Update client from 2.5.0 beta 1 to 2.5.x leads to "Self-signed certificate".

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

Update client from 2.5.0 beta 1 to 2.5.x leads to "Self-signed certificate".

Post by chameleon » Sat Sep 18, 2021 12:00 pm

My OpenVPN network is TAP, and is configured like this:
viewtopic.php?f=7&t=30633&p=93136#p93136

I have an ARM v7 with OpenVPN server version

Code: Select all

OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan
I have a WORKING Windows 10 client with OpenVPN version 2.5.0 beta 1.
I have a NON-WORKING Windows 10 client with OpenVPN version 2.5.0 to 2.5.3 (I test them all).

NON-WORKING means: viewtopic.php?f=22&t=33023&p=102165#p102165


When I insert the .conf file with inline certificates from WORKING client to NON-WORKING client, NON-WORKING client still does not work.

When I replace ALL the .EXE and DLL files to NON-WORKING client from them to WORKING client, NON-WORKING client WORKS!

So, something happen from version 2.5.0 beta 1 to version 2.5.0.

Also the 2.5.0 beta 1 becomes valuable because it is not available for download.


UPDATE:
Downgrading libcrypto-1_1-x64.dll from 1.1.1.8 (2.5.0) to 1.1.1.7 (2.5.0 beta1) fixes the problem.

So the question is what this means?

Code: Select all

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

    Certificates with explicit curve parameters are now disallowed in verification chains if the X509_V_FLAG_X509_STRICT flag is used.
What I must do?

chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

Re: Update client from 2.5.0 beta 1 to 2.5.x leads to "Self-signed certificate".

Post by chameleon » Sun Sep 19, 2021 3:10 pm

Solution:

- Download latest OpenSSL for Windows or Linux. At least 1.1.1.h. If your OpenSSL is 1.1.1.g or older, the false "self-signed certficate" problem will occur.

- Remove old and re-create the certifications for server and clients with OpenSSL 1.1.1.h at least. DO NOT FORGET to fill a "Common Name" (CA) because it is optional for OpenSSL but mandatory for OpenVPN. OpenVPN fails if CA is empty. You can sign the certifications like this: viewtopic.php?f=7&t=30633&p=93136

- Stop OpenVPN server.

- Replace all certifications for server and clients.

- Start OpenVPN server.

- All ok (at least for me).

Post Reply