PolarSSL error parsing config private key
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri May 03, 2013 7:02 am
PolarSSL error parsing config private key
I have two OpenVPNs.
With both ovpn configuration files everything works flawlessly if I use your Windows client.
When I use them on my Android phone with your official app, the first VPN works and when I click on connect, after entering my private key password, I can access my VPN. With the second VPN, your Android client doesn't ask me for a password (which exists and your Windows client asks for it) and the following message appears when I try to connect:
OpenVPN core error: PolarSSL: error parsing config private key: X509 - Invalid RSA key tag or value: ASN1 - ASN1 tag was of an unexptected value.
If I use the unofficial OpenVPN app, OpenVPN for Android by Arne Schwabe, it works flawlessly.
Can you help me?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri May 03, 2013 7:02 am
Re: PolarSSL error parsing config private key
More info:
Configuration files are identical:
client
dev tun
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
The first VPN, which works on Android, is the official Debian 6 package:
OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
The second, which doesn't work on Android, is the official Debian 7 package built on Raspberry Pi:
OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2012
The other difference is that the latest one has 2048-bit DH parameters.
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: PolarSSL error parsing config private key
Which version of the Connect client are you using on Android?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri May 03, 2013 7:02 am
Re: PolarSSL error parsing config private key
I've got version 1.1.11 build 44, which I think is the latest.
Lately I upgraded the first VPN machine to Debian 7.0. Now the version is OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Your Android client keeps on working with this VPN, but not with the second one which uses 2048 bit long DH parameters.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Nov 15, 2012 12:08 pm
Re: PolarSSL error parsing config private key
PolarSSL maintainer here..
This indicates that the error you run into has to do with the private key format:
PolarSSL: error parsing config private key: X509 - Invalid RSA key tag or value: ASN1 - ASN1 tag was of an unexptected value.
Can be. OpenSSL or Windows sometimes save private keys in weird forms and PolarSSL can definitely not parse all of them.
Are you able to send a sample to us (p.j.bakker at polarssl dot org)? Don't send us one you want to keep secret!!
Then we can take a look at the format and see if we can make PolarSSL parse it better!
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri May 03, 2013 7:02 am
Re: PolarSSL error parsing config private key
Thanks for the hint.
I checked the two different keys and I noticed that the first one begins with
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,863780B458E9B7AC
while the second begins with
-----BEGIN ENCRYPTED PRIVATE KEY-----
So I did what someone suggested in another post and converted it into pkcs12
openssl pkcs12 -export -in testuser.crt -inkey testuser.key -certfile ca.crt -name TestUser -out testuser.p12
Now it works!
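The header difference described in the post above can be checked before a profile is imported. This is an added example, not code from the thread or from OpenVPN or PolarSSL: it classifies a PEM private key by its armor lines, and the function name `pem_key_format`, the labels it prints and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the first private key found in a file by its PEM armor lines.
# Works on a standalone key file or on an .ovpn profile with an inline key,
# because the scan looks for the BEGIN line anywhere in the file.
pem_key_format() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        # Traditional (PKCS#1) RSA armor: encryption is signalled by a header line.
        /^-----BEGIN RSA PRIVATE KEY-----$/ { inblock = 1; next }
        # PKCS#8 armor: the BEGIN line alone says whether the key is encrypted.
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { print "pkcs8-encrypted"; found = 1; exit }
        /^-----BEGIN PRIVATE KEY-----$/ { print "pkcs8-plain"; found = 1; exit }
        inblock && /^Proc-Type: 4,ENCRYPTED$/ { print "traditional-rsa-encrypted"; found = 1; exit }
        inblock && /^$/ { next }
        # First line that is not a "Name: value" header is base64 data: no encryption header.
        inblock && !/^[A-Za-z-]+: / { print "traditional-rsa-plain"; found = 1; exit }
        END { if (!found) print "unknown" }
    ' "$1"
}

# Constructed sample files: only the armor lines matter, the bodies are
# placeholders and not real keys.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' \
    '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/first.key"

# Second sample uses CRLF endings, as a file edited on Windows might.
printf '%s\r\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo_dir/second.key"

for f in "$demo_dir"/*.key; do
    printf '%s: %s\n' "${f##*/}" "$(pem_key_format "$f")"
done
```

A `pkcs8-encrypted` result corresponds to the `BEGIN ENCRYPTED PRIVATE KEY` header of the key that failed to parse in this thread; `traditional-rsa-encrypted` corresponds to the key that worked.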
-
- OpenVpn Newbie
- Posts: 6
- Joined: Sat Apr 20, 2013 2:03 pm
- Location: Thessaloniki, GR
Re: PolarSSL error parsing config private key
I also had the same problem when trying to connect using the OpenVPN Connect app on my Android device.
On PC it is working like a charm.
My ovpn file looks like:
client
...
ca ca.crt
cert client.crt
key client.key
I ran the below command:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name TestUser -out mobclient.p12
Now what changes should I apply to my ovpn file?
What should I define for ca, cert and key?
Sorry for all these questions, but I just started using OpenVPN.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri May 03, 2013 7:02 am
Re: PolarSSL error parsing config private key
Just delete the old VPN settings on your Android and import settings from the mobclient.p12 file you created.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Sat Apr 20, 2013 2:03 pm
- Location: Thessaloniki, GR
Re: PolarSSL error parsing config private key
OK, thank you for your help. It read the SSL with no errors but something else came up this time.
The TAP tunnels are not supported by OpenVPN api
for openvpn connect android client