Thu Sep 20 16:06:28 2018 VERIFY ERROR: depth=0, error=format error in certificate's notBefore field: C=CH, ST=Vaud, L=Lausanne, O=Foo SA, OU=IT, CN=Foo_SSL_VPN_20180310, emailAddress=info@foo.com
$ sudo openvpn client.crssl
Thu Sep 20 16:06:22 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Sep 20 16:06:22 2018 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.10
Thu Sep 20 16:06:22 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 20 16:06:22 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.33.44:1234
Thu Sep 20 16:06:22 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Sep 20 16:06:22 2018 Attempting to establish TCP connection with [AF_INET]111.222.33.44:1234 [nonblock]
Thu Sep 20 16:06:24 2018 TCP connection established with [AF_INET]111.222.33.44:1234
Thu Sep 20 16:06:24 2018 TCP_CLIENT link local: (not bound)
Thu Sep 20 16:06:24 2018 TCP_CLIENT link remote: [AF_INET]111.222.33.44:1234
Thu Sep 20 16:06:24 2018 TLS: Initial packet from [AF_INET]111.222.33.44:1234, sid=1c89730a b999cb43
Thu Sep 20 16:06:24 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 20 16:06:28 2018 VERIFY OK: depth=1, C=CH, ST=Vaud, L=Lausanne, O=Foo SA, OU=IT, CN=Foo_CA, emailAddress=info@foo.com
Thu Sep 20 16:06:28 2018 VERIFY ERROR: depth=0, error=format error in certificate's notBefore field: C=CH, ST=Vaud, L=Lausanne, O=Foo SA, OU=IT, CN=Foo_SSL_VPN_20180310, emailAddress=info@foo.com
Thu Sep 20 16:06:28 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Sep 20 16:06:28 2018 TLS_ERROR: BIO read tls_read_plaintext error
Thu Sep 20 16:06:28 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 20 16:06:28 2018 TLS Error: TLS handshake failed
Thu Sep 20 16:06:28 2018 Fatal TLS error (check_tls_errors_co), restarting
Thu Sep 20 16:06:28 2018 SIGUSR1[soft,tls-error] received, process restarting
client
dev tun
port 1234
connect-retry 0
proto tcp-client
remote 111.222.33.44
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass login.conf
comp-lzo
auth-retry interact
verb 10
reneg-sec 0
status crssl_client_status.log
ca RootCertificate.pem
cert UserCertificate.pem
key UserPrivateKey.key
Unfortunately, I have no way of editing the certificate to fix the date as suggested by this post because it is held on the router which is apparently only accessible through a GUI. As a temporary workaround, I wanted to configure my client to skip checking the certificate entirely (and yes, I am aware of the risks), but could find no such option. So I instead created a dummy script:
$ cat foo.sh
#!/bin/sh
exit 0
$ ls -l foo.sh
-rwxrwxrwx 1 terdon terdon 17 Sep 21 11:30 foo.sh
tls-verify /home/terdon/foo.sh
Fri Sep 21 12:11:11 2018 WARNING: Failed running command (--tls-verify script): external program fork failed
Fri Sep 21 12:11:11 2018 VERIFY SCRIPT ERROR: depth=1, C=CH, ST=Vaud, L=Lausanne, O=foo SA, OU=IT, CN=foo_CA, emailAddress=info@foo.com
Fri Sep 21 12:11:11 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Sep 21 12:11:11 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Sep 21 12:11:11 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 21 12:11:11 2018 TLS Error: TLS handshake failed
Fri Sep 21 12:11:11 2018 Fatal TLS error (check_tls_errors_co), restarting
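Added example, not part of the original post: a small Python check of the notBefore/notAfter encoding that the `VERIFY ERROR` line complains about. It assumes the rejection comes from a time value that does not have the RFC 5280 shape; the post does not show the actual bytes. `check_validity`, `sample_cert` and the sample timestamps are constructed for illustration.

```python
import re

# RFC 5280 section 4.1.2.5: UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is YYYYMMDDHHMMSSZ.
TIME_RULES = {0x17: ("UTCTime", re.compile(rb"\d{12}Z")),
              0x18: ("GeneralizedTime", re.compile(rb"\d{14}Z"))}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def check_validity(der):
    """Return {'notBefore': (type, text, shape_ok), 'notAfter': ...} for a DER certificate."""
    _, cert, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tbs = children(children(cert)[0][1])          # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        tbs = tbs[1:]
    validity = children(tbs[3][1])                # after serial, signature, issuer
    result = {}
    for name, (tag, body) in zip(("notBefore", "notAfter"), validity):
        kind, rule = TIME_RULES.get(tag, ("tag 0x%02x" % tag, None))
        ok = bool(rule and rule.fullmatch(body))  # shape check only, not calendar validity
        result[name] = (kind, body.decode("ascii", "replace"), ok)
    return result

def _tlv(tag, body):  # helper for the constructed sample; short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after=b"280310120000Z"):
    """Constructed skeleton (not a real, signed certificate) with just enough fields to parse."""
    validity = _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + _tlv(0x30, b"") + validity)
    return _tlv(0x30, tbs)

if __name__ == "__main__":
    for nb in (b"180310120000Z", b"1803101200Z", b"180310120000+0100"):
        print(check_validity(sample_cert(nb))["notBefore"])
```

To run it on a real certificate, pass the DER bytes; a PEM file can be converted first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.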