I have my server running on Raspberry Pi with this config:
```
port 1194
proto udp
dev tun
ca ca.crt
pkcs12 server.p12
dh dh2048.pem
topology subnet
push "topology subnet"
mode server
tls-server
ifconfig 192.168.12.1 255.255.255.0
ifconfig-pool 192.168.12.50 192.168.12.100
push "route 192.168.5.0 255.255.255.0"
push "route-gateway 192.168.12.1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
max-clients 10
user nobody
ping-timer-rem
persist-key
persist-tun
push "ping-timer-rem"
push "persist-tun"
push "persist-key"
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 50
explicit-exit-notify 1
```

```
remote vpn.server.com
port 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
ca ca.crt
pkcs12 client.p12
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
verb 3
auth-nocache
askpass pass
On the Raspberry Pi I get this error:
```
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.08
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=f4abc124 20ef06c0
VERIFY OK: depth=1, C=xx, O=xx, CN=xx
Validating certificate key usage
++ Certificate has key usage 00a8, expects 00a0
++ Certificate has key usage 00a8, expects 0088
VERIFY KU ERROR
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
SIGTERM[hard,init_instance] received, process exiting
```
As I understand it, the client is checking whether the certificate has the flags 00a0 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT).
It finds that the certificate has the flags 00a8 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT).
But 00a8 contains 00a0, doesn't it? So what's the problem?
Can anyone help me?
Thanks
Best regards,
Pro1712
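To make the numbers in that log concrete, here is an added example (not from the post and not OpenVPN's own code): it decodes the key-usage bitmasks using OpenSSL's KU_* bit values and compares the certificate's usage against the expected values under an exact-match rule and under a subset rule. With the values from the log, the subset rule passes while the exact-match rule fails, which is the outcome the log shows and matches the equality comparison OpenVPN 2.4 performs in its key-usage check.

```python
import re

# Key-usage bit values as defined by OpenSSL's KU_* constants (x509v3.h).
KU_BITS = {
    0x0080: "digitalSignature", 0x0040: "nonRepudiation",
    0x0020: "keyEncipherment", 0x0010: "dataEncipherment",
    0x0008: "keyAgreement", 0x0004: "keyCertSign",
    0x0002: "cRLSign", 0x0001: "encipherOnly", 0x8000: "decipherOnly",
}
# Matches OpenVPN's "++ Certificate has key usage 00a8, expects 00a0" lines.
KU_LINE = re.compile(r"key usage\s+([0-9a-fA-F]{4}),\s+expects\s+([0-9a-fA-F]{4})")

def ku_names(mask):
    """Return the names of the key-usage bits set in a bitmask."""
    return [name for bit, name in KU_BITS.items() if mask & bit]

def parse_ku_log(text):
    """Extract (actual, expected) bitmask pairs from OpenVPN log text."""
    return [(int(a, 16), int(e, 16)) for a, e in KU_LINE.findall(text)]

def exact_match(actual, expected_list):
    """Accept only if the certificate's KU equals one of the expected values."""
    return any(actual == e for e in expected_list)

def superset_match(actual, expected_list):
    """Accept if the certificate's KU contains every bit of an expected value."""
    return any((actual & e) == e for e in expected_list)

def analyse(text):
    """Decode the log lines and evaluate both comparison rules."""
    pairs = parse_ku_log(text)
    actual = pairs[0][0]
    expected = [e for _, e in pairs]
    return {
        "actual": ku_names(actual),
        "expected": [ku_names(e) for e in expected],
        "exact": exact_match(actual, expected),
        "superset": superset_match(actual, expected),
    }
# Constructed sample: the key-usage lines quoted in the post above.
SAMPLE_LOG = """\
Validating certificate key usage
++ Certificate has key usage 00a8, expects 00a0
++ Certificate has key usage 00a8, expects 0088
VERIFY KU ERROR
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```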