Official client software for OpenVPN Access Server and OpenVPN Cloud.
by DarkStaR » Wed Aug 28, 2013 8:25 pm
Hey, I tried to set up the OpenVPN over my Synology NAS...
After the setup I tried to connect via my iPhone 4S and I got an error...
Code:
2013-08-28 21:48:36 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2013-08-28 21:48:36 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2013-08-28 21:48:36 EVENT: DISCONNECTED
2013-08-28 21:48:36 Raw stats on disconnect:
BYTES_IN : 2682
BYTES_OUT : 590
PACKETS_IN : 25
PACKETS_OUT : 25
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1
2013-08-28 21:48:36 Performance stats on disconnect:
CPU usage (microseconds): 42977
Network bytes per CPU second: 76133
Tunnel bytes per CPU second: 0
2013-08-28 21:48:36 ----- OpenVPN Stop -----
2013-08-28 21:48:36 EVENT: DISCONNECT_PENDING
How can I fix it, or is this the CA Path Length 0 bug...?
by lolex » Fri Aug 30, 2013 8:49 am
DarkStaR wrote: How can I fix it, or is this the CA Path Length 0 bug...?
You can find this out yourself if you have openssl running somewhere. Export your CA and feed it to openssl:
"openssl x509 -in yourCAfile.crt -noout -text"
If the output contains "pathlen:0" then you're affected by this bug. If not, then it's another problem.
by DarkStaR » Sat Aug 31, 2013 1:08 pm
I get this if I use your command:
Code:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8b:b5:6a:eb:a4:9a:bc:a4
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=NRW, L=TOWN, O=Dei Mudda sei Gsicht, OU=Leitung, CN=Dei Mudda sei Gsicht/emailAddress=EMAIL
Validity
Not Before: Mar 15 23:07:37 2013 GMT
Not After : Mar 13 23:07:37 2023 GMT
Subject: C=DE, ST=NRW, L=TOWN, O=Dei Mudda sei Gsicht, OU=Leitung, CN=Dei Mudda sei Gsicht/emailAddress=EMAIL
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bf:14:5b:70:44:06:65:ab:4c:c5:8e:80:1f:b9:
75:23:01:8f:8e:d8:a8:69:3b:ee:5a:ab:3b:c0:bb:
d8:b7:5c:40:da:cb:9d:03:2a:ac:89:a2:e2:28:a4:
7c:42:cb:52:d6:2d:77:e7:a7:f8:ff:8d:33:26:b6:
71:fc:27:e3:a5:52:6c:84:9f:d2:a4:fd:00:0d:a4:
27:d9:a6:29:cb:89:65:bc:44:12:d3:f6:d6:f0:79:
f0:f5:f7:6f:c7:52:c4:5c:66:02:63:85:4c:85:09:
03:bd:90:ac:5b:8f:53:cd:d0:63:85:59:50:68:39:
85:f1:52:6e:69:87:44:a6:41:b2:38:b5:8e:1d:6a:
dc:11:8e:5e:12:0a:73:f3:ca:ce:8c:ff:34:25:3c:
93:3f:8c:e7:11:e1:50:52:ba:dd:2c:69:07:78:6e:
c0:b9:5c:08:e2:4f:28:ce:e8:a9:d5:d2:0b:d4:d4:
72:b7:7c:6d:8d:d9:b0:68:88:5a:ff:d0:ef:7f:32:
3b:f2:20:5e:87:e4:34:ef:51:8d:72:8d:b6:d7:68:
51:f2:04:1a:23:f4:cf:bd:08:4e:fd:58:d1:26:3d:
57:ae:86:a0:25:70:cc:33:06:09:93:1d:a4:09:41:
e9:3f:4f:8b:7d:3b:b9:fd:08:ef:29:2e:0f:59:a0:
11:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:EMAIL
X509v3 Basic Constraints:
CA:TRUE, pathlen:0
Netscape Comment:
mod_ssl generated custom CA certificate
Netscape Cert Type:
SSL CA
Signature Algorithm: sha1WithRSAEncryption
1f:b1:e5:eb:5d:f9:18:fc:bf:89:fc:2a:eb:e4:0e:81:d5:0f:
a6:f4:51:15:cc:e8:2b:c5:fb:a0:40:bb:e6:61:eb:64:5a:11:
95:62:d5:49:90:c6:64:cb:04:eb:ca:35:8d:75:ee:15:32:71:
6f:87:fc:25:f7:e5:bb:a2:bf:ab:85:6b:78:ba:20:cb:e6:90:
a4:0e:c2:25:f9:90:ea:83:82:af:8f:ad:41:98:6b:1b:79:ee:
ae:88:77:30:6e:92:b6:87:59:d3:f4:8f:16:30:eb:14:1a:98:
4e:29:7e:04:e4:4c:cd:cc:dc:ee:0c:6a:24:b6:8c:13:36:bb:
bc:15:47:c9:70:d4:d0:68:b7:0b:f1:f3:7e:b3:bb:27:29:6f:
51:57:e8:56:10:2c:45:fc:f2:af:76:a7:3b:b0:0e:45:4a:61:
3d:2a:ed:3d:f2:bf:f1:f7:7e:2b:45:a8:ec:cc:7f:20:8d:d2:
44:27:02:26:dc:91:19:74:b3:30:06:d0:f6:79:14:18:0d:95:
cf:3d:10:f0:55:62:e3:4c:e5:2e:5b:50:4a:59:eb:aa:8a:f2:
4f:e4:d1:5d:2c:c6:da:ba:25:40:b3:00:f1:e4:f4:51:54:e3:
07:3a:56:25:51:6a:fc:18:5f:3b:38:b7:d1:78:71:fa:45:2e:
ef:3d:ed:25
by lolex » Mon Sep 02, 2013 8:02 am
Your organization has an interesting name. Anyway, your certificate is indeed affected by the path length bug:
X509v3 Basic Constraints:
CA:TRUE, pathlen:0
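
Added example, not part of any post in this thread: a Python sketch that reads the Basic Constraints from `openssl x509 -noout -text` output, as in the check lolex describes, and applies the RFC 5280 path-length rule to a chain, showing that pathlen:0 still permits a CA to sign end-entity certificates directly. The function names and sample fragments are constructed for illustration, and self-issued intermediates are not treated specially.

```python
import re

def basic_constraints(text):
    """Parse `openssl x509 -noout -text` output.
    Returns (is_ca, pathlen); pathlen is None when no limit is set."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Basic Constraints" in line:
            value = lines[i + 1]          # the value is on the following line
            is_ca = "CA:TRUE" in value
            m = re.search(r"pathlen:(\d+)", value)
            pathlen = int(m.group(1)) if (is_ca and m) else None
            return is_ca, pathlen
    return False, None                    # extension absent: treat as non-CA

def check_chain(dumps):
    """dumps: text dumps ordered CA first, end-entity certificate last.
    Returns the path-length problems found (empty list means none)."""
    problems = []
    for i, text in enumerate(dumps[:-1]):   # every certificate that issues another
        is_ca, pathlen = basic_constraints(text)
        following_cas = len(dumps) - i - 2  # CA certs between this one and the leaf
        if not is_ca:
            problems.append(f"cert {i}: issues a certificate but is not CA:TRUE")
        elif pathlen is not None and following_cas > pathlen:
            problems.append(f"cert {i}: pathlen:{pathlen}, {following_cas} CA cert(s) follow")
    return problems

# Constructed sample fragments in the layout openssl prints
ROOT_PATHLEN0 = "X509v3 Basic Constraints:\n    CA:TRUE, pathlen:0\n"
SUB_CA = "X509v3 Basic Constraints: critical\n    CA:TRUE\n"
CLIENT = "X509v3 Basic Constraints:\n    CA:FALSE\n"

if __name__ == "__main__":
    print(check_chain([ROOT_PATHLEN0, CLIENT]))          # CA signs the client directly
    print(check_chain([ROOT_PATHLEN0, SUB_CA, CLIENT]))  # a sub-CA sits below pathlen:0
```

To use it on real certificates, pass the text printed by the openssl command quoted above for each certificate in the chain, CA first.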