Hi...
Being aware that using 'tls-remote' (DEPRECATED) for verification should now be replaced with 'verify-x509-name' for 2.2.2+ (I have 2.3.2 installed), I am having trouble connecting and receive the following error:
VERIFY OK: depth=1, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, emailAddress=admin@goldenfrog.com
VERIFY X509NAME ERROR: C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=uk1.vpn.giganews.com, emailAddress=admin@goldenfrog.com, must be uk1.vpn.giganews.com
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am also aware this may be a 'third-party' issue with 'verify-x509-name'... Of course tls-remote is still functional but with the 'DEPRECATED' warning.
I don't really wish to omit this verification from my configuration.
I would prefer to stay using the OpenVPN client as I always have and not use the VyprVPN installer for my giganews VPN connection.
I've set up my config as follows...
client
dev tun
proto udp
remote uk1.vpn.giganews.com 443(doesn't like 1194)
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vyprvpn.com.crt
verify-x509-name(tls-remote) uk1.vpn.giganews.com
auth-user-pass
auth-nocache
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
How should I go about fixing this?
Thanx...
Btw, should I be using port 1194 (I receive warnings when I do)?
tls-remote issue...
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Sep 06, 2013 10:28 pm
Re: tls-remote issue...
According to this site:
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
your verify-x509-name command needs to be in one of the three formats depending on which type you wish to use. In your case it will be one of the following:
Code:
verify-x509-name 'C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=uk1.vpn.giganews.com'
Code:
verify-x509-name uk1.vpn.giganews.com name
If you have more than one OpenVPN server whose hostnames have almost common names (i.e. uk1, uk2, uk3, etc.) and are allowing clients access to all of them:
Code:
verify-x509-name uk name-prefix
I strongly suggest you search using the string '--verify-x509-name name type' within the site listed above to gain additional information.
I ran into this exact issue when upgrading to OpenVPN 2.3.2 client.
~Doug
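Added example (not part of the post above and not OpenVPN's own code): a simplified Python model of the three verify-x509-name match types, run against the server subject from the error log, showing why the line without a type fails and 'name' succeeds. The function names and the second certificate subject are constructed for illustration.

```python
# Simplified model of the three --verify-x509-name match types.
# Illustration only; this is not OpenVPN source code.

def common_name(subject):
    """Return the CN value from a subject string formatted as in the log."""
    for rdn in subject.split(", "):
        key, _, value = rdn.partition("=")
        if key == "CN":
            return value
    return None


def verify_x509_name(subject, expected, match_type="subject"):
    """'subject' is the default when the config line gives no type."""
    cn = common_name(subject)
    if match_type == "subject":
        return expected == subject          # whole subject DN, exact string
    if match_type == "name":
        return cn is not None and expected == cn
    if match_type == "name-prefix":
        return cn is not None and cn.startswith(expected)
    raise ValueError("unknown type: %r" % match_type)


# Server subject exactly as printed in the VERIFY X509NAME ERROR line.
SERVER = ("C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, "
          "CN=uk1.vpn.giganews.com, emailAddress=admin@goldenfrog.com")
# Constructed subject: a different certificate under the same CA whose CN
# also happens to start with "uk".
OTHER = SERVER.replace("CN=uk1.vpn.giganews.com", "CN=ukraine-test.example")


def results():
    host = "uk1.vpn.giganews.com"
    return {
        "no type given": verify_x509_name(SERVER, host),
        "name": verify_x509_name(SERVER, host, "name"),
        "name-prefix uk": verify_x509_name(SERVER, "uk", "name-prefix"),
        "name, other cert": verify_x509_name(OTHER, host, "name"),
        "name-prefix uk, other cert": verify_x509_name(OTHER, "uk", "name-prefix"),
    }


if __name__ == "__main__":
    for label, ok in results().items():
        print("%-28s %s" % (label, "match" if ok else "VERIFY X509NAME ERROR"))
```

The last two rows are the practical difference between the types: 'name' pins the connection to one server certificate, while 'name-prefix' accepts any certificate from the same CA whose CN begins with the prefix, so keep the prefix as long as the server naming scheme allows.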
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jun 28, 2013 12:00 am
Re: tls-remote issue...
Thank you Doug...
I knew it was something simple.
It seems my omission of 'name' was causing the issue, all is now well...
Will investigate this further as per your suggestion.
Thanx again.