jun 6 08:38:28 2018 us=79424 connect_retry_max = 0
Wed Jun 6 08:38:28 2018 us=79439 Connection profiles [0]:
Wed Jun 6 08:38:28 2018 us=79454 proto = udp
Wed Jun 6 08:38:28 2018 us=79469 local = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79483 local_port = '1194'
Wed Jun 6 08:38:28 2018 us=79497 remote = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79511 remote_port = '1194'
Wed Jun 6 08:38:28 2018 us=79526 remote_float = DISABLED
Wed Jun 6 08:38:28 2018 us=79540 bind_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=79555 bind_local = ENABLED
Wed Jun 6 08:38:28 2018 us=79570 bind_ipv6_only = DISABLED
Wed Jun 6 08:38:28 2018 us=79585 connect_retry_seconds = 5
Wed Jun 6 08:38:28 2018 us=79599 connect_timeout = 120
Wed Jun 6 08:38:28 2018 us=79614 socks_proxy_server = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79637 socks_proxy_port = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79652 tun_mtu = 1500
Wed Jun 6 08:38:28 2018 us=79667 tun_mtu_defined = ENABLED
Wed Jun 6 08:38:28 2018 us=79681 link_mtu = 1500
Wed Jun 6 08:38:28 2018 us=79695 link_mtu_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=79710 tun_mtu_extra = 0
Wed Jun 6 08:38:28 2018 us=79724 tun_mtu_extra_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=79739 mtu_discover_type = -1
Wed Jun 6 08:38:28 2018 us=79753 fragment = 0
Wed Jun 6 08:38:28 2018 us=79768 mssfix = 1450
Wed Jun 6 08:38:28 2018 us=79782 explicit_exit_notification = 1
Wed Jun 6 08:38:28 2018 us=79798 Connection profiles END
Wed Jun 6 08:38:28 2018 us=79812 remote_random = DISABLED
Wed Jun 6 08:38:28 2018 us=79826 ipchange = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79840 dev = 'tun'
Wed Jun 6 08:38:28 2018 us=79854 dev_type = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79868 dev_node = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79882 lladdr = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79897 topology = 1
Wed Jun 6 08:38:28 2018 us=79912 ifconfig_local = '10.8.0.1'
Wed Jun 6 08:38:28 2018 us=79926 ifconfig_remote_netmask = '10.8.0.2'
Wed Jun 6 08:38:28 2018 us=79940 ifconfig_noexec = DISABLED
Wed Jun 6 08:38:28 2018 us=79954 ifconfig_nowarn = DISABLED
Wed Jun 6 08:38:28 2018 us=79968 ifconfig_ipv6_local = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=79983 ifconfig_ipv6_netbits = 0
Wed Jun 6 08:38:28 2018 us=79997 ifconfig_ipv6_remote = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80012 shaper = 0
Wed Jun 6 08:38:28 2018 us=80027 mtu_test = 0
Wed Jun 6 08:38:28 2018 us=80041 mlock = DISABLED
Wed Jun 6 08:38:28 2018 us=80055 keepalive_ping = 0
Wed Jun 6 08:38:28 2018 us=80070 keepalive_timeout = 0
Wed Jun 6 08:38:28 2018 us=80084 inactivity_timeout = 0
Wed Jun 6 08:38:28 2018 us=80099 ping_send_timeout = 0
Wed Jun 6 08:38:28 2018 us=80113 ping_rec_timeout = 0
Wed Jun 6 08:38:28 2018 us=80129 ping_rec_timeout_action = 0
Wed Jun 6 08:38:28 2018 us=80145 ping_timer_remote = DISABLED
Wed Jun 6 08:38:28 2018 us=80170 remap_sigusr1 = 0
Wed Jun 6 08:38:28 2018 us=80190 persist_tun = ENABLED
Wed Jun 6 08:38:28 2018 us=80205 persist_local_ip = DISABLED
Wed Jun 6 08:38:28 2018 us=80219 persist_remote_ip = DISABLED
Wed Jun 6 08:38:28 2018 us=80234 persist_key = ENABLED
Wed Jun 6 08:38:28 2018 us=80249 passtos = DISABLED
Wed Jun 6 08:38:28 2018 us=80264 resolve_retry_seconds = 1000000000
Wed Jun 6 08:38:28 2018 us=80278 resolve_in_advance = DISABLED
Wed Jun 6 08:38:28 2018 us=80292 username = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80315 groupname = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80331 chroot_dir = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80346 cd_dir = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80360 writepid = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80375 up_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80389 down_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80403 down_pre = DISABLED
Wed Jun 6 08:38:28 2018 us=80417 up_restart = DISABLED
Wed Jun 6 08:38:28 2018 us=80432 up_delay = DISABLED
Wed Jun 6 08:38:28 2018 us=80446 daemon = DISABLED
Wed Jun 6 08:38:28 2018 us=80460 inetd = 0
Wed Jun 6 08:38:28 2018 us=80475 log = ENABLED
Wed Jun 6 08:38:28 2018 us=80488 suppress_timestamps = DISABLED
Wed Jun 6 08:38:28 2018 us=80503 machine_readable_output = DISABLED
Wed Jun 6 08:38:28 2018 us=80519 nice = 0
Wed Jun 6 08:38:28 2018 us=80533 verbosity = 4
Wed Jun 6 08:38:28 2018 us=80548 mute = 0
Wed Jun 6 08:38:28 2018 us=80563 gremlin = 0
Wed Jun 6 08:38:28 2018 us=80581 status_file = '/tmp/ovpn-status.log'
Wed Jun 6 08:38:28 2018 us=80597 status_file_version = 1
Wed Jun 6 08:38:28 2018 us=80611 status_file_update_freq = 60
Wed Jun 6 08:38:28 2018 us=80626 occ = ENABLED
Wed Jun 6 08:38:28 2018 us=80640 rcvbuf = 0
Wed Jun 6 08:38:28 2018 us=80655 sndbuf = 0
Wed Jun 6 08:38:28 2018 us=80670 mark = 0
Wed Jun 6 08:38:28 2018 us=80684 sockflags = 0
Wed Jun 6 08:38:28 2018 us=80697 fast_io = DISABLED
Wed Jun 6 08:38:28 2018 us=80711 comp.alg = 0
Wed Jun 6 08:38:28 2018 us=80726 comp.flags = 0
Wed Jun 6 08:38:28 2018 us=80740 route_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80754 route_default_gateway = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80770 route_default_metric = 0
Wed Jun 6 08:38:28 2018 us=80785 route_noexec = DISABLED
Wed Jun 6 08:38:28 2018 us=80800 route_delay = 0
Wed Jun 6 08:38:28 2018 us=80814 route_delay_window = 30
Wed Jun 6 08:38:28 2018 us=80828 route_delay_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=80843 route_nopull = DISABLED
Wed Jun 6 08:38:28 2018 us=80858 route_gateway_via_dhcp = DISABLED
Wed Jun 6 08:38:28 2018 us=80873 allow_pull_fqdn = DISABLED
Wed Jun 6 08:38:28 2018 us=80888 route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Wed Jun 6 08:38:28 2018 us=80904 management_addr = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80919 management_port = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80933 management_user_pass = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80948 management_log_history_cache = 250
Wed Jun 6 08:38:28 2018 us=80963 management_echo_buffer_size = 100
Wed Jun 6 08:38:28 2018 us=80978 management_write_peer_info_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=80993 management_client_user = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81008 management_client_group = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81023 management_flags = 0
Wed Jun 6 08:38:28 2018 us=81039 shared_secret_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81054 key_direction = 0
Wed Jun 6 08:38:28 2018 us=81069 ciphername = 'AES-256-GCM'
Wed Jun 6 08:38:28 2018 us=81083 ncp_enabled = ENABLED
Wed Jun 6 08:38:28 2018 us=81114 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Jun 6 08:38:28 2018 us=81135 authname = 'SHA1'
Wed Jun 6 08:38:28 2018 us=81151 prng_hash = 'SHA1'
Wed Jun 6 08:38:28 2018 us=81166 prng_nonce_secret_len = 16
Wed Jun 6 08:38:28 2018 us=81181 keysize = 32
Wed Jun 6 08:38:28 2018 us=81196 engine = DISABLED
Wed Jun 6 08:38:28 2018 us=81210 replay = ENABLED
Wed Jun 6 08:38:28 2018 us=81224 mute_replay_warnings = DISABLED
Wed Jun 6 08:38:28 2018 us=81239 replay_window = 64
Wed Jun 6 08:38:28 2018 us=81254 replay_time = 15
Wed Jun 6 08:38:28 2018 us=81268 packet_id_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81284 use_iv = ENABLED
Wed Jun 6 08:38:28 2018 us=81298 test_crypto = DISABLED
Wed Jun 6 08:38:28 2018 us=81313 tls_server = ENABLED
Wed Jun 6 08:38:28 2018 us=81328 tls_client = DISABLED
Wed Jun 6 08:38:28 2018 us=81343 key_method = 2
Wed Jun 6 08:38:28 2018 us=81365 ca_file = '/tmp/ca.crt'
Wed Jun 6 08:38:28 2018 us=81380 ca_path = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81395 dh_file = '/etc/openvpn/dh2048.pem'
Wed Jun 6 08:38:28 2018 us=81410 cert_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81426 extra_certs_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81441 priv_key_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81455 pkcs12_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81470 cipher_list = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81485 tls_verify = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81500 tls_export_cert = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81514 verify_x509_type = 0
Wed Jun 6 08:38:28 2018 us=81529 verify_x509_name = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81544 crl_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81559 ns_cert_type = 0
Wed Jun 6 08:38:28 2018 us=81574 remote_cert_ku[i] = 65535
Wed Jun 6 08:38:28 2018 us=81589 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81604 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81618 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81632 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81648 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81663 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81677 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81691 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81706 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81721 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81735 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81750 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81764 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81779 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81794 remote_cert_ku[i] = 0
Wed Jun 6 08:38:28 2018 us=81809 remote_cert_eku = 'TLS Web Client Authentication'
Wed Jun 6 08:38:28 2018 us=81824 ssl_flags = 0
Wed Jun 6 08:38:28 2018 us=81838 tls_timeout = 2
Wed Jun 6 08:38:28 2018 us=81853 renegotiate_bytes = -1
Wed Jun 6 08:38:28 2018 us=81867 renegotiate_packets = 0
Wed Jun 6 08:38:28 2018 us=81882 renegotiate_seconds = 3600
Wed Jun 6 08:38:28 2018 us=81897 handshake_window = 60
Wed Jun 6 08:38:28 2018 us=81912 transition_window = 3600
Wed Jun 6 08:38:28 2018 us=81926 single_session = DISABLED
Wed Jun 6 08:38:28 2018 us=81941 push_peer_info = DISABLED
Wed Jun 6 08:38:28 2018 us=81955 tls_exit = DISABLED
Wed Jun 6 08:38:28 2018 us=81970 tls_auth_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81984 tls_crypt_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=81999 pkcs11_providers = /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
Wed Jun 6 08:38:28 2018 us=82014 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82030 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82044 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82066 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82081 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82096 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82111 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82125 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82140 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82155 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82169 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82183 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82197 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82212 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82226 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82241 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:28 2018 us=82257 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82271 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82292 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82308 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82322 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82337 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82352 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82367 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82381 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82396 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82410 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82424 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82439 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82453 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82467 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82482 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:28 2018 us=82497 pkcs11_cert_private = ENABLED
Wed Jun 6 08:38:28 2018 us=82511 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82525 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82540 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82554 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82569 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82583 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82597 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82612 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82626 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82641 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82655 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82669 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82684 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82698 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82713 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:28 2018 us=82728 pkcs11_pin_cache_period = 600
Wed Jun 6 08:38:28 2018 us=82743 pkcs11_id = 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D736572766572'
Wed Jun 6 08:38:28 2018 us=82758 pkcs11_id_management = DISABLED
Wed Jun 6 08:38:28 2018 us=82775 server_network = 10.8.0.0
Wed Jun 6 08:38:28 2018 us=82803 server_netmask = 255.255.255.0
Wed Jun 6 08:38:28 2018 us=82822 server_network_ipv6 = ::
Wed Jun 6 08:38:28 2018 us=82837 server_netbits_ipv6 = 0
Wed Jun 6 08:38:28 2018 us=82853 server_bridge_ip = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=82869 server_bridge_netmask = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=82885 server_bridge_pool_start = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=82900 server_bridge_pool_end = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=82915 push_entry = 'route 10.8.0.1'
Wed Jun 6 08:38:28 2018 us=82929 push_entry = 'topology net30'
Wed Jun 6 08:38:28 2018 us=82944 ifconfig_pool_defined = ENABLED
Wed Jun 6 08:38:28 2018 us=82959 ifconfig_pool_start = 10.8.0.4
Wed Jun 6 08:38:28 2018 us=82975 ifconfig_pool_end = 10.8.0.251
Wed Jun 6 08:38:28 2018 us=82991 ifconfig_pool_netmask = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=83007 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83026 ifconfig_pool_persist_refresh_freq = 600
Wed Jun 6 08:38:28 2018 us=83050 ifconfig_ipv6_pool_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=83076 ifconfig_ipv6_pool_base = ::
Wed Jun 6 08:38:28 2018 us=83101 ifconfig_ipv6_pool_netbits = 0
Wed Jun 6 08:38:28 2018 us=83123 n_bcast_buf = 256
Wed Jun 6 08:38:28 2018 us=83139 tcp_queue_limit = 64
Wed Jun 6 08:38:28 2018 us=83154 real_hash_size = 256
Wed Jun 6 08:38:28 2018 us=83168 virtual_hash_size = 256
Wed Jun 6 08:38:28 2018 us=83183 client_connect_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83197 learn_address_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83212 client_disconnect_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83226 client_config_dir = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83241 ccd_exclusive = DISABLED
Wed Jun 6 08:38:28 2018 us=83266 tmp_dir = '/tmp'
Wed Jun 6 08:38:28 2018 us=83292 push_ifconfig_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=83318 push_ifconfig_local = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=83344 push_ifconfig_remote_netmask = 0.0.0.0
Wed Jun 6 08:38:28 2018 us=83372 push_ifconfig_ipv6_defined = DISABLED
Wed Jun 6 08:38:28 2018 us=83390 push_ifconfig_ipv6_local = ::/0
Wed Jun 6 08:38:28 2018 us=83405 push_ifconfig_ipv6_remote = ::
Wed Jun 6 08:38:28 2018 us=83419 enable_c2c = DISABLED
Wed Jun 6 08:38:28 2018 us=83435 duplicate_cn = DISABLED
Wed Jun 6 08:38:28 2018 us=83450 cf_max = 0
Wed Jun 6 08:38:28 2018 us=83465 cf_per = 0
Wed Jun 6 08:38:28 2018 us=83480 max_clients = 1024
Wed Jun 6 08:38:28 2018 us=83495 max_routes_per_client = 256
Wed Jun 6 08:38:28 2018 us=83518 auth_user_pass_verify_script = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83543 auth_user_pass_verify_script_via_file = DISABLED
Wed Jun 6 08:38:28 2018 us=83568 auth_token_generate = DISABLED
Wed Jun 6 08:38:28 2018 us=83594 auth_token_lifetime = 0
Wed Jun 6 08:38:28 2018 us=83619 port_share_host = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83643 port_share_port = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83669 client = DISABLED
Wed Jun 6 08:38:28 2018 us=83695 pull = DISABLED
Wed Jun 6 08:38:28 2018 us=83720 auth_user_pass_file = '[UNDEF]'
Wed Jun 6 08:38:28 2018 us=83747 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 3 2017
Wed Jun 6 08:38:28 2018 us=83783 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Wed Jun 6 08:38:28 2018 us=83981 PKCS#11: Adding PKCS#11 provider '/usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so'
Wed Jun 6 08:38:28 2018 us=86182 WARNING: --keepalive option is missing from server config
Wed Jun 6 08:38:28 2018 us=86458 Diffie-Hellman initialized with 2048 bit key
Wed Jun 6 08:38:31 2018 us=432045 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun 6 08:38:31 2018 us=432295 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Wed Jun 6 08:38:31 2018 us=432647 TUN/TAP device tun0 opened
Wed Jun 6 08:38:31 2018 us=432679 TUN/TAP TX queue length set to 100
Wed Jun 6 08:38:31 2018 us=432705 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 6 08:38:31 2018 us=432731 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 6 08:38:31 2018 us=434765 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 6 08:38:31 2018 us=436485 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 6 08:38:31 2018 us=438049 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jun 6 08:38:31 2018 us=438087 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun 6 08:38:31 2018 us=438113 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 6 08:38:31 2018 us=438135 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun 6 08:38:31 2018 us=438150 UDPv4 link remote: [AF_UNSPEC]
Wed Jun 6 08:38:31 2018 us=438172 MULTI: multi_init called, r=256 v=256
Wed Jun 6 08:38:31 2018 us=438204 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 6 08:38:31 2018 us=438237 Initialization Sequence Completed
Wed Jun 6 08:38:38 2018 us=875825 MULTI: multi_create_instance called
Wed Jun 6 08:38:38 2018 us=875882 172.17.0.2:56742 Re-using SSL/TLS context
Wed Jun 6 08:38:38 2018 us=876005 172.17.0.2:56742 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun 6 08:38:38 2018 us=876028 172.17.0.2:56742 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jun 6 08:38:38 2018 us=876073 172.17.0.2:56742 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Jun 6 08:38:38 2018 us=876089 172.17.0.2:56742 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Jun 6 08:38:38 2018 us=876130 172.17.0.2:56742 TLS: Initial packet from [AF_INET]172.17.0.2:56742, sid=aca2dcb6 36b3f1ef
Wed Jun 6 08:38:42 2018 us=185619 172.17.0.2:56742 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jun 6 08:38:42 2018 us=185699 172.17.0.2:56742 VERIFY ERROR: depth=0, error=certificate signature failure: C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
Wed Jun 6 08:38:42 2018 us=185767 172.17.0.2:56742 OpenSSL: error:14089086:lib(20):func(137):reason(134)
Wed Jun 6 08:38:42 2018 us=185788 172.17.0.2:56742 TLS_ERROR: BIO read tls_read_plaintext error
Wed Jun 6 08:38:42 2018 us=185811 172.17.0.2:56742 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 6 08:38:42 2018 us=185827 172.17.0.2:56742 TLS Error: TLS handshake failed
Wed Jun 6 08:38:42 2018 us=185904 172.17.0.2:56742 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jun 6 08:38:46 2018 us=616313 event_wait : Interrupted system call (code=4)
Wed Jun 6 08:38:48 2018 us=618557 TCP/UDP: Closing socket
Wed Jun 6 08:38:48 2018 us=618673 /sbin/ip route del 10.8.0.0/24
Wed Jun 6 08:38:48 2018 us=620590 Closing TUN/TAP interface
Wed Jun 6 08:38:48 2018 us=620665 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 6 08:38:48 2018 us=645444 SIGINT[hard,] received, process exiting
Client log:
Wed Jun 6 08:38:34 2018 us=887035 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Wed Jun 6 08:38:34 2018 us=887111 Current Parameter Settings:
Wed Jun 6 08:38:34 2018 us=887132 config = 'ovpn-client.ovpn'
Wed Jun 6 08:38:34 2018 us=887156 mode = 0
Wed Jun 6 08:38:34 2018 us=887173 persist_config = DISABLED
Wed Jun 6 08:38:34 2018 us=887188 persist_mode = 1
Wed Jun 6 08:38:34 2018 us=887201 show_ciphers = DISABLED
Wed Jun 6 08:38:34 2018 us=887215 show_digests = DISABLED
Wed Jun 6 08:38:34 2018 us=887228 show_engines = DISABLED
Wed Jun 6 08:38:34 2018 us=887241 genkey = DISABLED
Wed Jun 6 08:38:34 2018 us=887254 key_pass_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887268 show_tls_ciphers = DISABLED
Wed Jun 6 08:38:34 2018 us=887282 connect_retry_max = 0
Wed Jun 6 08:38:34 2018 us=887295 Connection profiles [0]:
Wed Jun 6 08:38:34 2018 us=887309 proto = udp
Wed Jun 6 08:38:34 2018 us=887322 local = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887335 local_port = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887349 remote = 'ovpn'
Wed Jun 6 08:38:34 2018 us=887363 remote_port = '1194'
Wed Jun 6 08:38:34 2018 us=887376 remote_float = DISABLED
Wed Jun 6 08:38:34 2018 us=887389 bind_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=887403 bind_local = DISABLED
Wed Jun 6 08:38:34 2018 us=887416 bind_ipv6_only = DISABLED
Wed Jun 6 08:38:34 2018 us=887429 connect_retry_seconds = 5
Wed Jun 6 08:38:34 2018 us=887442 connect_timeout = 120
Wed Jun 6 08:38:34 2018 us=887456 socks_proxy_server = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887469 socks_proxy_port = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887482 tun_mtu = 1500
Wed Jun 6 08:38:34 2018 us=887496 tun_mtu_defined = ENABLED
Wed Jun 6 08:38:34 2018 us=887509 link_mtu = 1500
Wed Jun 6 08:38:34 2018 us=887522 link_mtu_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=887535 tun_mtu_extra = 0
Wed Jun 6 08:38:34 2018 us=887551 tun_mtu_extra_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=887574 mtu_discover_type = -1
Wed Jun 6 08:38:34 2018 us=887595 fragment = 0
Wed Jun 6 08:38:34 2018 us=887618 mssfix = 1450
Wed Jun 6 08:38:34 2018 us=887636 explicit_exit_notification = 0
Wed Jun 6 08:38:34 2018 us=887650 Connection profiles END
Wed Jun 6 08:38:34 2018 us=887663 remote_random = DISABLED
Wed Jun 6 08:38:34 2018 us=887677 ipchange = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887691 dev = 'tun'
Wed Jun 6 08:38:34 2018 us=887713 dev_type = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887729 dev_node = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887744 lladdr = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887764 topology = 1
Wed Jun 6 08:38:34 2018 us=887783 ifconfig_local = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887797 ifconfig_remote_netmask = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887810 ifconfig_noexec = DISABLED
Wed Jun 6 08:38:34 2018 us=887824 ifconfig_nowarn = DISABLED
Wed Jun 6 08:38:34 2018 us=887837 ifconfig_ipv6_local = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887850 ifconfig_ipv6_netbits = 0
Wed Jun 6 08:38:34 2018 us=887864 ifconfig_ipv6_remote = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=887878 shaper = 0
Wed Jun 6 08:38:34 2018 us=887892 mtu_test = 0
Wed Jun 6 08:38:34 2018 us=887905 mlock = DISABLED
Wed Jun 6 08:38:34 2018 us=887919 keepalive_ping = 0
Wed Jun 6 08:38:34 2018 us=887932 keepalive_timeout = 0
Wed Jun 6 08:38:34 2018 us=887946 inactivity_timeout = 0
Wed Jun 6 08:38:34 2018 us=887960 ping_send_timeout = 0
Wed Jun 6 08:38:34 2018 us=887973 ping_rec_timeout = 0
Wed Jun 6 08:38:34 2018 us=887988 ping_rec_timeout_action = 0
Wed Jun 6 08:38:34 2018 us=888002 ping_timer_remote = DISABLED
Wed Jun 6 08:38:34 2018 us=888016 remap_sigusr1 = 0
Wed Jun 6 08:38:34 2018 us=888030 persist_tun = ENABLED
Wed Jun 6 08:38:34 2018 us=888043 persist_local_ip = DISABLED
Wed Jun 6 08:38:34 2018 us=888057 persist_remote_ip = DISABLED
Wed Jun 6 08:38:34 2018 us=888070 persist_key = ENABLED
Wed Jun 6 08:38:34 2018 us=888083 passtos = DISABLED
Wed Jun 6 08:38:34 2018 us=888107 resolve_retry_seconds = 1000000000
Wed Jun 6 08:38:34 2018 us=888122 resolve_in_advance = DISABLED
Wed Jun 6 08:38:34 2018 us=888135 username = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888149 groupname = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888162 chroot_dir = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888175 cd_dir = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888188 writepid = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888201 up_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888215 down_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888228 down_pre = DISABLED
Wed Jun 6 08:38:34 2018 us=888241 up_restart = DISABLED
Wed Jun 6 08:38:34 2018 us=888254 up_delay = DISABLED
Wed Jun 6 08:38:34 2018 us=888266 daemon = DISABLED
Wed Jun 6 08:38:34 2018 us=888280 inetd = 0
Wed Jun 6 08:38:34 2018 us=888294 log = ENABLED
Wed Jun 6 08:38:34 2018 us=888308 suppress_timestamps = DISABLED
Wed Jun 6 08:38:34 2018 us=888321 machine_readable_output = DISABLED
Wed Jun 6 08:38:34 2018 us=888335 nice = 0
Wed Jun 6 08:38:34 2018 us=888348 verbosity = 4
Wed Jun 6 08:38:34 2018 us=888361 mute = 0
Wed Jun 6 08:38:34 2018 us=888375 gremlin = 0
Wed Jun 6 08:38:34 2018 us=888388 status_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888401 status_file_version = 1
Wed Jun 6 08:38:34 2018 us=888414 status_file_update_freq = 60
Wed Jun 6 08:38:34 2018 us=888427 occ = ENABLED
Wed Jun 6 08:38:34 2018 us=888441 rcvbuf = 0
Wed Jun 6 08:38:34 2018 us=888454 sndbuf = 0
Wed Jun 6 08:38:34 2018 us=888467 mark = 0
Wed Jun 6 08:38:34 2018 us=888480 sockflags = 0
Wed Jun 6 08:38:34 2018 us=888493 fast_io = DISABLED
Wed Jun 6 08:38:34 2018 us=888507 comp.alg = 0
Wed Jun 6 08:38:34 2018 us=888520 comp.flags = 0
Wed Jun 6 08:38:34 2018 us=888533 route_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888547 route_default_gateway = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888560 route_default_metric = 0
Wed Jun 6 08:38:34 2018 us=888577 route_noexec = DISABLED
Wed Jun 6 08:38:34 2018 us=888592 route_delay = 0
Wed Jun 6 08:38:34 2018 us=888607 route_delay_window = 30
Wed Jun 6 08:38:34 2018 us=888620 route_delay_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=888634 route_nopull = DISABLED
Wed Jun 6 08:38:34 2018 us=888647 route_gateway_via_dhcp = DISABLED
Wed Jun 6 08:38:34 2018 us=888660 allow_pull_fqdn = DISABLED
Wed Jun 6 08:38:34 2018 us=888674 management_addr = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888688 management_port = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888702 management_user_pass = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888716 management_log_history_cache = 250
Wed Jun 6 08:38:34 2018 us=888730 management_echo_buffer_size = 100
Wed Jun 6 08:38:34 2018 us=888744 management_write_peer_info_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888757 management_client_user = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888771 management_client_group = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888786 management_flags = 0
Wed Jun 6 08:38:34 2018 us=888799 shared_secret_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=888813 key_direction = 0
Wed Jun 6 08:38:34 2018 us=888827 ciphername = 'AES-256-GCM'
Wed Jun 6 08:38:34 2018 us=888841 ncp_enabled = DISABLED
Wed Jun 6 08:38:34 2018 us=888855 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Jun 6 08:38:34 2018 us=888869 authname = 'SHA1'
Wed Jun 6 08:38:34 2018 us=888883 prng_hash = 'SHA1'
Wed Jun 6 08:38:34 2018 us=888897 prng_nonce_secret_len = 16
Wed Jun 6 08:38:34 2018 us=888910 keysize = 32
Wed Jun 6 08:38:34 2018 us=888924 engine = DISABLED
Wed Jun 6 08:38:34 2018 us=888938 replay = ENABLED
Wed Jun 6 08:38:34 2018 us=888953 mute_replay_warnings = DISABLED
Wed Jun 6 08:38:34 2018 us=888966 replay_window = 64
Wed Jun 6 08:38:34 2018 us=888981 replay_time = 15
Wed Jun 6 08:38:34 2018 us=888994 packet_id_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889008 use_iv = ENABLED
Wed Jun 6 08:38:34 2018 us=889022 test_crypto = DISABLED
Wed Jun 6 08:38:34 2018 us=889036 tls_server = DISABLED
Wed Jun 6 08:38:34 2018 us=889064 tls_client = ENABLED
Wed Jun 6 08:38:34 2018 us=889091 key_method = 2
Wed Jun 6 08:38:34 2018 us=889128 ca_file = '/tmp/ca.crt'
Wed Jun 6 08:38:34 2018 us=889151 ca_path = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889173 dh_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889191 cert_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889205 extra_certs_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889219 priv_key_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889233 pkcs12_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889247 cipher_list = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889260 tls_verify = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889274 tls_export_cert = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889287 verify_x509_type = 0
Wed Jun 6 08:38:34 2018 us=889301 verify_x509_name = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889315 crl_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889328 ns_cert_type = 0
Wed Jun 6 08:38:34 2018 us=889343 remote_cert_ku[i] = 65535
Wed Jun 6 08:38:34 2018 us=889357 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889370 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889384 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889398 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889411 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889425 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889438 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889452 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889466 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889480 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889493 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889506 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889520 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889533 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889547 remote_cert_ku[i] = 0
Wed Jun 6 08:38:34 2018 us=889561 remote_cert_eku = 'TLS Web Server Authentication'
Wed Jun 6 08:38:34 2018 us=889575 ssl_flags = 0
Wed Jun 6 08:38:34 2018 us=889589 tls_timeout = 2
Wed Jun 6 08:38:34 2018 us=889602 renegotiate_bytes = -1
Wed Jun 6 08:38:34 2018 us=889615 renegotiate_packets = 0
Wed Jun 6 08:38:34 2018 us=889629 renegotiate_seconds = 3600
Wed Jun 6 08:38:34 2018 us=889643 handshake_window = 60
Wed Jun 6 08:38:34 2018 us=889656 transition_window = 3600
Wed Jun 6 08:38:34 2018 us=889670 single_session = DISABLED
Wed Jun 6 08:38:34 2018 us=889684 push_peer_info = DISABLED
Wed Jun 6 08:38:34 2018 us=889697 tls_exit = DISABLED
Wed Jun 6 08:38:34 2018 us=889711 tls_auth_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889724 tls_crypt_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=889738 pkcs11_providers = /usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so
Wed Jun 6 08:38:34 2018 us=889752 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889773 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889793 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889807 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889820 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889833 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889847 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889861 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889875 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889888 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889902 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889915 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889928 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889942 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889955 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889968 pkcs11_protected_authentication = DISABLED
Wed Jun 6 08:38:34 2018 us=889990 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890005 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890020 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890033 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890047 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890060 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890074 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890087 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890100 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890115 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890128 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890142 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890155 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890168 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890182 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890196 pkcs11_private_mode = 00000000
Wed Jun 6 08:38:34 2018 us=890210 pkcs11_cert_private = ENABLED
Wed Jun 6 08:38:34 2018 us=890223 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890237 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890251 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890264 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890277 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890290 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890303 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890317 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890331 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890344 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890358 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890371 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890384 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890398 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890411 pkcs11_cert_private = DISABLED
Wed Jun 6 08:38:34 2018 us=890425 pkcs11_pin_cache_period = 600
Wed Jun 6 08:38:34 2018 us=890439 pkcs11_id = 'www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D636C69656E74'
Wed Jun 6 08:38:34 2018 us=890452 pkcs11_id_management = DISABLED
Wed Jun 6 08:38:34 2018 us=890467 server_network = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890482 server_netmask = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890505 server_network_ipv6 = ::
Wed Jun 6 08:38:34 2018 us=890520 server_netbits_ipv6 = 0
Wed Jun 6 08:38:34 2018 us=890535 server_bridge_ip = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890550 server_bridge_netmask = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890565 server_bridge_pool_start = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890580 server_bridge_pool_end = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890594 ifconfig_pool_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=890608 ifconfig_pool_start = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890622 ifconfig_pool_end = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890637 ifconfig_pool_netmask = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890651 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=890664 ifconfig_pool_persist_refresh_freq = 600
Wed Jun 6 08:38:34 2018 us=890678 ifconfig_ipv6_pool_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=890692 ifconfig_ipv6_pool_base = ::
Wed Jun 6 08:38:34 2018 us=890706 ifconfig_ipv6_pool_netbits = 0
Wed Jun 6 08:38:34 2018 us=890720 n_bcast_buf = 256
Wed Jun 6 08:38:34 2018 us=890735 tcp_queue_limit = 64
Wed Jun 6 08:38:34 2018 us=890748 real_hash_size = 256
Wed Jun 6 08:38:34 2018 us=890762 virtual_hash_size = 256
Wed Jun 6 08:38:34 2018 us=890775 client_connect_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=890789 learn_address_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=890802 client_disconnect_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=890821 client_config_dir = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=890836 ccd_exclusive = DISABLED
Wed Jun 6 08:38:34 2018 us=890849 tmp_dir = '/tmp'
Wed Jun 6 08:38:34 2018 us=890863 push_ifconfig_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=890877 push_ifconfig_local = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890891 push_ifconfig_remote_netmask = 0.0.0.0
Wed Jun 6 08:38:34 2018 us=890905 push_ifconfig_ipv6_defined = DISABLED
Wed Jun 6 08:38:34 2018 us=890920 push_ifconfig_ipv6_local = ::/0
Wed Jun 6 08:38:34 2018 us=890935 push_ifconfig_ipv6_remote = ::
Wed Jun 6 08:38:34 2018 us=890948 enable_c2c = DISABLED
Wed Jun 6 08:38:34 2018 us=890962 duplicate_cn = DISABLED
Wed Jun 6 08:38:34 2018 us=890975 cf_max = 0
Wed Jun 6 08:38:34 2018 us=890989 cf_per = 0
Wed Jun 6 08:38:34 2018 us=891003 max_clients = 1024
Wed Jun 6 08:38:34 2018 us=891017 max_routes_per_client = 256
Wed Jun 6 08:38:34 2018 us=891031 auth_user_pass_verify_script = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=891044 auth_user_pass_verify_script_via_file = DISABLED
Wed Jun 6 08:38:34 2018 us=891057 auth_token_generate = DISABLED
Wed Jun 6 08:38:34 2018 us=891070 auth_token_lifetime = 0
Wed Jun 6 08:38:34 2018 us=891084 port_share_host = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=891097 port_share_port = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=891110 client = DISABLED
Wed Jun 6 08:38:34 2018 us=891124 pull = DISABLED
Wed Jun 6 08:38:34 2018 us=891137 auth_user_pass_file = '[UNDEF]'
Wed Jun 6 08:38:34 2018 us=891152 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 3 2017
Wed Jun 6 08:38:34 2018 us=891174 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Wed Jun 6 08:38:34 2018 us=891320 PKCS#11: Adding PKCS#11 provider '/usr/lib/pkcs11/GradiantBlackICEConnect_release_x64.so'
Wed Jun 6 08:38:38 2018 us=874871 Control Channel MTU parms [ L:1549 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Jun 6 08:38:38 2018 us=875289 TUN/TAP device tun0 opened
Wed Jun 6 08:38:38 2018 us=875330 TUN/TAP TX queue length set to 100
Wed Jun 6 08:38:38 2018 us=875379 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:394 ET:0 EL:3 ]
Wed Jun 6 08:38:38 2018 us=875409 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Jun 6 08:38:38 2018 us=875425 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Jun 6 08:38:38 2018 us=875445 TCP/UDP: Preserving recently used remote address: [AF_INET]172.17.0.3:1194
Wed Jun 6 08:38:38 2018 us=875473 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 6 08:38:38 2018 us=875489 UDP link local: (not bound)
Wed Jun 6 08:38:38 2018 us=875506 UDP link remote: [AF_INET]172.17.0.3:1194
Wed Jun 6 08:38:38 2018 us=876286 TLS: Initial packet from [AF_INET]172.17.0.3:1194, sid=d3bc0100 390a1109
Wed Jun 6 08:38:40 2018 us=586195 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jun 6 08:38:40 2018 us=586524 VERIFY KU OK
Wed Jun 6 08:38:40 2018 us=586551 Validating certificate extended key usage
Wed Jun 6 08:38:40 2018 us=586569 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 6 08:38:40 2018 us=586584 VERIFY EKU OK
Wed Jun 6 08:38:40 2018 us=586599 VERIFY OK: depth=0, C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-server, emailAddress=jjimenez@gradiant.org
Wed Jun 6 08:38:48 2018 us=880696 event_wait : Interrupted system call (code=4)
Wed Jun 6 08:38:48 2018 us=880982 TCP/UDP: Closing socket
Wed Jun 6 08:38:48 2018 us=881049 Closing TUN/TAP interface
Wed Jun 6 08:38:48 2018 us=901207 SIGINT[hard,] received, process exiting
$ openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.
AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC (128 bit key, 128 bit block)
CAMELLIA-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC (192 bit key, 128 bit block)
CAMELLIA-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC (256 bit key, 128 bit block)
CAMELLIA-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC (128 bit key, 128 bit block)
SEED-CFB (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB (128 bit key, 128 bit block, TLS client/server mode only)
The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.
BF-CBC (128 bit key by default, 64 bit block)
BF-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC (64 bit key, 64 bit block)
DES-CFB (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1 (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8 (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC (128 bit key, 64 bit block)
DES-EDE-CFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
DES-EDE3-CFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC (192 bit key, 64 bit block)
RC2-40-CBC (40 bit key by default, 64 bit block)
RC2-64-CBC (64 bit key by default, 64 bit block)
RC2-CBC (128 bit key by default, 64 bit block)
RC2-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
At first, from the error message it looks like the server can't decrypt. However, the server shows that in the clear:
C=ES, ST=Galicia, L=Vigo, O=Gradiant, OU=Grd Security, CN=ovpn-client, emailAddress=jjimenez@gradiant.org
I've already tried:
- Both a custom CA with a root-intermediate CA structure, which fails at the intermediate CA's level of depth (same error as above), and EasyRSA 3.0 as well, which is the case shown above.
- Getting rid of PKCS#11 completely, building the full server and client with EasyRSA. This worked, although, as I mentioned, there's absolutely no error in the PKCS#11 log apart from CKR_ALREADY_INITIALIZED (which shouldn't be a problem); it then calls C_SignInit and C_Sign and returns CKR_OK.
- Regenerating certs. I made sure the client has EKU TLS Web client authentication (1.3.6.1.5.5.7.3.2) and the server has TLS Web server authentication (1.3.6.1.5.5.7.3.1), which are the ones used in EasyRSA-generated certs.
Thanks in advance.
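The pkcs11-id strings in the server config and in the client log differ only in their final hex field. The following is an added example, not code from the post or from OpenVPN/pkcs11-helper: it decodes that serialization with the Python standard library so both sides can be checked against the certificate CNs seen in the log. The field names (manufacturer/model/serial/label, then the hex CKA_ID) follow the pkcs11-helper convention and are my reading of the format, not something the post states.

```python
import re

# OpenVPN prints pkcs11-id in pkcs11-helper's serialized form: four token
# fields joined by '/', with every non-alphanumeric byte escaped as \xHH,
# followed by '/' and the object's CKA_ID as hex. The field order
# (manufacturer, model, serial, label) is assumed from that convention.
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field):
    """Undo the \\xHH escaping of one serialized token field."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized):
    """Split a pkcs11-id into its token fields and the decoded CKA_ID.

    'cka_id' holds the raw CKA_ID bytes; 'cka_id_text' is their ASCII
    form when printable (tokens often set CKA_ID to the object label),
    otherwise None.
    """
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected manufacturer/model/serial/label/CKA_ID, "
                         "got %d fields" % len(parts))
    manufacturer, model, serial, label, cka_hex = parts
    if len(cka_hex) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", cka_hex):
        raise ValueError("CKA_ID is not hex: %r" % cka_hex)
    cka_id = bytes.fromhex(cka_hex)
    try:
        text = cka_id.decode("ascii")
        if not text.isprintable():
            text = None
    except UnicodeDecodeError:
        text = None
    return {
        "manufacturer": unescape(manufacturer),
        "model": unescape(model),
        "serial": unescape(serial),
        "label": unescape(label),
        "cka_id": cka_id,
        "cka_id_text": text,
    }


def same_token(id_a, id_b):
    """True when two ids name the same token (everything but CKA_ID matches)."""
    a, b = parse_pkcs11_id(id_a), parse_pkcs11_id(id_b)
    return all(a[k] == b[k] for k in ("manufacturer", "model", "serial", "label"))


# The two ids quoted in the post: the server config and the client log.
SERVER_ID = r"www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D736572766572"
CLIENT_ID = r"www\x2Egradiant\x2Eorg/API\x201\x2E0/SN00000001/BlackICEConnect/6F76706E2D636C69656E74"

if __name__ == "__main__":
    for name, sid in (("server", SERVER_ID), ("client", CLIENT_ID)):
        p = parse_pkcs11_id(sid)
        print(name, p["manufacturer"], p["model"], p["serial"], p["label"],
              "CKA_ID=%s" % p["cka_id_text"])
    print("same token:", same_token(SERVER_ID, CLIENT_ID))
```

Run as a script it prints both ids decoded, which is a quick way to confirm the client side really selects the object whose CKA_ID spells "ovpn-client" while the server selects "ovpn-server", matching the CNs in the VERIFY lines.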