Incorrect processing of <ca></ca> contents

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by fufel » Mon Mar 30, 2015 7:39 pm

Hello,
OpenVPN Connect doesn't extract certificate chains in <ca></ca>. The unified form of the configuration file is used.
We have this config:


remote my.domain.com 443
client
dev tun
proto tcp
persist-remote-ip
nobind
persist-key
persist-tun
cipher AES-256-CBC
remote-cert-tls server
redirect-gateway def1
tls-timeout 4
comp-lzo
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
..
-----END RSA PRIVATE KEY-----
</key>

When trying to connect with OpenVPN Connect on iOS and Android, we have the following error on the client side:


2015-12-12 23:23:23 TCP recv EOF
2015-12-12 23:23:23 Transport Error: Transport error on 'my.domain.com: NETWORK_EOF_ERROR

On the server side:


2015-12-12 23:23:23 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=2323
2015-12-12 23:23:23 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This config file works perfectly on OpenVPN GUI and OpenVPN for Android. If we issue a client certificate without an intermediate certificate, then OpenVPN Connect works fine.
Are you going to fix this problem? Or is there any trick with intermediate certificates?
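
A profile check for the situation described in the post above, added here as an example and not part of the original post or of OpenVPN's code: it parses the inline blocks of a unified profile and counts the well-formed PEM certificates in <ca> and <cert>, so a chain in <ca> can be confirmed as intact in the file before looking at the client. The function names and the sample profile (dummy DER stubs instead of real certificates) are assumptions constructed for illustration.

```python
import base64
import binascii
import re

BLOCK = re.compile(r"^<([a-z-]+)>[ \t]*\n(.*?)^</\1>[ \t]*$", re.M | re.S)
CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def inline_blocks(profile):
    """Map each inline <tag>...</tag> block of a unified profile to its body."""
    return {m.group(1): m.group(2) for m in BLOCK.finditer(profile)}

def certificates(body):
    """Return (DER list, problems) for every PEM certificate in a block body."""
    ders, problems = [], []
    for i, m in enumerate(CERT.finditer(body), 1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error:
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
            problems.append(f"certificate {i}: not a DER SEQUENCE")
            continue
        ders.append(der)
    if body.count("-----BEGIN CERTIFICATE-----") != len(CERT.findall(body)):
        problems.append("unterminated BEGIN CERTIFICATE marker")
    return ders, problems

def audit(profile):
    """Count usable certificates in <ca> and <cert> and collect problems."""
    report = {"problems": []}
    blocks = inline_blocks(profile)
    for tag in ("ca", "cert"):
        if tag not in blocks:
            report[tag] = 0
            report["problems"].append(f"<{tag}> block missing")
            continue
        ders, problems = certificates(blocks[tag])
        report[tag] = len(ders)
        report["problems"] += [f"<{tag}> {p}" for p in problems]
    return report

def make_pem(der):  # helper that builds the constructed sample below
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: dummy DER stubs stand in for real certificates.
STUB = b"\x30\x03\x02\x01\x01"
SAMPLE = ("client\ndev tun\n<ca>\n" + make_pem(STUB) + make_pem(STUB) + "</ca>\n"
          "<cert>\n" + make_pem(STUB) + "</cert>\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A count of 2 for <ca> and 1 for <cert> with no problems means the file itself carries the full chain, which matches the layout of the config in the post.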
