Regression client connect problem error:0A000086:SSL

Official client software for OpenVPN Access Server and OpenVPN Cloud.
thhart
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 06, 2015 7:44 am

Regression client connect problem error:0A000086:SSL

Post by thhart » Mon Feb 28, 2022 9:28 am

All of a sudden the Android App refuses to connect, with a self-signed certificate validation problem. All other Linux/Windows clients can connect.
I have a Samsung mobile with a recent Android 12 update. Unfortunately I do not use the Connect App very regularly, but I noticed now that the client cannot connect any more; this worked without problems over the years, but the last time was some months ago. SHA is used for signing for all certs. I also cannot say whether it is related to a specific App version. I also created a new ca.crt, without change. I also tried special options in the client config for compatibility, without success.
The server then only sees a short connect and disconnect.

I can see this in the client log; no other hint was found anywhere:

2022-02-28 10:10:26 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: *******
2022-02-28 10:10:26 OpenSSL: error:0A000086:SSL routines::certificate verify failed
I will attach all the other files now.

client

client
proto tcp
connect-timeout 30
fast-io
tls-timeout 10
dev tun
remote vpn.itth.com
socket-flags TCP_NODELAY
port 1194
comp-lzo
ping 5
ping-restart 5
verb 9
<key>
*******
</key>
<cert>
*******
</cert>
<ca>
*******
</ca>

2022-02-28 10:10:25 official build 0.7.33 running on samsung SM-N970F (exynos9825), Android 12 (SP1A.210812.016) API 31, ABI arm64-v8a, (samsung/d1eea/d1:12/SP1A.210812.016/N970FXXU7GVA5:user/release-keys)
2022-02-28 10:10:25 Building configuration…
2022-02-28 10:10:25 started Socket Thread
2022-02-28 10:10:25 Network Status: CONNECTED  to WIFI
2022-02-28 10:10:25 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-02-28 10:10:25 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-02-28 10:10:25 P:WARNING: linker: Warning: "/data/app/~~CMMIqFNdaMxbhRHzfLL5ug==/de.blinkt.openvpn-lQpGXBTN2hSXEoOP9gpb2w==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-02-28 10:10:25 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-02-28 10:10:25 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-02-28 10:10:25 Current Parameter Settings:
2022-02-28 10:10:25   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-02-28 10:10:25   mode = 0
2022-02-28 10:10:25   show_ciphers = DISABLED
2022-02-28 10:10:25   show_digests = DISABLED
2022-02-28 10:10:25   show_engines = DISABLED
2022-02-28 10:10:25   genkey = DISABLED
2022-02-28 10:10:25   genkey_filename = '[UNDEF]'
2022-02-28 10:10:25   key_pass_file = '[UNDEF]'
2022-02-28 10:10:25   show_tls_ciphers = DISABLED
2022-02-28 10:10:25   connect_retry_max = 1
2022-02-28 10:10:25 Connection profiles [0]:
2022-02-28 10:10:25   proto = tcp-client
2022-02-28 10:10:25   local = '[UNDEF]'
2022-02-28 10:10:25   local_port = '[UNDEF]'
2022-02-28 10:10:25   remote = 'vpn.itth.com'
2022-02-28 10:10:25   remote_port = '1194'
2022-02-28 10:10:25   remote_float = DISABLED
2022-02-28 10:10:25   bind_defined = DISABLED
2022-02-28 10:10:25   bind_local = DISABLED
2022-02-28 10:10:25   bind_ipv6_only = DISABLED
2022-02-28 10:10:25   connect_retry_seconds = 2
2022-02-28 10:10:25   connect_timeout = 30
2022-02-28 10:10:25   socks_proxy_server = '[UNDEF]'
2022-02-28 10:10:25   socks_proxy_port = '[UNDEF]'
2022-02-28 10:10:25   tun_mtu = 1500
2022-02-28 10:10:25   tun_mtu_defined = ENABLED
2022-02-28 10:10:25   link_mtu = 1500
2022-02-28 10:10:25   link_mtu_defined = DISABLED
2022-02-28 10:10:25   tun_mtu_extra = 0
2022-02-28 10:10:25   tun_mtu_extra_defined = DISABLED
2022-02-28 10:10:25   mtu_discover_type = -1
2022-02-28 10:10:25   fragment = 0
2022-02-28 10:10:25   mssfix = 1492
2022-02-28 10:10:25   mssfix_encap = ENABLED
2022-02-28 10:10:25   explicit_exit_notification = 0
2022-02-28 10:10:25   tls_auth_file = '[UNDEF]'
2022-02-28 10:10:25   key_direction = not set
2022-02-28 10:10:25   tls_crypt_file = '[UNDEF]'
2022-02-28 10:10:25   tls_crypt_v2_file = '[UNDEF]'
2022-02-28 10:10:25 Connection profiles END
2022-02-28 10:10:25   remote_random = DISABLED
2022-02-28 10:10:25   ipchange = '[UNDEF]'
2022-02-28 10:10:25 Waiting 0s seconds between connection attempt
2022-02-28 10:10:25   dev = 'tun'
2022-02-28 10:10:25   dev_type = '[UNDEF]'
2022-02-28 10:10:25   dev_node = '[UNDEF]'
2022-02-28 10:10:25   lladdr = '[UNDEF]'
2022-02-28 10:10:25   topology = 1
2022-02-28 10:10:25   ifconfig_local = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_remote_netmask = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_noexec = DISABLED
2022-02-28 10:10:25   ifconfig_nowarn = ENABLED
2022-02-28 10:10:25   ifconfig_ipv6_local = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_ipv6_netbits = 0
2022-02-28 10:10:25   ifconfig_ipv6_remote = '[UNDEF]'
2022-02-28 10:10:25   shaper = 0
2022-02-28 10:10:25   mtu_test = 0
2022-02-28 10:10:25   mlock = DISABLED
2022-02-28 10:10:25   keepalive_ping = 0
2022-02-28 10:10:25   keepalive_timeout = 0
2022-02-28 10:10:25   inactivity_timeout = 0
2022-02-28 10:10:25   ping_send_timeout = 5
2022-02-28 10:10:25   ping_rec_timeout = 5
2022-02-28 10:10:25   ping_rec_timeout_action = 2
2022-02-28 10:10:25   ping_timer_remote = DISABLED
2022-02-28 10:10:25   remap_sigusr1 = 0
2022-02-28 10:10:25   persist_tun = DISABLED
2022-02-28 10:10:25   persist_local_ip = DISABLED
2022-02-28 10:10:25   persist_remote_ip = DISABLED
2022-02-28 10:10:25   persist_key = DISABLED
2022-02-28 10:10:25   passtos = DISABLED
2022-02-28 10:10:25   resolve_retry_seconds = 60
2022-02-28 10:10:25   resolve_in_advance = DISABLED
2022-02-28 10:10:25   username = '[UNDEF]'
2022-02-28 10:10:25   groupname = '[UNDEF]'
2022-02-28 10:10:25   chroot_dir = '[UNDEF]'
2022-02-28 10:10:25   cd_dir = '[UNDEF]'
2022-02-28 10:10:25   writepid = '[UNDEF]'
2022-02-28 10:10:25   up_script = '[UNDEF]'
2022-02-28 10:10:25   down_script = '[UNDEF]'
2022-02-28 10:10:25   down_pre = DISABLED
2022-02-28 10:10:25   up_restart = DISABLED
2022-02-28 10:10:25   up_delay = DISABLED
2022-02-28 10:10:25   daemon = DISABLED
2022-02-28 10:10:25   log = DISABLED
2022-02-28 10:10:25   suppress_timestamps = DISABLED
2022-02-28 10:10:25   machine_readable_output = ENABLED
2022-02-28 10:10:25   nice = 0
2022-02-28 10:10:25   verbosity = 4
2022-02-28 10:10:25   mute = 0
2022-02-28 10:10:25   gremlin = 0
2022-02-28 10:10:25   status_file = '[UNDEF]'
2022-02-28 10:10:25   status_file_version = 1
2022-02-28 10:10:25   status_file_update_freq = 60
2022-02-28 10:10:25   occ = ENABLED
2022-02-28 10:10:25   rcvbuf = 0
2022-02-28 10:10:25   sndbuf = 0
2022-02-28 10:10:25   sockflags = 2
2022-02-28 10:10:25   fast_io = ENABLED
2022-02-28 10:10:25   comp.alg = 2
2022-02-28 10:10:25   comp.flags = 1
2022-02-28 10:10:25   route_script = '[UNDEF]'
2022-02-28 10:10:25   route_default_gateway = '[UNDEF]'
2022-02-28 10:10:25   route_default_metric = 0
2022-02-28 10:10:25   route_noexec = DISABLED
2022-02-28 10:10:25   route_delay = 0
2022-02-28 10:10:25   route_delay_window = 30
2022-02-28 10:10:25   route_delay_defined = DISABLED
2022-02-28 10:10:25   route_nopull = DISABLED
2022-02-28 10:10:25   route_gateway_via_dhcp = DISABLED
2022-02-28 10:10:25   allow_pull_fqdn = DISABLED
2022-02-28 10:10:25   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-02-28 10:10:25   management_port = 'unix'
2022-02-28 10:10:25   management_user_pass = '[UNDEF]'
2022-02-28 10:10:25   management_log_history_cache = 250
2022-02-28 10:10:25   management_echo_buffer_size = 100
2022-02-28 10:10:25   management_write_peer_info_file = '[UNDEF]'
2022-02-28 10:10:25   management_client_user = '[UNDEF]'
2022-02-28 10:10:25   management_client_group = '[UNDEF]'
2022-02-28 10:10:25   management_flags = 16678
2022-02-28 10:10:25   shared_secret_file = '[UNDEF]'
2022-02-28 10:10:25   key_direction = not set
2022-02-28 10:10:25   ciphername = 'BF-CBC'
2022-02-28 10:10:25   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2022-02-28 10:10:25   authname = 'SHA1'
2022-02-28 10:10:25   engine = DISABLED
2022-02-28 10:10:25   replay = ENABLED
2022-02-28 10:10:25   mute_replay_warnings = DISABLED
2022-02-28 10:10:25   replay_window = 64
2022-02-28 10:10:25   replay_time = 15
2022-02-28 10:10:25   packet_id_file = '[UNDEF]'
2022-02-28 10:10:25   test_crypto = DISABLED
2022-02-28 10:10:25   tls_server = DISABLED
2022-02-28 10:10:25   tls_client = ENABLED
2022-02-28 10:10:25   ca_file = '[INLINE]'
2022-02-28 10:10:25   ca_path = '[UNDEF]'
2022-02-28 10:10:25   dh_file = '[UNDEF]'
2022-02-28 10:10:25   cert_file = '[INLINE]'
2022-02-28 10:10:25   extra_certs_file = '[UNDEF]'
2022-02-28 10:10:25   priv_key_file = '[INLINE]'
2022-02-28 10:10:25   pkcs12_file = '[UNDEF]'
2022-02-28 10:10:25   cipher_list = '[UNDEF]'
2022-02-28 10:10:25   cipher_list_tls13 = '[UNDEF]'
2022-02-28 10:10:25   tls_cert_profile = 'legacy'
2022-02-28 10:10:25   tls_verify = '[UNDEF]'
2022-02-28 10:10:25   tls_export_cert = '[UNDEF]'
2022-02-28 10:10:25   verify_x509_type = 0
2022-02-28 10:10:25   verify_x509_name = '[UNDEF]'
2022-02-28 10:10:25   crl_file = '[UNDEF]'
2022-02-28 10:10:25   ns_cert_type = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_eku = '[UNDEF]'
2022-02-28 10:10:25   ssl_flags = 192
2022-02-28 10:10:25   tls_timeout = 10
2022-02-28 10:10:25   renegotiate_bytes = -1
2022-02-28 10:10:25   renegotiate_packets = 0
2022-02-28 10:10:25   renegotiate_seconds = 3600
2022-02-28 10:10:25   handshake_window = 60
2022-02-28 10:10:25   transition_window = 3600
2022-02-28 10:10:25   single_session = DISABLED
2022-02-28 10:10:25   push_peer_info = DISABLED
2022-02-28 10:10:25   tls_exit = DISABLED
2022-02-28 10:10:25   tls_crypt_v2_metadata = '[UNDEF]'
2022-02-28 10:10:25   server_network = 0.0.0.0
2022-02-28 10:10:25   server_netmask = 0.0.0.0
2022-02-28 10:10:25   server_network_ipv6 = ::
2022-02-28 10:10:25   server_netbits_ipv6 = 0
2022-02-28 10:10:25   server_bridge_ip = 0.0.0.0
2022-02-28 10:10:25   server_bridge_netmask = 0.0.0.0
2022-02-28 10:10:25   server_bridge_pool_start = 0.0.0.0
2022-02-28 10:10:25   server_bridge_pool_end = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_defined = DISABLED
2022-02-28 10:10:25   ifconfig_pool_start = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_end = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_netmask = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_persist_filename = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_pool_persist_refresh_freq = 600
2022-02-28 10:10:25   ifconfig_ipv6_pool_defined = DISABLED
2022-02-28 10:10:25   ifconfig_ipv6_pool_base = ::
2022-02-28 10:10:25   ifconfig_ipv6_pool_netbits = 0
2022-02-28 10:10:25   n_bcast_buf = 256
2022-02-28 10:10:25   tcp_queue_limit = 64
2022-02-28 10:10:25   real_hash_size = 256
2022-02-28 10:10:25   virtual_hash_size = 256
2022-02-28 10:10:25   client_connect_script = '[UNDEF]'
2022-02-28 10:10:25   learn_address_script = '[UNDEF]'
2022-02-28 10:10:25   client_disconnect_script = '[UNDEF]'
2022-02-28 10:10:25   client_config_dir = '[UNDEF]'
2022-02-28 10:10:25   ccd_exclusive = DISABLED
2022-02-28 10:10:25   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-02-28 10:10:25   push_ifconfig_defined = DISABLED
2022-02-28 10:10:25   push_ifconfig_local = 0.0.0.0
2022-02-28 10:10:25   push_ifconfig_remote_netmask = 0.0.0.0
2022-02-28 10:10:25   push_ifconfig_ipv6_defined = DISABLED
2022-02-28 10:10:25   push_ifconfig_ipv6_local = ::/0
2022-02-28 10:10:25   push_ifconfig_ipv6_remote = ::
2022-02-28 10:10:25   enable_c2c = DISABLED
2022-02-28 10:10:25   duplicate_cn = DISABLED
2022-02-28 10:10:25   cf_max = 0
2022-02-28 10:10:25   cf_per = 0
2022-02-28 10:10:25   max_clients = 1024
2022-02-28 10:10:25   max_routes_per_client = 256
2022-02-28 10:10:25   auth_user_pass_verify_script = '[UNDEF]'
2022-02-28 10:10:25   auth_user_pass_verify_script_via_file = DISABLED
2022-02-28 10:10:25   auth_token_generate = DISABLED
2022-02-28 10:10:25   auth_token_lifetime = 0
2022-02-28 10:10:25   auth_token_secret_file = '[UNDEF]'
2022-02-28 10:10:25   port_share_host = '[UNDEF]'
2022-02-28 10:10:25   port_share_port = '[UNDEF]'
2022-02-28 10:10:25   vlan_tagging = DISABLED
2022-02-28 10:10:25   vlan_accept = all
2022-02-28 10:10:25   vlan_pvid = 1
2022-02-28 10:10:25   client = ENABLED
2022-02-28 10:10:25   pull = ENABLED
2022-02-28 10:10:25   auth_user_pass_file = '[UNDEF]'
2022-02-28 10:10:25 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.33-0-g8bc2287a] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 13 2022
2022-02-28 10:10:25 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-02-28 10:10:25 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-02-28 10:10:25 MANAGEMENT: CMD 'version 3'
2022-02-28 10:10:25 MANAGEMENT: CMD 'hold release'
2022-02-28 10:10:25 MANAGEMENT: CMD 'bytecount 2'
2022-02-28 10:10:25 MANAGEMENT: CMD 'state on'
2022-02-28 10:10:25 MANAGEMENT: CMD 'proxy NONE'
2022-02-28 10:10:26 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-02-28 10:10:26 NOTE: --fast-io is disabled since we are not using UDP
2022-02-28 10:10:26 LZO compression initializing
2022-02-28 10:10:26 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 headroom:126 payload:1376 tailroom:126 ET:0 ]
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,RESOLVE,,,,,,
2022-02-28 10:10:26 Data Channel MTU parms [ mss_fix:1364 max_frag:0 tun_mtu:1500 headroom:136 payload:1736 tailroom:268 ET:0 ]
2022-02-28 10:10:26 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-client'
2022-02-28 10:10:26 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-server'
2022-02-28 10:10:26 TCP/UDP: Preserving recently used remote address: [AF_INET]********:1194
2022-02-28 10:10:26 Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
2022-02-28 10:10:26 Attempting to establish TCP connection with [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,TCP_CONNECT,,,,,,
2022-02-28 10:10:26 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-02-28 10:10:26 TCP connection established with [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-02-28 10:10:26 Socket flags: TCP_NODELAY=1 succeeded
2022-02-28 10:10:26 TCP_CLIENT link local: (not bound)
2022-02-28 10:10:26 TCP_CLIENT link remote: [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,WAIT,,,,,,
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,AUTH,,,,,,
2022-02-28 10:10:26 TLS: Initial packet from [AF_INET]********, sid=73b31f27 cad21429
2022-02-28 10:10:26 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: *******
2022-02-28 10:10:26 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2022-02-28 10:10:26 TLS_ERROR: BIO read tls_read_plaintext error
2022-02-28 10:10:26 TLS Error: TLS object -> incoming plaintext read error
2022-02-28 10:10:26 TLS Error: TLS handshake failed
2022-02-28 10:10:26 Fatal TLS error (check_tls_errors_co), restarting
2022-02-28 10:10:26 TCP/UDP: Closing socket
2022-02-28 10:10:26 SIGUSR1[soft,tls-error] received, process restarting
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,RECONNECTING,tls-error,,,,,
2022-02-28 10:10:26 Waiting 2s seconds between connection attempt
2022-02-28 10:10:31 MANAGEMENT: CMD 'hold release'
2022-02-28 10:10:31 MANAGEMENT: CMD 'bytecount 2'
2022-02-28 10:10:31 MANAGEMENT: CMD 'state on'
2022-02-28 10:10:31 MANAGEMENT: CMD 'proxy NONE'
2022-02-28 10:10:32 MANAGEMENT: Client disconnected
2022-02-28 10:10:32 MGMT: Got unrecognized command>FATAL:All connections have been connect-retry-max (1) times unsuccessful, exiting
2022-02-28 10:10:32 All connections have been connect-retry-max (1) times unsuccessful, exiting
2022-02-28 10:10:32 Exiting due to fatal error
2022-02-28 10:10:32 Process exited with exit value 1

server

# /etc/openvpn: uname -a
Linux ******** 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux


server

# /etc/openvpn: ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether ********
inet ******** brd ******** scope global eth0
valid_lft forever preferred_lft forever
inet ******** brd ******** scope global eth0:34
valid_lft forever preferred_lft forever
inet6 ******** scope link
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.1.0.1 peer 10.1.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 ******** scope link stable-privacy
valid_lft forever preferred_lft forever


server

# /etc/openvpn: cat *******.conf
port 1194
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
tls-version-min 1.0
<ca>
********
</ca>
cert server.crt
key server.key # This file should be kept secret
dh dh4096.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 3600
ifconfig 10.1.0.1 255.255.255.0
route 10.1.0.0 255.255.255.0
route 10.1.1.0 255.255.255.0
route 10.1.2.0 255.255.255.0
route 10.1.4.0 255.255.255.0
route 10.1.6.0 255.255.255.0
route 10.1.8.0 255.255.255.0
route 10.1.10.0 255.255.255.0
route 10.1.16.0 255.255.255.0
route 10.1.26.0 255.255.255.0
route 10.1.24.0 255.255.255.0
route 10.1.42.0 255.255.255.0
;server-bridge 10.1.0.4 255.255.255.0 10.1.0.50 10.1.0.100
push "route 10.1.0.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
push "route 10.1.2.0 255.255.255.0"
push "route 10.1.4.0 255.255.255.0"
push "route 10.1.6.0 255.255.255.0"
push "route 10.1.8.0 255.255.255.0"
push "route 10.1.10.0 255.255.255.0"
push "route 10.1.16.0 255.255.255.0"
push "route 10.1.26.0 255.255.255.0"
push "route 10.1.24.0 255.255.255.0"
push "route 10.1.42.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
client-config-dir ccd
client-connect /etc/openvpn/connect-tweak.sh
client-disconnect /etc/openvpn/disconnect.sh
learn-address ./dyndns.sh
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn.log
verb 4
;mute 20
management tunnel 42000 /etc/openvpn/password
tun-mtu 1500
--script-security 2
tls-timeout 120

Mon Feb 28 10:10:27 2022 us=486683 MULTI: multi_create_instance called
Mon Feb 28 10:10:27 2022 us=486830 Re-using SSL/TLS context
Mon Feb 28 10:10:27 2022 us=486859 LZO compression initializing
Mon Feb 28 10:10:27 2022 us=486971 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Mon Feb 28 10:10:27 2022 us=487023 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Feb 28 10:10:27 2022 us=487095 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Feb 28 10:10:27 2022 us=487115 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Feb 28 10:10:27 2022 us=487167 TCP connection established with [AF_INET]********:50810
Mon Feb 28 10:10:27 2022 us=487208 TCPv4_SERVER link local: (not bound)
Mon Feb 28 10:10:27 2022 us=487238 TCPv4_SERVER link remote: [AF_INET]********:50810
Mon Feb 28 10:10:27 2022 us=493693 ********:50810 TLS: Initial packet from [AF_INET]********:50810, sid=86bc1798 faebd185
Mon Feb 28 10:10:27 2022 us=578435 ********:50810 Connection reset, restarting [0]
Mon Feb 28 10:10:27 2022 us=578481 ********:50810 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Feb 28 10:10:27 2022 us=578554 TCP/UDP: Closing socket

thhart
OpenVpn Newbie
Posts: 7
Joined: Tue Oct 06, 2015 7:44 am

Re: Regression client connect problem error:0A000086:SSL

Post by thhart » Fri Mar 04, 2022 9:29 am

It turned out the server is using SHA1 for its key; with a SHA256-signed key it is working, but unfortunately this would break all other clients. I am wondering if and how it would be possible to support both, maybe by signing the server's cert with both CAs, but this looks like it is not supported.

Additional note: in OpenVPN for Android it is possible to set the minimum TLS version to disabled to get it working also with older or weaker certs.
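
Added example, not code from this thread or from OpenVPN: a standard-library Python audit that reports the signature algorithm of every certificate in a PEM bundle, which is the check that would have pointed at the SHA1-signed server certificate described above before any client broke. Assumptions, marked in the code as well: the input is the server's ca/server certificate files (the inline <ca> block or server.crt), the accept/reject flags follow OpenSSL 3.0's default security level 1 (the client log above shows OpenSSL 3.0.1), and the `fake_cert_pem` helper produces a constructed, non-verifiable certificate-shaped blob only so the script runs offline.

```python
"""Report the signature algorithm of each certificate in a PEM bundle.

Added example, not code from the forum thread or from OpenVPN.  Assumed
input: the server's ca/server certificate files.  The accept/reject
flags follow OpenSSL 3.0's default security level 1, which refuses
SHA-1 and MD5 certificate signatures during chain verification.
Standard library only: a minimal DER walker stands in for `cryptography`.
"""
import base64
import re
import sys

# OID -> (name, accepted by OpenSSL 3.0 chain verification at security level 1)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.3.101.112": ("Ed25519", True),
}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Dotted form of a DER OBJECT IDENTIFIER body."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                              # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                 # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)             # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid_body, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)

def audit_bundle(text):
    """[(index, algorithm, ok_at_level_1)] for every certificate in the bundle."""
    out = []
    for i, m in enumerate(_PEM_RE.finditer(text)):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_oid(der)
        name, ok = SIG_ALGS.get(oid, (oid, None))     # None: unknown OID, check by hand
        out.append((i, name, ok))
    return out

# ---- constructed test input: certificate-shaped DER, NOT a real certificate ----
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body             # short-form length suffices here

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid):
    """Skeleton with dummy TBS and zero signature, carrying the given signature OID."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _tlv(0x30, b"\x02\x01\x01" + alg)           # serialNumber 1, then signature alg
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, bytes(33)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python audit_sigalg.py ca.crt server.crt; no args -> constructed sample
    text = "".join(open(p).read() for p in sys.argv[1:]) or (
        fake_cert_pem("1.2.840.113549.1.1.5") + fake_cert_pem("1.2.840.113549.1.1.11"))
    for i, name, ok in audit_bundle(text):
        verdict = "unknown" if ok is None else ("OK" if ok else "REJECTED at level 1")
        print(f"cert[{i}] {name}: {verdict}")
```

Run it against the CA and server certificates before rolling out clients that bundle OpenSSL 3.0; anything flagged needs re-issuing with SHA256 or stronger, which is what made the Android client work here. Relaxing verification on the client side, such as the minimum-TLS-version setting mentioned above, keeps the weak signature in use and is a stop-gap rather than a fix. The client log above also prints "WARNING: No server certificate verification method has been enabled"; adding `remote-cert-tls server` to the client config makes the client require a server-role certificate and removes that warning.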

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Regression client connect problem error:0A000086:SSL

Post by TinCanTech » Fri Mar 04, 2022 2:23 pm

OpenVPN can only do what X.509 can do. You cannot arbitrarily make up new X.509 rules.
