TLS verification fails after indication of a successful connection


Post by ionilith » Fri Nov 10, 2017 7:29 pm

The server is running on CentOS 7 and I am attempting to connect with a Windows client. I have not been able to find a post that shows exactly what I am seeing. It appears that TLS initially appears to have made a connection. Just to double check everything I have turned off all firewalls (router, client, server) and the log I get is the same each time. I am hoping someone might have a clue what this means.

Fri Nov 10 14:25:17 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Nov 10 14:25:17 2017 Windows version 6.1 (Windows 7) 64bit
Fri Nov 10 14:25:17 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Nov 10 14:25:17 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Nov 10 14:25:17 2017 Need hold release from management interface, waiting...
Fri Nov 10 14:25:17 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Nov 10 14:25:18 2017 MANAGEMENT: CMD 'state on'
Fri Nov 10 14:25:18 2017 MANAGEMENT: CMD 'log all on'
Fri Nov 10 14:25:18 2017 MANAGEMENT: CMD 'echo all on'
Fri Nov 10 14:25:18 2017 MANAGEMENT: CMD 'hold off'
Fri Nov 10 14:25:18 2017 MANAGEMENT: CMD 'hold release'
Fri Nov 10 14:25:22 2017 MANAGEMENT: CMD 'password [...]'
Fri Nov 10 14:25:22 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 10 14:25:22 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 10 14:25:22 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1117
Fri Nov 10 14:25:22 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 10 14:25:22 2017 UDP link local (bound): [AF_INET][undef]:1117
Fri Nov 10 14:25:22 2017 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1117
Fri Nov 10 14:25:22 2017 MANAGEMENT: >STATE:1510341922,WAIT,,,,,,
Fri Nov 10 14:25:22 2017 MANAGEMENT: >STATE:1510341922,AUTH,,,,,,
Fri Nov 10 14:25:22 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1117, sid=a9702662 97a7592e
Fri Nov 10 14:25:22 2017 VERIFY OK: depth=1, C=US, ST=PA, L=Pittsburgh, O=Organization, OU=MyOrganizationalUnit, CN=xxx.xxx.xxx.xxx, name=server, emailAddress=me@myhost.mydomain
Fri Nov 10 14:25:22 2017 VERIFY KU OK
Fri Nov 10 14:25:22 2017 Validating certificate extended key usage
Fri Nov 10 14:25:22 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Nov 10 14:25:22 2017 VERIFY EKU OK
Fri Nov 10 14:25:22 2017 VERIFY OK: depth=0, C=US, ST=PA, L=Pittsburgh, O=Organization, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
Fri Nov 10 14:26:22 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 10 14:26:22 2017 TLS Error: TLS handshake failed
Fri Nov 10 14:26:22 2017 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 10 14:26:22 2017 MANAGEMENT: >STATE:1510341982,RECONNECTING,tls-error,,,,,
Fri Nov 10 14:26:22 2017 Restart pause, 5 second(s)

What I do notice is that in the first verification line it has CN as the IP address. But in the second one it has the CN as the server certificate name (which is cleverly named "server").


Re: TLS verification fails after indication of a successful connection

Post by TinCanTech » Fri Dec 08, 2017 10:58 am

ionilith wrote: Fri Nov 10, 2017 7:29 pm
    I am hoping someone might have a clue what this means

ionilith wrote: Fri Nov 10, 2017 7:29 pm
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Generally, it means you have set up your network incorrectly ..
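
An added example, not part of the original posts and not OpenVPN's own tooling: a small triage script that reads a client log like the one in the first post and reports how far the TLS handshake got before the 60-second timeout, including which certificate each VERIFY OK line refers to. The function name `triage`, the result keys and the verdict strings are assumptions made for this example; the sample lines are copied from the log in the first post.

```python
import re
from datetime import datetime

# Sample input: four lines copied from the client log in the first post.
SAMPLE_LOG = """\
Fri Nov 10 14:25:22 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1117, sid=a9702662 97a7592e
Fri Nov 10 14:25:22 2017 VERIFY OK: depth=1, C=US, ST=PA, L=Pittsburgh, O=Organization, OU=MyOrganizationalUnit, CN=xxx.xxx.xxx.xxx, name=server, emailAddress=me@myhost.mydomain
Fri Nov 10 14:25:22 2017 VERIFY OK: depth=0, C=US, ST=PA, L=Pittsburgh, O=Organization, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
Fri Nov 10 14:26:22 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Nov 10 14:25:22 2017" (24 characters)
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+),.*?\bCN=([^,]+)")

def triage(log_text):
    """Summarise how far the TLS handshake got in an OpenVPN client log."""
    result = {"initial_packet": False, "certs": [], "timed_out": False,
              "completed": False, "stall_seconds": None}
    last_progress = None  # timestamp of the last line that showed handshake progress
    for line in log_text.splitlines():
        try:
            stamp = datetime.strptime(line[:24], TS_FORMAT)
        except ValueError:
            continue  # prompts and other lines without a timestamp
        msg = line[25:]
        m = VERIFY_RE.search(msg)
        if msg.startswith("TLS: Initial packet from"):
            result["initial_packet"], last_progress = True, stamp
        elif m:
            depth = int(m.group(1))
            # depth 0 is the peer's own certificate; higher depths are its issuing CAs
            role = "peer certificate" if depth == 0 else "CA certificate"
            result["certs"].append((depth, m.group(2), role))
            last_progress = stamp
        elif "TLS key negotiation failed to occur" in msg:
            result["timed_out"] = True
            if last_progress:
                result["stall_seconds"] = int((stamp - last_progress).total_seconds())
        elif "Initialization Sequence Completed" in msg:
            result["completed"] = True
    if result["timed_out"] and result["initial_packet"] and result["certs"]:
        result["verdict"] = "stalled after certificate verification"
    elif result["timed_out"]:
        result["verdict"] = "no usable reply from server"
    else:
        result["verdict"] = "completed" if result["completed"] else "inconclusive"
    return result
```

On the sample lines, `triage(SAMPLE_LOG)` reports that the server's first packet arrived and both certificates verified before the handshake stalled, so the server-side log for the same time window is the next thing to compare.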
