problem using intermediate CA and ECDSA curve cert

Posted: Fri Mar 14, 2014 10:03 pm
by jzy1688
Hi,
Both my server and client use certificates issued by an intermediate CA, and the certificates use ecdsa-with-SHA1 as the signature algorithm (prime256v1). The PKI may look like the following:
ca.crt --- inter.crt --- server.crt
                     +-- client.crt
and I concatenated "ca.crt" and "inter.crt" into a single file "ica.crt".

BTW, I'm using Ubuntu 12.04 + OpenVPN 2.2.1 as the server.

Client conf

Code:

client
dev tun
proto udp
remote 172.31.212.113 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ica.crt
cert client.crt
key client.pem
comp-lzo
verb 6

Server Conf

Code:

port 1194
proto udp
dev tun
ca ica.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.3.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 6

Here's the log from the client

Code:

Fri Mar 14 22:56:25 2014 us=707076   pull = ENABLED
Fri Mar 14 22:56:25 2014 us=707084   auth_user_pass_file = '[UNDEF]'
Fri Mar 14 22:56:25 2014 us=707100 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Fri Mar 14 22:56:25 2014 us=707224 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 14 22:56:25 2014 us=707391 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 14 22:56:25 2014 us=707928 WARNING: file 'client1.pem' is group or others accessible
Fri Mar 14 22:56:25 2014 us=708358 LZO compression initialized
Fri Mar 14 22:56:25 2014 us=708450 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 14 22:56:25 2014 us=709467 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Mar 14 22:56:25 2014 us=709502 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 14 22:56:25 2014 us=709521 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Mar 14 22:56:25 2014 us=709531 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Mar 14 22:56:25 2014 us=709551 Local Options hash (VER=V4): '41690919'
Fri Mar 14 22:56:25 2014 us=709563 Expected Remote Options hash (VER=V4): '530fdded'
Fri Mar 14 22:56:25 2014 us=709579 UDPv4 link local: [undef]
Fri Mar 14 22:56:25 2014 us=709591 UDPv4 link remote: [AF_INET]172.31.212.113:1194
Fri Mar 14 22:56:25 2014 us=709625 UDPv4 WRITE [14] to [AF_INET]172.31.212.113:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Mar 14 22:56:25 2014 us=716372 UDPv4 READ [26] from [AF_INET]172.31.212.113:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Mar 14 22:56:25 2014 us=716414 TLS: Initial packet from [AF_INET]172.31.212.113:1194, sid=02dfd891 6ae26e6a
Fri Mar 14 22:56:25 2014 us=716469 UDPv4 WRITE [22] to [AF_INET]172.31.212.113:1194: P_ACK_V1 kid=0 [ 0 ]
Fri Mar 14 22:56:25 2014 us=716601 UDPv4 WRITE [114] to [AF_INET]172.31.212.113:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar 14 22:56:25 2014 us=716665 UDPv4 WRITE [114] to [AF_INET]172.31.212.113:1194: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Fri Mar 14 22:56:25 2014 us=716882 UDPv4 WRITE [39] to [AF_INET]172.31.212.113:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=25
Fri Mar 14 22:56:25 2014 us=721382 UDPv4 READ [22] from [AF_INET]172.31.212.113:1194: P_ACK_V1 kid=0 [ 1 ]
Fri Mar 14 22:56:25 2014 us=721588 UDPv4 READ [22] from [AF_INET]172.31.212.113:1194: P_ACK_V1 kid=0 [ 2 ]

Server log

Code:

Fri Mar 14 22:56:26 2014 us=3942 MULTI: multi_create_instance called
Fri Mar 14 22:56:26 2014 us=4117 130.237.37.235:62039 Re-using SSL/TLS context
Fri Mar 14 22:56:26 2014 us=4183 130.237.37.235:62039 LZO compression initialized
Fri Mar 14 22:56:26 2014 us=4326 130.237.37.235:62039 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 14 22:56:26 2014 us=4358 130.237.37.235:62039 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 14 22:56:26 2014 us=4423 130.237.37.235:62039 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Mar 14 22:56:26 2014 us=4445 130.237.37.235:62039 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Mar 14 22:56:26 2014 us=4647 130.237.37.235:62039 Local Options hash (VER=V4): '530fdded'
Fri Mar 14 22:56:26 2014 us=4690 130.237.37.235:62039 Expected Remote Options hash (VER=V4): '41690919'
Fri Mar 14 22:56:26 2014 us=5100 130.237.37.235:62039 UDPv4 READ [14] from [AF_INET]130.237.37.235:62039: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Mar 14 22:56:26 2014 us=5160 130.237.37.235:62039 TLS: Initial packet from [AF_INET]130.237.37.235:62039, sid=a8cc6fb2 3c20109e
Fri Mar 14 22:56:26 2014 us=5218 130.237.37.235:62039 UDPv4 WRITE [26] to [AF_INET]130.237.37.235:62039: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Mar 14 22:56:26 2014 us=9944 130.237.37.235:62039 UDPv4 READ [22] from [AF_INET]130.237.37.235:62039: P_ACK_V1 kid=0 [ 0 ]
Fri Mar 14 22:56:26 2014 us=10265 130.237.37.235:62039 UDPv4 READ [114] from [AF_INET]130.237.37.235:62039: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar 14 22:56:26 2014 us=10336 130.237.37.235:62039 UDPv4 WRITE [22] to [AF_INET]130.237.37.235:62039: P_ACK_V1 kid=0 [ 1 ]
Fri Mar 14 22:56:26 2014 us=10860 130.237.37.235:62039 UDPv4 READ [114] from [AF_INET]130.237.37.235:62039: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Fri Mar 14 22:56:26 2014 us=10949 130.237.37.235:62039 UDPv4 WRITE [22] to [AF_INET]130.237.37.235:62039: P_ACK_V1 kid=0 [ 2 ]
Fri Mar 14 22:56:26 2014 us=11418 130.237.37.235:62039 UDPv4 READ [39] from [AF_INET]130.237.37.235:62039: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=25
Fri Mar 14 22:56:26 2014 us=11624 130.237.37.235:62039 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Fri Mar 14 22:56:26 2014 us=11659 130.237.37.235:62039 TLS Error: TLS object -> incoming plaintext read error
Fri Mar 14 22:56:26 2014 us=11679 130.237.37.235:62039 TLS Error: TLS handshake failed
Fri Mar 14 22:56:26 2014 us=12018 130.237.37.235:62039 SIGUSR1[soft,tls-error] received, client-instance restarting


Re: problem using intermediate CA and ECDSA curve cert

Posted: Mon Mar 17, 2014 6:41 am
by maikcat
I don't think that elliptic curves are supported (yet).

Michael.
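
Added example (not part of the thread and not OpenVPN code): a small Python triage script that pulls OpenSSL error lines out of an OpenVPN server log like the one in the first post, unpacks the error code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason), and ties each failure to the peer that triggered it. The function names are this example's own, and the sample input is three lines copied from the server log above.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
# OpenVPN server-side line layout: "<timestamp> us=<n> <ip>:<port> <message>"
PEER_RE = re.compile(r"us=\d+ (\d{1,3}(?:\.\d{1,3}){3}:\d+) (.*)$")

# Constructed sample: three lines copied from the server log in the first post.
SAMPLE_LOG = """\
Fri Mar 14 22:56:26 2014 us=11418 130.237.37.235:62039 UDPv4 READ [39] from [AF_INET]130.237.37.235:62039: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=25
Fri Mar 14 22:56:26 2014 us=11624 130.237.37.235:62039 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Fri Mar 14 22:56:26 2014 us=11679 130.237.37.235:62039 TLS Error: TLS handshake failed
"""

def unpack_error(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def tls_failures(log_text):
    """Return one record per OpenSSL error line, keyed to the peer involved."""
    records = []
    for line in log_text.splitlines():
        peer = PEER_RE.search(line)
        if not peer:
            continue  # not a per-client line
        err = ERR_RE.search(peer.group(2))
        if not err:
            continue  # per-client line without an OpenSSL error string
        lib, func, reason = unpack_error(err.group(1))
        function = err.group(3)
        records.append({
            "peer": peer.group(1),
            "lib": lib, "func": func, "reason": reason,
            "function": function,
            "text": err.group(4).strip(),
            # An error inside a *_GET_CLIENT_HELLO function is raised by the
            # side that parses the ClientHello, i.e. the TLS server.
            "raised_by": "server" if "GET_CLIENT_HELLO" in function else "unknown",
        })
    return records

if __name__ == "__main__":
    for rec in tls_failures(SAMPLE_LOG):
        print(rec)
```

For the log above this yields library 20 (SSL routines), function 138 and reason 193 (no shared cipher), raised on the server while it processed the client's hello, which is why the client log shows only unanswered control packets.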