Error unsupported certificate purpose

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

stefano.negro
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 29, 2019 1:17 pm

Error unsupported certificate purpose

Post by stefano.negro » Wed Jan 30, 2019 7:56 am

I have installed a Windows 2008 R2 server with OpenVPN with the configuration attached here, and with a mobile client it connects to the server.
When I try to connect an InHand 3G router I get a TLS error like in this post:
viewtopic.php?t=18550

Code:

Tue Jan 29 14:00:43 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Jan 29 14:00:43 2019 Windows version 6.1 (Windows 7) 64bit
Tue Jan 29 14:00:43 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Jan 29 14:00:43 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Tue Jan 29 14:00:43 2019 Need hold release from management interface, waiting...
Tue Jan 29 14:00:44 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'state on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'log all on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'echo all on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'hold off'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'hold release'
Tue Jan 29 14:00:44 2019 Diffie-Hellman initialized with 2048 bit key
Tue Jan 29 14:00:44 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 29 14:00:44 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 29 14:00:44 2019 interactive service msg_channel=0
Tue Jan 29 14:00:44 2019 ROUTE_GATEWAY 10.10.10.1/255.255.255.0 I=11 HWADDR=00:50:56:87:6b:0d
Tue Jan 29 14:00:44 2019 open_tun
Tue Jan 29 14:00:44 2019 TAP-WIN32 device [Connessione alla rete locale (LAN) 2] opened: \\.\Global\{515D7AF9-2A09-48D4-BC61-1553AB97135A}.tap
Tue Jan 29 14:00:44 2019 TAP-Windows Driver Version 9.21 
Tue Jan 29 14:00:44 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {515D7AF9-2A09-48D4-BC61-1553AB97135A} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Jan 29 14:00:44 2019 Sleeping for 10 seconds...
Tue Jan 29 14:00:54 2019 Successful ARP Flush on interface [13] {515D7AF9-2A09-48D4-BC61-1553AB97135A}
Tue Jan 29 14:00:54 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,ASSIGN_IP,,10.8.0.1,,,,
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,ADD_ROUTES,,,,,,
Tue Jan 29 14:00:54 2019 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Jan 29 14:00:54 2019 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jan 29 14:00:54 2019 Route addition via IPAPI succeeded [adaptive]
Tue Jan 29 14:00:54 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jan 29 14:00:54 2019 Listening for incoming TCP connection on [AF_INET][undef]:443
Tue Jan 29 14:00:54 2019 TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Tue Jan 29 14:00:54 2019 TCPv4_SERVER link remote: [AF_UNSPEC]
Tue Jan 29 14:00:54 2019 MULTI: multi_init called, r=256 v=256
Tue Jan 29 14:00:54 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Jan 29 14:00:54 2019 MULTI: TCP INIT maxclients=60 maxevents=64
Tue Jan 29 14:00:54 2019 Initialization Sequence Completed
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,CONNECTED,SUCCESS,10.8.0.1,,,,
Tue Jan 29 14:00:57 2019 TCP connection established with [AF_INET]x.y.w.z:12482
Tue Jan 29 14:00:58 2019 x.y.w.z:12482 TLS: Initial packet from [AF_INET]x.y.w.z:12482, sid=dd09e913 aae7af21
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=GE, L=Genova, O=XXX, OU=changeme, CN=server, name=server, emailAddress=xxx@xxx.com
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS Error: TLS handshake failed
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 Fatal TLS error (check_tls_errors_co), restarting
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 SIGUSR1[soft,tls-error] received, client-instance restarting
The server configuration file is:
ServerConfig
port 443
proto tcp4
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3


The following client configuration is working:
ClientConfig
client
dev tun
proto tcp4
remote <my.public.ip> 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>


Thanks
Stefano

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Error unsupported certificate purpose

Post by TinCanTech » Wed Jan 30, 2019 1:37 pm

stefano.negro wrote (Wed Jan 30, 2019 7:56 am):
VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=GE, L=Genova, O=XXX, OU=changeme, CN=server, name=server, emailAddress=xxx@xxx.com
Looks like your client has the wrong certificate.
