Connection fails when using certificate file, but works when unified

Morac
OpenVpn Newbie
Posts: 6
Joined: Fri Oct 04, 2013 2:45 pm

Connection fails when using certificate file, but works when unified

Post by Morac » Fri Mar 02, 2018 5:22 pm

I'm using the iOS OpenVPN 1.2.9 client with an OpenVPN 2.4.4 server. I'm using EC keys. Everything works fine if I use the unified key structure. I can connect to my server without issues, but if I remove the cert and key sections and import my PKCS#12 file I get the following error trying to connect.

EVENT: EPKI_ERROR 69646e740000000000000077 : external_pki_error: cannot sign data, status=-50 [ERR]

I'm at a loss here since I followed the directions to a tee when generating that file and the certificate and key are obviously valid since they work if added to the .ovpn file, but I can't get the certificate to work. An older .ovpn that uses a SHA1-signed external certificate does work, but not the EC one. It seems to be a client problem since the server just reports the connection resets.

Anyone have any idea what's wrong here?

Here's the command I used to generate the certificate file:

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.ovpn12

Server config:

daemon ovpn-server2
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun22
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
compress lz4
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
tls-auth static.key 0
ca ca.crt
dh none
cert server.crt
key server.key
status-version 2
status status 5

Client config:

client
dev tun
proto tcp-client
remote mkraft.homeip.net 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
compress lz4
keepalive 15 60
remote-cert-tls server
<ca>
--- ca cert ----
</ca>
<tls-auth>
--- static key ----
</tls-auth>
key-direction 1
resolv-retry infinite
nobind

Here's the connection log on the client side (server just reports a reset connection):

2018-03-02 11:58:49 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-03-02 11:58:49 Keychain Cert Extraction: 1 certificate(s) found
2018-03-02 11:58:49 Frame=512/2048/512 mssfix-ctrl=1250
2018-03-02 11:58:49 UNUSED OPTIONS
5 [ncp-ciphers] [AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC]
12 [resolv-retry] [infinite]
13 [nobind]
2018-03-02 11:58:49 EVENT: RESOLVE
2018-03-02 11:58:49 Contacting [73.199.25.51]:1194/TCP via TCP
2018-03-02 11:58:49 EVENT: WAIT
2018-03-02 11:58:49 Connecting to [mkraft.homeip.net]:1194 (73.199.25.51) via TCPv4
2018-03-02 11:58:49 EVENT: CONNECTING
2018-03-02 11:58:49 Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2018-03-02 11:58:49 Creds: UsernameEmpty/PasswordEmpty
2018-03-02 11:58:49 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZ4=1
IV_AUTO_SESS=1
IV_BS64DL=1
2018-03-02 11:58:49 VERIFY OK : depth=1
cert. version : 3
serial number : 01
issuer name : CN=OpenVPN_CA
subject name : CN=OpenVPN_CA
issued on : 2018-02-26 16:27:00
expires on : 2028-02-26 16:27:00
signed using : ECDSA with SHA256
EC key size : 384 bits
basic constraints : CA=true
cert. type : SSL CA, Email CA, Object Signing CA
key usage : Key Cert Sign, CRL Sign
2018-03-02 11:58:49 VERIFY OK : depth=0
cert. version : 3
serial number : 02
issuer name : CN=OpenVPN_CA
subject name : CN=OpenVPN_Server
issued on : 2018-02-26 16:34:00
expires on : 9999-12-31 23:59:59
signed using : ECDSA with SHA256
EC key size : 384 bits
key usage : Digital Signature, Key Encipherment, Key Agreement
ext key usage : TLS Web Server Authentication
2018-03-02 11:58:49 EVENT: EPKI_ERROR 69646e740000000000000077 : external_pki_error: cannot sign data, status=-50 [ERR]
2018-03-02 11:58:49 Raw stats on disconnect:
BYTES_IN : 1418
BYTES_OUT : 296
PACKETS_IN : 3
PACKETS_OUT : 2
2018-03-02 11:58:49 Performance stats on disconnect:
CPU usage (microseconds): 66359
Network bytes per CPU second: 25829
Tunnel bytes per CPU second: 0
2018-03-02 11:58:49 MbedTLSContext::epki_sign: ssl_external_pki: MbedTLS: could not obtain signature
2018-03-02 11:58:49 Client exception in transport_recv_excode: mbed TLS: SSL read error : RSA - Bad input parameters to function
2018-03-02 11:58:49 EVENT: DISCONNECTED
2018-03-02 11:58:49 Raw stats on disconnect:
BYTES_IN : 1418
BYTES_OUT : 296
PACKETS_IN : 3
PACKETS_OUT : 2
SSL_ERROR : 1
EPKI_SIGN_ERROR : 1
2018-03-02 11:58:49 Performance stats on disconnect:
CPU usage (microseconds): 66359
Network bytes per CPU second: 25829
Tunnel bytes per CPU second: 0

Morac
OpenVpn Newbie
Posts: 6
Joined: Fri Oct 04, 2013 2:45 pm

Re: Connection fails when using certificate file, but works when unified

Post by Morac » Fri Mar 02, 2018 5:35 pm


stvs
OpenVPN User
Posts: 30
Joined: Fri Oct 05, 2012 11:32 pm

Re: Connection fails when using certificate file, but works when unified

Post by stvs » Sun Nov 06, 2022 3:00 am

I also observe this exact issue with ed25519 keys and .ovpn12 pkcs12 files.

Side note that openssl3 generated pkcs12 files do not work with iOS or macOS keychains: https://developer.apple.com/forums/thread/697030

One must use openssl-1.1 generated pkcs12, e.g.

EASYRSA_OPENSSL=openssl-1.1 easyrsa export-p12 myclient
mv pki/private/myclient.{p,ovpn}12

But then myclient.ovpn12 will fail as above.
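Both posts above export an EC client identity to a PKCS#12 bundle and then get a failure at the client. The script below is an added example (not code from either poster, from OpenVPN or from easy-rsa): it generates a P-384 key with a self-signed certificate standing in for the easy-rsa issued one, exports the bundle the way the first post does, and then checks offline what a practitioner would want to rule out before blaming the client: that the bundle really holds an EC key, and that the key is the private half of the bundled certificate. It also pins the PBE and MAC algorithms to the ones OpenSSL 1.1 used by default (SHA-1/3DES with a SHA-1 MAC); OpenSSL 3 changed its defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC, which is the format change behind the keychain-import note in the stvs post, so pinning them produces the same bundle format from either OpenSSL version without needing an older binary. It cannot reproduce the iOS status=-50 signing error itself. The subject name, file names and export passphrase are constructed for the demo; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: build an EC (P-384) client identity,
# export it to a PKCS#12 bundle as the first post does, and verify offline that the
# bundle holds an EC key matching the certificate. Names, subject and passphrase
# are constructed demo values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12="$WORK/client.ovpn12"
PASS=demo-export-pass   # constructed demo value

# Self-signed P-384 certificate standing in for the easy-rsa issued client cert.
make_identity() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/client.key"
    openssl req -new -x509 -key "$WORK/client.key" -subj "/CN=MyClient" \
        -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Export with the PBE/MAC algorithms OpenSSL 1.1 used by default (SHA-1/3DES and a
# SHA-1 MAC). OpenSSL 3 defaults to AES-256-CBC/PBKDF2 with a SHA-256 MAC; pinning
# the algorithms yields the same bundle format from either version.
export_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -name MyClient -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$P12"
}

# Curve of the private key inside the bundle (e.g. secp384r1); empty for a non-EC key.
p12_key_curve() {
    openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -text -noout | sed -n 's/^ *ASN1 OID: //p'
}

# True when the certificate's public key is the public half of the bundled private key.
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Show how the bundle is protected (MAC and PBE algorithms), as an importer sees it.
p12_algorithms() {
    openssl pkcs12 -in "$P12" -passin "pass:$PASS" -info -nodes -noout 2>&1
}

make_identity
export_p12
echo "key curve in bundle: $(p12_key_curve)"
if p12_key_matches_cert; then
    echo "certificate and key match"
else
    echo "certificate and key DO NOT match" >&2
    exit 1
fi
p12_algorithms
```

Run it as-is to see the curve, the match result and the bundle's algorithms; to check a real .ovpn12 instead, point P12 at that file and skip make_identity and export_p12. A mismatch or an unexpected curve points at the export step; a clean result with the same client failure points at the client's handling of the key, as the first post concludes.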
