I've been trying to configure OpenVPN for a while now and I am getting certificate errors. I'm pretty sure I've configured the certificates correctly but I can't tell exactly what the problem is since the error message is ambiguous.
Here are my devices:
My OpenVPN "server" is a Mikrotik CRS125-24G-1S running RouterOS 6.40.3. I followed this guide to configure the OVPN server: http://david.kow.is/blog/2016/12/26/mik ... ux-server/
My OpenVPN "client" is an Ubuntu VPS running in RamNode (Linux nightvine 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64 x86_64 x86_64 GNU/Linux)
Here is the error that my OpenVPN client is complaining about (error in bold):
Sat Mar 17 19:30:07 2018 us=144316 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:46603
Sat Mar 17 19:30:07 2018 us=144360 TCPv4_SERVER link local (bound): [undef]
Sat Mar 17 19:30:07 2018 us=144382 TCPv4_SERVER link remote: [AF_INET]xxx.xxx.xxx.xxx:46603
Sat Mar 17 19:30:07 2018 us=144594 TCPv4_SERVER READ [14] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sat Mar 17 19:30:07 2018 us=144628 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:46603, sid=6376bfdc 964582da
Sat Mar 17 19:30:07 2018 us=144676 TCPv4_SERVER WRITE [26] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sat Mar 17 19:30:07 2018 us=148132 TCPv4_SERVER READ [26] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 0 ] pid=1 DATA len=0
Sat Mar 17 19:30:07 2018 us=148198 TCPv4_SERVER WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 1 ]
Sat Mar 17 19:30:07 2018 us=257196 TCPv4_SERVER READ [297] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=283
Sat Mar 17 19:30:07 2018 us=271290 TCPv4_SERVER WRITE [1196] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ 2 ] pid=1 DATA len=1170
Sat Mar 17 19:30:07 2018 us=271467 TCPv4_SERVER WRITE [1184] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Sat Mar 17 19:30:07 2018 us=271517 TCPv4_SERVER WRITE [304] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=290
Sat Mar 17 19:30:07 2018 us=272576 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 1 ]
Sat Mar 17 19:30:07 2018 us=314180 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 2 ]
Sat Mar 17 19:30:07 2018 us=314261 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 3 ]
Sat Mar 17 19:30:08 2018 us=495465 TCPv4_SERVER READ [1414] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1400
Sat Mar 17 19:30:08 2018 us=495762 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server
[b]Sat Mar 17 19:30:08 2018 us=495853 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Mar 17 19:30:08 2018 us=495876 TLS_ERROR: BIO read tls_read_plaintext error
Sat Mar 17 19:30:08 2018 us=495897 TLS Error: TLS object -> incoming plaintext read error
Sat Mar 17 19:30:08 2018 us=496017 TLS Error: TLS handshake failed
Sat Mar 17 19:30:08 2018 us=496208 Fatal TLS error (check_tls_errors_co), restarting[/b]
Sat Mar 17 19:30:08 2018 us=496479 TCP/UDP: Closing socket
Sat Mar 17 19:30:08 2018 us=496617 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 17 19:30:08 2018 us=496650 Restart pause, 1 second(s)
Sat Mar 17 19:30:09 2018 us=497341 Diffie-Hellman initialized with 2048 bit key
Sat Mar 17 19:30:09 2018 us=497569 WARNING: file '/etc/openvpn/nightvine.key' is group or others accessible
Sat Mar 17 19:30:09 2018 us=497869 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Mar 17 19:30:09 2018 us=497916 Socket Buffers: R=[174760->174760] S=[174760->174760]
Sat Mar 17 19:30:09 2018 us=497942 Preserving previous TUN/TAP instance: tun1
Sat Mar 17 19:30:09 2018 us=497971 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sat Mar 17 19:30:09 2018 us=498005 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,ifconfig 10.0.5.3 10.0.5.2,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Mar 17 19:30:09 2018 us=498029 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,ifconfig 10.0.5.2 10.0.5.3,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Mar 17 19:30:09 2018 us=498064 Local Options hash (VER=V4): '013a7c13'
Sat Mar 17 19:30:09 2018 us=498089 Expected Remote Options hash (VER=V4): '42f68198'
Sat Mar 17 19:30:09 2018 us=498113 Listening for incoming TCP connection on [undef]
Sat Mar 17 19:30:10 2018 us=454389 TCP/UDP: Closing socket
Sat Mar 17 19:30:10 2018 us=454738 /sbin/ip route del 10.10.220.0/24
Sat Mar 17 19:30:10 2018 us=457225 Closing TUN/TAP interface
Sat Mar 17 19:30:10 2018 us=457283 /sbin/ip addr del dev tun1 local 10.0.5.2 peer 10.0.5.3
Here is my OpenVPN client configuration:
client
mode p2p
bind
port 1192
proto tcp-server
#float is the default unless --remote is specified
float
dev tun1
#remote-cert-eku "TLS Web Server Authentication"
remote-cert-ku 88
remote-cert-tls server
# this is mine \/ \/ is the client
ifconfig 10.0.5.2 10.0.5.3
persist-tun
# cannot use comp-lzo with the routerboard
# can't use fragment with TCP connections, mssfix should be sufficient
mssfix
# Local route to the home network
route 10.10.220.0 255.255.255.0 vpn_gateway
keepalive 10 60
# 2048 dh params!
dh /etc/openvpn/dh2048.pem
tls-server
# other end CA
ca /etc/openvpn/ca.crt
# My certificate and key
cert /etc/openvpn/nightvine.crt
key /etc/openvpn/nightvine.key
# verify the certificate! only allowing a certificate that matches this CN
verify-x509-name client-cert name
As I said before, I have generated the keys using EasyRSA and correct EKU/KU settings (for server and client):
--------------------------SERVER CERTIFICATE--------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
db:3c:c9:db:ed:13:13:8a:98:78:f9:bf:e5:00:e4:d5
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Obnauticus CA
Validity
Not Before: Mar 17 04:05:57 2018 GMT
Not After : Mar 14 04:05:57 2028 GMT
Subject: CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:64:33:08:92:0d:4d:c1:d2:25:6a:63:57:53:
20:a4:78:fc:4b:1c:8e:a0:8a:82:76:f7:49:94:66:
0b:a1:32:5f:81:a9:6c:e6:ab:19:35:c2:f9:e0:4b:
5a:78:93:d2:c0:5d:5a:3c:70:14:e3:33:8c:3f:94:
28:95:c0:ae:55:db:76:13:dd:fd:4a:b5:19:c7:9f:
37:7a:09:4d:f5:f4:45:bd:19:f4:ad:99:9f:32:74:
96:2f:8b:f6:0c:0d:b5:7c:f4:c0:90:db:10:01:b0:
0b:cd:9f:02:5a:99:07:a7:ba:41:17:55:38:c4:bb:
5c:ca:eb:b2:e2:0d:10:42:c9:af:22:2d:4a:ff:8b:
f2:1e:cd:30:e8:b3:ba:29:43:af:ab:66:86:88:72:
ef:86:79:f9:be:b5:21:5d:ae:ba:c1:9c:bd:ac:c7:
bf:21:95:45:e1:05:a8:26:68:c0:1e:a1:cf:7d:1f:
10:19:21:d1:ad:62:ef:47:d3:40:2f:45:00:bd:97:
17:18:20:91:01:99:dc:d6:37:de:ad:bc:a9:72:ab:
3c:af:c3:b5:34:4d:ab:ba:34:fb:b2:4e:25:6a:e2:
d2:d4:6c:c0:94:81:bc:a8:83:4d:ac:8a:96:8f:ab:
28:e2:9b:f5:96:aa:ae:15:1c:70:14:81:f9:54:eb:
6a:27
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
DA:D9:7D:E1:14:4E:54:EB:86:D1:22:93:49:81:97:BC:2C:18:F6:2B
X509v3 Authority Key Identifier:
keyid:10:9B:C4:26:94:15:9B:BF:6F:75:EB:6E:34:C5:D0:99:1E:7E:4E:45
DirName:/CN=Obnauticus CA
serial:FC:47:68:F4:C6:36:73:FC
[b] X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server[/b]
Signature Algorithm: sha256WithRSAEncryption
aa:9e:2a:6a:62:b3:36:c5:02:99:d2:0b:27:62:bd:e9:92:dd:
6f:9a:dd:9d:2f:92:ba:14:f7:0c:bb:82:5d:ec:75:ba:01:c0:
d4:26:ba:c6:de:70:88:bd:41:a7:1c:90:37:80:36:2e:b2:10:
ae:77:ab:54:02:1d:71:7e:6b:e6:ab:45:cc:a0:56:ff:42:b3:
4f:33:20:c7:1c:77:9d:08:84:d6:83:68:8c:19:38:76:63:f1:
6d:2d:3b:6b:e9:84:d4:75:d8:6e:7e:34:76:7f:c9:a4:1d:32:
6d:fc:e1:2e:a7:ee:7c:bf:4e:64:f9:f6:53:59:c6:d7:2a:bd:
da:43:ae:cb:62:b3:0a:79:05:af:af:02:fe:c1:17:f4:b5:da:
f9:da:d9:f9:45:4a:cc:44:01:61:d1:0b:90:f9:d3:22:e3:3f:
37:dc:48:b9:6e:10:56:72:41:59:28:00:58:46:65:e8:a9:07:
02:bf:96:5f:a7:6a:93:1e:72:db:0c:fd:8e:be:c1:89:d1:ab:
da:6c:b2:8a:d3:2d:2f:a1:20:c1:c1:42:e0:51:04:4a:99:63:
e7:65:8c:70:e8:fb:d5:a7:33:c9:49:94:a8:4a:67:dc:25:84:
bd:b2:1a:0e:81:ae:93:32:62:64:f1:7d:dc:5f:39:41:8c:62:
b2:24:b7:af
-----BEGIN CERTIFICATE-----
* REDACTED *
-----END CERTIFICATE-----
--------------------------CLIENT CERTIFICATE--------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:d4:68:62:7f:85:9a:f0:96:08:09:85:b7:c7:bb:45
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Obnauticus CA
Validity
Not Before: Mar 17 04:06:07 2018 GMT
Not After : Mar 14 04:06:07 2028 GMT
Subject: CN=nightvine
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dc:6d:09:24:41:9d:0c:28:ee:f0:4a:de:6e:ac:
e7:80:30:6c:b4:be:5e:f5:24:ec:54:11:ff:22:6b:
8e:ef:e2:cb:00:9f:e1:6f:bd:07:bc:e5:83:aa:27:
89:20:21:2a:8b:c4:a6:17:90:99:19:ad:b5:60:57:
21:ca:16:d7:70:a0:da:3f:2f:a2:cf:24:c2:0b:28:
37:88:b8:ae:82:be:67:92:46:bd:e2:f9:f5:71:01:
95:c2:13:11:14:34:1d:69:8e:06:4d:db:dc:3c:f8:
16:3a:84:d0:ac:76:9e:38:10:39:90:3b:a9:9c:b2:
40:50:d2:fc:d8:c1:08:0a:4f:c1:10:76:a2:30:43:
77:dc:c6:c2:f5:e7:6d:81:73:7c:8e:c0:52:5d:84:
07:4a:bc:10:62:57:22:ba:71:4e:9a:c2:14:cf:ab:
02:a4:45:e1:9e:bb:6e:92:6c:e3:e3:20:38:4d:bd:
70:68:49:b7:66:18:40:28:e9:0d:09:70:df:85:0d:
8a:c5:7f:1c:61:5c:5e:d6:c5:1e:16:de:ed:0e:f8:
ea:11:47:8e:3b:47:e8:04:62:79:f1:67:8d:e0:1c:
d7:2a:14:3c:2c:b9:af:b6:26:34:00:87:d6:58:19:
07:97:16:4d:c8:8b:67:0b:59:97:5a:a0:2c:83:d6:
7a:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
A7:DE:12:52:50:57:B7:46:F7:AC:93:EA:DC:97:9D:D8:4E:B3:36:89
X509v3 Authority Key Identifier:
keyid:10:9B:C4:26:94:15:9B:BF:6F:75:EB:6E:34:C5:D0:99:1E:7E:4E:45
DirName:/CN=Obnauticus CA
serial:FC:47:68:F4:C6:36:73:FC
[b] X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature[/b]
Signature Algorithm: sha256WithRSAEncryption
54:ed:4f:ce:d7:95:51:d6:93:54:41:d5:d9:89:a5:8d:03:89:
97:6e:5a:74:7f:76:47:39:70:39:03:bd:0b:1d:25:72:df:31:
35:49:d4:3c:73:16:20:ae:ed:1b:9c:e6:75:76:cc:3d:bb:68:
fd:62:fe:3c:af:ff:1f:b1:cd:38:60:e8:9d:62:e7:4f:57:82:
f9:0a:92:5f:f5:65:1e:59:da:8f:50:56:cd:ca:04:98:19:a5:
23:8a:50:ec:8c:b3:a2:2c:d2:3e:1b:ac:29:65:94:1a:31:60:
14:d7:ba:0a:0d:8b:f9:6e:6c:5a:28:ee:ee:da:53:df:92:2d:
92:42:7d:aa:75:a2:8a:9d:d5:0e:97:26:00:b5:03:e2:f7:ad:
67:53:0b:0f:b0:a0:48:2f:42:0a:10:07:9d:17:80:cc:4e:c3:
25:c0:1f:3f:ff:e3:8c:86:40:eb:79:68:e3:47:01:8e:3d:e7:
e5:f9:3d:4f:f7:45:e5:93:7f:38:a2:fd:06:60:11:82:6e:d6:
2d:f1:38:07:99:67:8d:c1:55:b9:42:84:82:28:3c:55:48:5a:
e5:8c:f9:25:04:d5:e9:53:d0:14:c8:a3:e1:68:de:c4:40:f1:
6b:6e:55:bc:3d:1f:54:2a:91:65:20:98:ad:78:3d:54:3e:68:
45:5a:a2:83
-----BEGIN CERTIFICATE-----
* REDACTED *
-----END CERTIFICATE-----
s_client -> s_server connection (from s_client perspective):
$ openssl s_client -msg -verify -tls1_2 -state -showcerts -cert nightvine.crt -key nightvine.key -connect localhost:1112
verify depth is 0
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 0122], ClientHello
[REMOVED BECAUSE TOO LARGE]
SSL_connect:unknown state
<<< TLS 1.2 Handshake [length 0042], ServerHello
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server hello A
<<< TLS 1.2 Handshake [length 0382], Certificate
[REMOVED BECAUSE TOO LARGE]
depth=0 CN = server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = server
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server key exchange A
<<< TLS 1.2 Handshake [length 002a], CertificateRequest
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server done A
>>> TLS 1.2 Handshake [length 035f], Certificate
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.2 Handshake [length 0108], CertificateVerify
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 70 ea 66 98 ec 8f 0d 05 f5 0c 12 55
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.2 Handshake [length 040a]???
[REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server session ticket A
<<< TLS 1.2 ChangeCipherSpec [length 0001]
01
<<< TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 5c a4 49 1d 67 55 2a ee dc e8 0f 81
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/CN=server
i:/CN=Obnauticus CA
-----BEGIN CERTIFICATE-----
[REMOVED BECAUSE TOO LARGE]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server
issuer=/CN=Obnauticus CA
---
No client certificate CA names sent
---
SSL handshake has read 2453 bytes and written 1558 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [REMOVED BECAUSE TOO LARGE]
Session-ID-ctx:
Master-Key: [REMOVED BECAUSE TOO LARGE]
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[REMOVED BECAUSE TOO LARGE]
Start Time: 1521329730
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
TEST
$ openssl s_server -msg -verify -tls1_2 -state -cert server.crt -key server.key -accept 1112
verify depth is 0
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
SSL_accept:before/accept initialization
<<< TLS 1.2 Handshake [length 0122], ClientHello
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read client hello A
>>> TLS 1.2 Handshake [length 0042], ServerHello
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write server hello A
>>> TLS 1.2 Handshake [length 0382], Certificate
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write certificate A
>>> TLS 1.2 Handshake [length 014d], ServerKeyExchange
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write key exchange A
>>> TLS 1.2 Handshake [length 002e], CertificateRequest
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
<<< TLS 1.2 Handshake [length 035f], Certificate
[REMOVED BECAUSE TOO LARGE]
depth=0 CN = nightvine
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nightvine
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = nightvine
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_accept:SSLv3 read client certificate A
<<< TLS 1.2 Handshake [length 0046], ClientKeyExchange
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read client key exchange A
<<< TLS 1.2 Handshake [length 0108], CertificateVerify
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read certificate verify A
<<< TLS 1.2 ChangeCipherSpec [length 0001]
01
<<< TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c 70 ea 66 98 ec 8f 0d 05 f5 0c 12 55
SSL_accept:SSLv3 read finished A
>>> TLS 1.2 Handshake [length 040a]???
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write session ticket A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
SSL_accept:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
[REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
[REMOVED BECAUSE TOO LARGE]
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
[REMOVED BECAUSE TOO LARGE]
-----END CERTIFICATE-----
subject=/CN=nightvine
issuer=/CN=Obnauticus CA
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
TEST
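Added example, not part of the original post: a Python check of the Extended Key Usage and Netscape Cert Type values from the two certificate dumps above against the role OpenSSL verifies the peer in, read from the `ssl3_get_client_certificate` frame in the log. The function names and the embedded excerpts are constructed for illustration, and Key Usage bits are not checked.

```python
import re

# Value a non-CA peer certificate must list, keyed by the TLS role the peer
# plays. OpenSSL applies each check only when the extension is present at all.
REQUIRED = {
    "client": {"X509v3 Extended Key Usage": "TLS Web Client Authentication",
               "Netscape Cert Type": "SSL Client"},
    "server": {"X509v3 Extended Key Usage": "TLS Web Server Authentication",
               "Netscape Cert Type": "SSL Server"},
}
EXT_HEADER = re.compile(r"^(X509v3 [\w ]+|Netscape Cert Type):(?: critical)?$")


def parse_extensions(text):
    """Map extension name -> list of values from `openssl x509 -text` output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    exts = {}
    for header, value in zip(lines, lines[1:]):
        m = EXT_HEADER.match(header)
        # Skip section titles such as "X509v3 extensions:" that precede a header.
        if m and not EXT_HEADER.match(value):
            exts[m.group(1)] = [v.strip() for v in value.split(",")]
    return exts


def peer_role(log):
    """Role the peer is verified in, from the OpenSSL function in the error line."""
    m = re.search(r"ssl3_get_(client|server)_certificate", log, re.IGNORECASE)
    return m.group(1).lower() if m else None


def purpose_problems(exts, role):
    """List the extensions that rule the certificate out for `role`."""
    problems = []
    for ext, needed in REQUIRED[role].items():
        values = exts.get(ext)
        if values is not None and needed not in values:
            problems.append(f"{ext} lacks '{needed}' (has: {', '.join(values)})")
    return problems


# Constructed excerpts: extension values and log line copied from the post above.
SERVER_CERT = """Netscape Cert Type:
SSL Server
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment"""
CLIENT_CERT = """X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature"""
LOG = "OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed"

if __name__ == "__main__":
    role = peer_role(LOG)
    for name, cert in (("CN=server", SERVER_CERT), ("CN=nightvine", CLIENT_CERT)):
        print(name, "as TLS", role, "->", purpose_problems(parse_extensions(cert), role) or "ok")
```

The side running `tls-server` verifies whatever certificate the connecting peer presents for the client purpose, regardless of which end is called the OpenVPN "server".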