We are using OpenVPN 2.5.x. Our users get a personal certificate via Intune from our internal CA with a special subject, and OpenVPN uses 'cryptoapicert "SUBJ:intune"' to select this certificate. On some clients (all on the same current Win10 version) everything works as expected. Some clients do not work (also on the same current Win10 version), all with the same error message, see below:
2021-12-09 11:48:47 OpenVPN 2.5.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-12-09 11:48:47 Windows version 10.0 (Windows 10 or greater) 64bit
2021-12-09 11:48:47 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
2021-12-09 11:48:48 TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:12000
2021-12-09 11:48:48 UDP link local (bound): [AF_INET][undef]:1194
2021-12-09 11:48:48 UDP link remote: [AF_INET]a.b.c.d:12000
2021-12-09 11:48:49 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2021-12-09 11:48:49 TLS_ERROR: BIO read tls_read_plaintext error
2021-12-09 11:48:49 TLS Error: TLS object -> incoming plaintext read error
2021-12-09 11:48:49 TLS Error: TLS handshake failed
2021-12-09 11:48:49 SIGUSR1[soft,tls-error] received, process restarting
New enrollment of the user certificate on these clients did not help.
We did not find any special configuration on the clients that do not work. And if we append "tls-version-max 1.1" to the configuration, all clients work! But you do not want to use TLS 1.1 these days...
Fresh Win10 Autopilot installation via Intune, then automatic certificate enrollment and installation of the "customized" OpenVPN (which actually is a vanilla installation with 2 *.ovpn files) via Company Portal => everything works (even with TLS >= 1.2). Most of the non-working clients were rolled out this way, so something broke in the past!?
Any suggestions/comments are highly appreciated!
Merry XMas and best wishes for 2022!
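Added diagnostic, not part of the original post: since the working and non-working clients run the same Windows build, one concrete thing to compare between them is the certificate that 'cryptoapicert "SUBJ:intune"' would select and which key store and provider hold its private key. The subject substring "intune" is taken from the post; everything else in this script (the parameter name, the CurrentUser\My store, the output fields) is an assumption of mine, and the script is not from the OpenVPN project.

```powershell
# Added diagnostic (not from the original post): list the user certificates whose subject
# contains the substring OpenVPN matches with cryptoapicert "SUBJ:...", and report how the
# private key is stored. Assumption: the certificate lives in Cert:\CurrentUser\My; run the
# same against Cert:\LocalMachine\My if your enrollment targets the machine store.
param(
    [string]$SubjectMatch = 'intune',
    [string]$StorePath    = 'Cert:\CurrentUser\My'
)

$certs = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Warning "No certificate in $StorePath matches subject substring '$SubjectMatch'"
    return
}

foreach ($cert in $certs) {
    $keyType  = 'n/a'
    $provider = 'n/a'
    if ($cert.HasPrivateKey) {
        try {
            # Resolves the key through the same Windows APIs a CryptoAPI/CNG consumer uses.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG (KSP)'
                $provider = $rsa.Key.Provider.Provider
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType  = 'CryptoAPI (CSP)'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        }
        catch {
            # A present-but-unusable key shows up here; keep the message for comparison.
            $provider = "error: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        HasPrivateKey = $cert.HasPrivateKey
        KeyType       = $keyType
        KeyProvider   = $provider
        # 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU a VPN client cert should carry.
        ClientAuthEKU = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
}
```

Run it once on a working and once on a failing client and diff the two outputs: a second certificate with the same subject substring, a missing private key, a different key provider, or a missing Client Authentication EKU are the kinds of differences the OpenVPN log alone will not show you.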