Failed to connect OpenVPN from Android client

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jijojoyk
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 07, 2018 1:27 pm

Failed to connect OpenVPN from Android client

Post by jijojoyk » Wed Nov 07, 2018 1:31 pm

We use a custom-built CA to issue certificates, which is built on Python's `cryptography` module. The certs generated by the CA work everywhere except on the Android and iOS clients. They work from other third-party clients on mobile and from Tunnelbear on Mac and Linux native openvpn clients. The issue is only with the OpenVPN Connect app on iOS and Android. I tried downgrading the mobile app from the 3.0.* version to 1.2.*, but that did not help.

I imported the client configs as an ovpn file with inline certificates, and it uses certificate authentication only, no user/pass authentication. The same file was imported on other platforms, where it worked well.

Below is the error reported in logs:

===========================
15:39:15.321 -- EVENT: CONNECTING

15:39:15.324 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

15:39:15.325 -- Creds: UsernameEmpty/PasswordEmpty

15:39:15.326 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_IPv6=0
IV_AUTO_SESS=1
IV_BS64DL=1


15:39:15.741 -- VERIFY OK : depth=1
cert. version : 3
serial number : 3B:C1:DD:92:E0:B5:02
issuer name : O=XXXXX, OU=VPN Server, CN=Jj20181022-CA
subject name : O=XXXX, OU=VPN Server, CN=Jj20181022-CA
issued on : 2018-10-21 06:18:31
expires on : 2048-10-14 06:18:31
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign


15:39:15.743 -- VERIFY OK : depth=0
cert. version : 3
serial number : E9:6D:49:85:BD:C4:8F:52
issuer name : O=XXXXX, OU=VPN Server, CN=Jj20181022-CA
subject name : O=XXXXX, OU=VPN Server, CN=JJ20181022.xxxxxxx.com
issued on : 2018-10-21 06:19:26
expires on : 2021-10-21 06:19:26
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : JJ20181022.xxxxxxx.com
key usage : Non Repudiation, Key Encipherment, Key Agreement
ext key usage : TLS Web Server Authentication


15:39:15.744 -- Client exception in transport_recv_excode: mbed TLS: SSL read error : SSL - Processing of the Certificate handshake message failed


Please help. Thanks in advance.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Failed to connect OpenVPN from Android client

Post by TinCanTech » Thu Nov 08, 2018 1:18 am

jijojoyk wrote:
Wed Nov 07, 2018 1:31 pm
We use a custom built CA to issue certificates,
Custom built how ?
jijojoyk wrote:
Wed Nov 07, 2018 1:31 pm
which is built on Python’s `cryptography` module.
Which Python ?

jijojoyk
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 07, 2018 1:27 pm

Re: Failed to connect OpenVPN from Android client

Post by jijojoyk » Thu Nov 08, 2018 1:24 am

Yes, we use Python3 and the python module 'cryptography' to issue certificates.

Here are the details of one of the client certificates.

===============
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 600574 (0x929fe)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=XXXXXX, OU=VPN Server, CN=Jj20181022-CA
Validity
Not Before: Nov 6 09:14:52 2018 GMT
Not After : Dec 7 09:14:52 2018 GMT
Subject: O=UserXXXXX, OU=VPN Server, CN=test_user7_ovpn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:f6:60:6a:f3:9c:1d:eb:83:37:1e:6d:db:52:
1d:ac:3e:01:7d:a7:1e:a2:11:4d:23:2a:f7:66:c1:
75:8e:d5:6f:6d:6b:30:c8:9b:92:9f:c6:bb:01:f9:
3f:1c:da:96:aa:99:8d:45:f5:f9:22:dd:27:c7:c7:
46:50:44:64:54:37:cc:1c:22:b7:0b:5a:25:6e:7f:
49:95:f3:dd:12:8c:ea:73:47:3e:be:0b:d7:96:63:
cb:c9:cf:0b:78:a3:08:38:0a:e9:b0:57:50:81:ac:
b3:d8:e5:1e:45:ca:68:ed:0e:8a:35:1e:8a:58:99:
2e:16:54:42:68:eb:b0:f4:72:38:9f:2b:c2:70:fd:
94:e6:ee:6e:9e:28:c0:6a:d9:8b:7f:0a:6a:b5:39:
cc:ae:3e:63:8b:16:3c:cb:18:bd:0c:9c:45:25:47:
6f:07:21:5c:0e:93:20:83:90:5c:0b:97:a4:54:1c:
1a:2f:52:d0:f6:72:92:f2:be:b3:b1:32:bc:04:f4:
f1:b9:d1:09:9b:fa:f9:c1:2a:1f:72:bd:07:0d:69:
30:4e:cc:49:20:99:c1:49:dd:7d:15:bf:91:a0:52:
bb:62:94:30:68:91:f3:f5:ae:46:1d:7b:90:bd:52:
60:85:fb:be:0b:39:f3:d8:ae:e6:14:aa:cf:87:b7:
6b:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Non Repudiation, Key Encipherment, Key Agreement
X509v3 Authority Key Identifier:
keyid:91:FA:85:65:37:34:E2:26:D1:E4:0F:26:18:AD:00:82:44:36:9B:CD

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
email:userxxxxx@gmail.com
Signature Algorithm: sha256WithRSAEncryption
9b:82:70:dd:b3:5c:8d:3f:7a:00:c5:0a:26:da:8d:92:f7:8f:
a7:82:99:31:27:c2:e3:f3:86:f0:bf:a5:a1:fa:0a:a7:ea:d7:
78:95:f8:e3:9f:48:e6:78:a2:e8:75:51:59:f3:0a:a6:4c:7b:
b0:d4:43:95:fa:36:bb:b1:47:3a:f7:32:25:a1:4f:c5:e9:60:
66:cd:d5:99:7a:a3:ec:c6:cc:5a:ae:b3:d6:58:1e:d7:b7:f4:
58:38:25:12:60:c5:8d:f2:2b:7f:08:14:65:d0:2a:2c:c6:17:
75:db:c9:66:70:24:15:5f:4b:1b:74:93:aa:df:8b:4d:7f:43:
51:a3:f5:da:68:e8:5b:a5:b9:52:cb:ab:25:33:2d:90:42:8a:
48:98:5e:0b:9f:da:6a:ea:ca:fb:d7:8a:c2:f3:0f:e3:b1:25:
e5:cb:71:ab:d0:b7:d1:0a:5c:01:90:b1:08:c7:98:71:49:1f:
df:60:c4:26:4b:eb:40:ad:fc:9e:bb:09:d7:ae:b4:b9:81:e2:
b7:be:db:55:e4:15:26:ab:e1:03:7d:f1:3b:26:6c:7a:3d:1c:
59:f9:c9:b3:65:ac:45:ed:3d:9c:75:fb:d0:0b:01:41:d5:1d:
1e:97:e2:d6:57:4c:93:c6:89:d5:f5:63:ec:28:05:1a:7b:0e:
5e:a4:3e:1a:ee:c7:12:7c:1e:ec:92:9d:de:cf:a4:68:3d:50:
23:c9:f0:ba:b8:1b:8c:aa:7a:64:79:20:e8:6c:9f:53:f3:89:
15:3a:d1:15:30:ec:89:f0:ca:d0:94:00:94:34:68:fd:0f:57:
8a:27:3b:ae:45:2b:e8:a6:05:8f:07:d8:b1:4b:c5:12:b4:93:
80:3b:89:ea:01:91:9c:31:34:04:54:3d:e4:88:c7:93:d3:d5:
3d:ab:9d:21:c0:ff:ba:8c:72:48:18:d8:70:f9:59:1f:64:02:
5d:3a:77:75:ac:e9:b2:25:d3:c3:28:03:e8:60:fe:80:49:53:
4c:4c:d9:61:38:7f:b4:14:23:25:8c:18:d5:8f:8c:b4:eb:2c:
8a:52:0b:dd:e0:3d:52:8f:0f:52:c4:dd:e1:69:25:5e:ac:10:
2c:3a:4c:9b:7f:52:9c:20:e5:62:02:6d:26:ee:c3:42:c8:f7:
65:bb:e1:1b:35:aa:62:98:1f:aa:e5:30:37:a4:67:f1:c7:22:
49:fb:69:16:ba:46:0f:c6:38:67:d1:22:ad:5f:7b:70:a3:44:
61:c5:d9:1d:8a:bd:19:98:73:50:a7:7a:48:f2:96:e5:06:92:
4c:34:d6:15:bc:21:ba:85:da:d9:6e:41:a0:53:f1:38:09:38:
56:4d:3e:4e:ec:e6:e4:e6
============================
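The Key Usage printed in the client log for the server certificate (Non Repudiation, Key Encipherment, Key Agreement) and the X509v3 Key Usage of the client certificate above both omit Digital Signature. OpenVPN Connect 3 links mbed TLS (the log names it), and mbed TLS, unlike OpenSSL, checks the peer certificate's keyUsage bits against the negotiated key exchange before accepting the Certificate handshake message, reporting a mismatch as "Processing of the Certificate handshake message failed": an RSA server certificate used with a DHE or ECDHE ciphersuite must carry digitalSignature, and a client certificate always must. The following is an added example written for this page, not the poster's CA code, not part of mbed TLS or OpenVPN, and not a conclusion the thread itself reaches. It decodes a DER KeyUsage extension with the standard library only and applies that mbed TLS rule. The two extension encodings are constructed by hand for the example (one matching the bits shown in the thread, one corrected), and the function and constant names are the editor's.

```python
"""KeyUsage check that an mbed TLS peer applies during the TLS handshake.

Added example for this thread (stdlib only, not the poster's CA code). It
decodes an X.509 KeyUsage extension (RFC 5280 s4.2.1.3) from DER and applies
the rule from mbed TLS's mbedtls_ssl_check_cert_usage() and
mbedtls_x509_crt_check_key_usage(): the bit the key exchange needs must be set,
and encipherOnly/decipherOnly must not be set unless required.
"""

# Both extension encodings are constructed by hand for this example.
# As issued (the bits shown in the thread): nonRepudiation, keyEncipherment, keyAgreement.
KU_EXT_AS_ISSUED = bytes.fromhex("300e 0603 551d0f 0101ff 0404 0302 0368")
# Corrected: digitalSignature + keyEncipherment (the usual pair for an RSA TLS server cert).
KU_EXT_FIXED = bytes.fromhex("300e 0603 551d0f 0101ff 0404 0302 05a0")

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 id-ce-keyUsage, DER-encoded

# Bit names in the order RFC 5280 assigns them (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)


def _tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage_bits(bitstring):
    """BIT STRING contents: first byte is the number of unused trailing bits."""
    unused, data = bitstring[0], bitstring[1:]
    nbits = len(data) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and data[i // 8] & (0x80 >> (i % 8))}


def parse_key_usage_extension(der):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    Returns (critical, set of usage names)."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = _tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = _tlv(body, pos)
    if tag == 0x01:                        # optional critical flag
        critical = val == b"\xff"
        tag, val, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    tag, bits, _ = _tlv(val)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    return critical, decode_key_usage_bits(bits)


# Bit mbed TLS requires of a server certificate, per key exchange (mbedtls_ssl_check_cert_usage).
SERVER_REQUIRED = {
    "RSA": "keyEncipherment",              # static RSA key transport
    "DHE-RSA": "digitalSignature",         # server signs the ServerKeyExchange
    "ECDHE-RSA": "digitalSignature",
    "ECDHE-ECDSA": "digitalSignature",
    "ECDH-RSA": "keyAgreement",            # static ECDH
    "ECDH-ECDSA": "keyAgreement",
}
ONLY_BITS = {"encipherOnly", "decipherOnly"}


def mbedtls_accepts(usages, role, key_exchange=None):
    """True if a certificate with these keyUsage bits passes mbed TLS's check.
    role: 'server' (checked by the client, depends on key exchange) or
    'client' (checked by the server: always digitalSignature).
    A certificate with no KeyUsage extension at all (usages is None) is accepted."""
    if usages is None:
        return True
    required = SERVER_REQUIRED[key_exchange] if role == "server" else "digitalSignature"
    if required not in usages:
        return False
    # encipherOnly/decipherOnly must match the requirement exactly; none is required here.
    return not (usages & ONLY_BITS)


def audit(ext_der, key_exchange="ECDHE-RSA"):
    """Decode one extension and report what each side of the handshake would decide."""
    critical, usages = parse_key_usage_extension(ext_der)
    return {
        "critical": critical,
        "usages": sorted(usages),
        "ok_as_server_cert": mbedtls_accepts(usages, "server", key_exchange),
        "ok_as_client_cert": mbedtls_accepts(usages, "client"),
    }


if __name__ == "__main__":
    for label, ext in (("as issued", KU_EXT_AS_ISSUED), ("fixed", KU_EXT_FIXED)):
        print(label, audit(ext))
```

With the `cryptography` module the change is in the `x509.KeyUsage(...)` extension the CertificateBuilder adds: set `digital_signature=True` on both server and client certificates (the constructor takes all nine flags explicitly, so keep `key_encipherment=True` on the server certificate and pass the rest as `False`), then confirm with `openssl x509 -in cert.pem -noout -text` that the X509v3 Key Usage line lists Digital Signature. A certificate that carries no Key Usage extension at all also passes this mbed TLS check, and EasyRSA's server and client types set digitalSignature, which is why comparing against an EasyRSA-issued pair, as suggested later in the thread, is a useful test.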

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Failed to connect OpenVPN from Android client

Post by TinCanTech » Thu Nov 08, 2018 1:26 am


jijojoyk
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 07, 2018 1:27 pm

Re: Failed to connect OpenVPN from Android client

Post by jijojoyk » Thu Nov 08, 2018 1:40 am

Logs with verb 5 show only this on the server

==============
Nov 8 01:33:15 2018 us=598342 MULTI: multi_create_instance called
Thu Nov 8 01:33:15 2018 us=598440 223.228.159.43:27421 Re-using SSL/TLS context
Thu Nov 8 01:33:15 2018 us=598543 223.228.159.43:27421 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Nov 8 01:33:15 2018 us=598560 223.228.159.43:27421 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Nov 8 01:33:15 2018 us=598590 223.228.159.43:27421 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Nov 8 01:33:15 2018 us=598604 223.228.159.43:27421 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Nov 8 01:33:15 2018 us=598630 223.228.159.43:27421 TLS: Initial packet from [AF_INET]223.228.159.43:27421, sid=1baa1d05 041eb277
================

Server configuration
===============
local xxx.xxx.xxx.xxx
port 443
proto udp4
dev tun
ca /etc/ca/ca_cert.pem
cert /etc/server/server_cert.pem
key /etc/server/server_key.pem
crl-verify /etc/crl/crl.pem
dh /etc/dh2048.pem
server 172.16.15.0 255.255.252.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.16.156.1"
keepalive 10 120
user xxxxx
group xxxxx
persist-key
persist-tun
explicit-exit-notify
log /var/log/openvpn.log
verb 5
===============

Client config
==============
client
dev tun
keepalive 15 120
persist-key
persist-local-ip
persist-tun
remote xxx.xxx.xxx.xxx
port 443
proto udp
<ca>
</ca>
<cert>
</cert>
<key>
</key>
explicit-exit-notify
==============

Client side logs are already pasted in first post.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Failed to connect OpenVPN from Android client

Post by TinCanTech » Thu Nov 08, 2018 1:46 pm

jijojoyk wrote:
Wed Nov 07, 2018 1:31 pm
use a custom built CA to issue certificates, which is built on Python’s `cryptography` module
Try using EasyRSA and see if it works then.
