I think I finally understand what is happening, but I want to make sure this is the case and see if anyone has a way around it. I am trying to connect an iOS device (version 8.1) to the OpenVPN that is built into iPCop 2.1.5. My ovpn file looks like:
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote <remote domain name> 1194
#pkcs12 <XXXXXX>.p12
basicConstraints:CA:TRUE
<ca>
Bag Attributes
friendlyName: ......
localKeyID: .........
subject=/C=US/ST=TX/O=....../CN=.....
issuer=/C=US/O=....../CN=..... CA
-----BEGIN CERTIFICATE-----
.................
-----END CERTIFICATE-----
Bag Attributes
friendlyName: ....... CA
subject=/C=US/O=....../CN=....... CA
issuer=/C=US/O=......../CN=........ CA
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
</ca>
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
As you can see, the first problem I had was that I needed to remove the reference to the .p12 cert file and paste in the certs between the <ca> tags. That got me a lot further.
Using this same ovpn and p12 file, I can connect from my PC to this iPCop router using both the OpenVPN client and Sophos' client with no issues.
The log on the server side looks like this:
10:43:57 openvpnserver[11483] .......:59404 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
10:43:57 openvpnserver[11483] .......:59404 TLS: Initial packet from [AF_INET].......:59404, sid=c05c1fe8 a33d84c1
10:43:58 openvpnserver[11483] .......:59404 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
10:43:58 openvpnserver[11483] .......:59404 TLS Error: TLS object -> incoming plaintext read error
10:43:58 openvpnserver[11483] .......:59404 TLS Error: TLS handshake failed
10:43:58 openvpnserver[11483] .......:59404 SIGUSR1[soft,tls-error] received, client-instance restarting
The main error appears to be: TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL
Searching for this error on the web, I found several references to it related to using encrypted certificates, and to how some people have used unencrypted ones with some success. I am not seeing this as an option with the OpenVPN on iPCop.
The client side log shows:
2014-10-26 10:43:58 VERIFY OK: depth=1
cert. version : 3
serial number : .......
issuer name : C=US, O=......., CN=.......CA
subject name : C=US, O=......., CN=.......CA
issued on : 2014-05-23 21:14:01
expires on : 2033-05-23 21:14:01
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2014-10-26 10:43:58 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=US, O=......., CN=....... CA
subject name : C=US, O=......., CN=.......
issued on : 2014-05-23 21:14:01
expires on : 2033-05-23 21:14:01
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
2014-10-26 10:44:15 EVENT: CONNECTION_TIMEOUT [ERR]
2014-10-26 10:44:15 EVENT: DISCONNECTED
2014-10-26 10:44:15 Raw stats on disconnect:
BYTES_IN : 5582
BYTES_OUT : 8576
PACKETS_IN : 52
PACKETS_OUT : 81
KEEPALIVE_TIMEOUT : 1
CONNECTION_TIMEOUT : 1
N_RECONNECT : 1
2014-10-26 10:44:15 Performance stats on disconnect:
CPU usage (microseconds): 117634
Network bytes per CPU second: 120356
Tunnel bytes per CPU second: 0
2014-10-26 10:44:15 EVENT: DISCONNECT_PENDING
2014-10-26 10:44:15 ----- OpenVPN Stop -----
Does anyone have any ideas how to make this work?
Unable to connect to OpenVPN iPCop 2-TLS_ERROR: BIO read tls
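Added example (not part of the original post, and not IPCop or OpenVPN code): a small Python check that parses a client profile like the one above and reports whether it carries any client identity, which is what the server's "peer did not return a certificate" line refers to. The sample profile, host name and log line are constructed for illustration; a certificate that the client app supplies from outside the profile is not visible to this check.

```python
# Constructed sample that mirrors the profile in the post (certificate body elided).
SAMPLE_PROFILE = """\
tls-client
client
dev tun
proto udp
remote vpn.example.test 1194
#pkcs12 client.p12
<ca>
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
</ca>
cipher BF-CBC
ns-cert-type server
"""
# Constructed server log line carrying the error text quoted in the post.
SAMPLE_SERVER_LOG = ("openvpnserver[11483] TLS_ERROR: BIO read tls_read_plaintext error: "
                     "error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:"
                     "peer did not return a certificate")

def parse_profile(text):
    """Return the names of active directives and inline <tag> blocks."""
    names, open_tag = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag:                          # inside <tag> ... </tag>
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        if not line or line[0] in "#;":       # blank or commented-out directive
            continue
        if line.startswith("<") and line.endswith(">"):
            open_tag = line[1:-1]
            names.add(open_tag)
        else:
            names.add(line.split(None, 1)[0])
    return names

def missing_client_identity(profile):
    """List what the profile lacks for certificate-based client authentication."""
    names = parse_profile(profile)
    if "pkcs12" in names:                     # a PKCS#12 bundle carries cert and key
        return []
    return [item for item in ("cert", "key") if item not in names]

def diagnose(profile, server_log):
    """Tie the server-side error to the profile: (server_saw_no_cert, missing)."""
    no_cert = "peer did not return a certificate" in server_log
    return no_cert, missing_client_identity(profile)
```

For the constructed profile, `diagnose` reports that the server saw no client certificate and that the profile has neither a `cert` nor a `key` entry, because the only identity source, the `pkcs12` line, is commented out.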