TLS handshake fails after setting up keys

henryarroyo · Post by **henryarroyo** » Sun Jul 12, 2015 10:08 am

I'm trying to set up OpenVPN on dd-wrt using a windows machine to set up the certs on the client side. I go through the following to set up the certs:

Code: Select all

init-config
clean-all
build-ca
build-key
build-key-server
build-dh

I verified the certs and got an okay on them

Code: Select all

c:\Program Files\OpenVPN\config>openssl verify -CAfile ca.crt router.crt
WARNING: can't open config file: /etc/ssl/openssl.cnf
router.crt: OK

c:\Program Files\OpenVPN\config>openssl verify -CAfile ca.crt ace.crt
WARNING: can't open config file: /etc/ssl/openssl.cnf
ace.crt: OK

I coped the ca.crt ace.crt (client cert) over to the config folder, but when I try to connect to using my client cert, TLS fails as follows

Code: Select all

Sat Jul 11 23:43:35 2015 us=567623 Current Parameter Settings:
Sat Jul 11 23:43:35 2015 us=568623   config = 'client.ovpn'
Sat Jul 11 23:43:35 2015 us=568623   mode = 0
Sat Jul 11 23:43:35 2015 us=568623   show_ciphers = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   show_digests = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   show_engines = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   genkey = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   key_pass_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   show_tls_ciphers = DISABLED
Sat Jul 11 23:43:35 2015 us=568623 Connection profiles [default]:
Sat Jul 11 23:43:35 2015 us=568623   proto = tcp-client
Sat Jul 11 23:43:35 2015 us=568623   local = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   local_port = 0
Sat Jul 11 23:43:35 2015 us=568623   remote = 'gateway.arroyo.house'
Sat Jul 11 23:43:35 2015 us=568623   remote_port = 1194
Sat Jul 11 23:43:35 2015 us=568623   remote_float = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   bind_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   bind_local = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   connect_retry_seconds = 5
Sat Jul 11 23:43:35 2015 us=568623   connect_timeout = 10
Sat Jul 11 23:43:35 2015 us=568623   connect_retry_max = 0
Sat Jul 11 23:43:35 2015 us=568623   socks_proxy_server = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   socks_proxy_port = 0
Sat Jul 11 23:43:35 2015 us=568623   socks_proxy_retry = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   tun_mtu = 1500
Sat Jul 11 23:43:35 2015 us=568623   tun_mtu_defined = ENABLED
Sat Jul 11 23:43:35 2015 us=568623   link_mtu = 1500
Sat Jul 11 23:43:35 2015 us=568623   link_mtu_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   tun_mtu_extra = 0
Sat Jul 11 23:43:35 2015 us=568623   tun_mtu_extra_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   mtu_discover_type = -1
Sat Jul 11 23:43:35 2015 us=568623   fragment = 0
Sat Jul 11 23:43:35 2015 us=568623   mssfix = 1450
Sat Jul 11 23:43:35 2015 us=568623   explicit_exit_notification = 0
Sat Jul 11 23:43:35 2015 us=568623 Connection profiles END
Sat Jul 11 23:43:35 2015 us=568623   remote_random = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   ipchange = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   dev = 'tun'
Sat Jul 11 23:43:35 2015 us=568623   dev_type = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   dev_node = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   lladdr = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   topology = 1
Sat Jul 11 23:43:35 2015 us=568623   tun_ipv6 = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_local = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_remote_netmask = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_noexec = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_nowarn = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_ipv6_local = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_ipv6_netbits = 0
Sat Jul 11 23:43:35 2015 us=568623   ifconfig_ipv6_remote = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   shaper = 0
Sat Jul 11 23:43:35 2015 us=568623   mtu_test = 0
Sat Jul 11 23:43:35 2015 us=568623   mlock = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   keepalive_ping = 0
Sat Jul 11 23:43:35 2015 us=568623   keepalive_timeout = 0
Sat Jul 11 23:43:35 2015 us=568623   inactivity_timeout = 0
Sat Jul 11 23:43:35 2015 us=568623   ping_send_timeout = 0
Sat Jul 11 23:43:35 2015 us=568623   ping_rec_timeout = 0
Sat Jul 11 23:43:35 2015 us=568623   ping_rec_timeout_action = 0
Sat Jul 11 23:43:35 2015 us=568623   ping_timer_remote = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   remap_sigusr1 = 0
Sat Jul 11 23:43:35 2015 us=568623   persist_tun = ENABLED
Sat Jul 11 23:43:35 2015 us=568623   persist_local_ip = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   persist_remote_ip = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   persist_key = ENABLED
Sat Jul 11 23:43:35 2015 us=568623   passtos = DISABLED
Sat Jul 11 23:43:35 2015 us=568623   resolve_retry_seconds = 1000000000
Sat Jul 11 23:43:35 2015 us=568623   username = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   groupname = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   chroot_dir = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   cd_dir = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   writepid = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   up_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   down_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=568623   down_pre = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   up_restart = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   up_delay = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   daemon = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   inetd = 0
Sat Jul 11 23:43:35 2015 us=569623   log = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   suppress_timestamps = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   nice = 0
Sat Jul 11 23:43:35 2015 us=569623   verbosity = 4
Sat Jul 11 23:43:35 2015 us=569623   mute = 0
Sat Jul 11 23:43:35 2015 us=569623   status_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   status_file_version = 1
Sat Jul 11 23:43:35 2015 us=569623   status_file_update_freq = 60
Sat Jul 11 23:43:35 2015 us=569623   occ = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   rcvbuf = 0
Sat Jul 11 23:43:35 2015 us=569623   sndbuf = 0
Sat Jul 11 23:43:35 2015 us=569623   sockflags = 0
Sat Jul 11 23:43:35 2015 us=569623   fast_io = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   lzo = 7
Sat Jul 11 23:43:35 2015 us=569623   route_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   route_default_gateway = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   route_default_metric = 0
Sat Jul 11 23:43:35 2015 us=569623   route_noexec = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   route_delay = 5
Sat Jul 11 23:43:35 2015 us=569623   route_delay_window = 30
Sat Jul 11 23:43:35 2015 us=569623   route_delay_defined = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   route_nopull = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   route_gateway_via_dhcp = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   max_routes = 100
Sat Jul 11 23:43:35 2015 us=569623   allow_pull_fqdn = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   management_addr = '127.0.0.1'
Sat Jul 11 23:43:35 2015 us=569623   management_port = 25340
Sat Jul 11 23:43:35 2015 us=569623   management_user_pass = 'stdin'
Sat Jul 11 23:43:35 2015 us=569623   management_log_history_cache = 250
Sat Jul 11 23:43:35 2015 us=569623   management_echo_buffer_size = 100
Sat Jul 11 23:43:35 2015 us=569623   management_write_peer_info_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   management_client_user = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   management_client_group = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   management_flags = 6
Sat Jul 11 23:43:35 2015 us=569623   shared_secret_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   key_direction = 0
Sat Jul 11 23:43:35 2015 us=569623   ciphername_defined = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   ciphername = 'AES-128-CBC'
Sat Jul 11 23:43:35 2015 us=569623   authname_defined = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   authname = 'SHA1'
Sat Jul 11 23:43:35 2015 us=569623   prng_hash = 'SHA1'
Sat Jul 11 23:43:35 2015 us=569623   prng_nonce_secret_len = 16
Sat Jul 11 23:43:35 2015 us=569623   keysize = 0
Sat Jul 11 23:43:35 2015 us=569623   engine = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   replay = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   mute_replay_warnings = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   replay_window = 64
Sat Jul 11 23:43:35 2015 us=569623   replay_time = 15
Sat Jul 11 23:43:35 2015 us=569623   packet_id_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   use_iv = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   test_crypto = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   tls_server = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   tls_client = ENABLED
Sat Jul 11 23:43:35 2015 us=569623   key_method = 2
Sat Jul 11 23:43:35 2015 us=569623   ca_file = 'ca.crt'
Sat Jul 11 23:43:35 2015 us=569623   ca_path = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   dh_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   cert_file = 'ace.crt'
Sat Jul 11 23:43:35 2015 us=569623   priv_key_file = 'ace.key'
Sat Jul 11 23:43:35 2015 us=569623   pkcs12_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   cryptoapi_cert = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   cipher_list = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   tls_verify = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   tls_export_cert = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   verify_x509_type = 0
Sat Jul 11 23:43:35 2015 us=569623   verify_x509_name = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   crl_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   ns_cert_type = 1
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_ku[i] = 0
Sat Jul 11 23:43:35 2015 us=569623   remote_cert_eku = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=569623   ssl_flags = 0
Sat Jul 11 23:43:35 2015 us=569623   tls_timeout = 2
Sat Jul 11 23:43:35 2015 us=569623   renegotiate_bytes = 0
Sat Jul 11 23:43:35 2015 us=569623   renegotiate_packets = 0
Sat Jul 11 23:43:35 2015 us=569623   renegotiate_seconds = 3600
Sat Jul 11 23:43:35 2015 us=569623   handshake_window = 60
Sat Jul 11 23:43:35 2015 us=569623   transition_window = 3600
Sat Jul 11 23:43:35 2015 us=569623   single_session = DISABLED
Sat Jul 11 23:43:35 2015 us=569623   push_peer_info = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   tls_exit = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   tls_auth_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_protected_authentication = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_private_mode = 00000000
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_cert_private = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_pin_cache_period = -1
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_id = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=570623   pkcs11_id_management = DISABLED
Sat Jul 11 23:43:35 2015 us=570623   server_network = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=570623   server_netmask = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   server_network_ipv6 = ::
Sat Jul 11 23:43:35 2015 us=571623   server_netbits_ipv6 = 0
Sat Jul 11 23:43:35 2015 us=571623   server_bridge_ip = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   server_bridge_netmask = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   server_bridge_pool_start = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   server_bridge_pool_end = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_start = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_end = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_netmask = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_pool_persist_refresh_freq = 600
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_ipv6_pool_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_ipv6_pool_base = ::
Sat Jul 11 23:43:35 2015 us=571623   ifconfig_ipv6_pool_netbits = 0
Sat Jul 11 23:43:35 2015 us=571623   n_bcast_buf = 256
Sat Jul 11 23:43:35 2015 us=571623   tcp_queue_limit = 64
Sat Jul 11 23:43:35 2015 us=571623   real_hash_size = 256
Sat Jul 11 23:43:35 2015 us=571623   virtual_hash_size = 256
Sat Jul 11 23:43:35 2015 us=571623   client_connect_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   learn_address_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   client_disconnect_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   client_config_dir = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   ccd_exclusive = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   tmp_dir = 'C:\Users\Henry\AppData\Local\Temp\'
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_local = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_remote_netmask = 0.0.0.0
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_ipv6_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_ipv6_local = ::/0
Sat Jul 11 23:43:35 2015 us=571623   push_ifconfig_ipv6_remote = ::
Sat Jul 11 23:43:35 2015 us=571623   enable_c2c = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   duplicate_cn = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   cf_max = 0
Sat Jul 11 23:43:35 2015 us=571623   cf_per = 0
Sat Jul 11 23:43:35 2015 us=571623   max_clients = 1024
Sat Jul 11 23:43:35 2015 us=571623   max_routes_per_client = 256
Sat Jul 11 23:43:35 2015 us=571623   auth_user_pass_verify_script = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   auth_user_pass_verify_script_via_file = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   client = ENABLED
Sat Jul 11 23:43:35 2015 us=571623   pull = ENABLED
Sat Jul 11 23:43:35 2015 us=571623   auth_user_pass_file = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   show_net_up = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   route_method = 0
Sat Jul 11 23:43:35 2015 us=571623   ip_win32_defined = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   ip_win32_type = 3
Sat Jul 11 23:43:35 2015 us=571623   dhcp_masq_offset = 0
Sat Jul 11 23:43:35 2015 us=571623   dhcp_lease_time = 31536000
Sat Jul 11 23:43:35 2015 us=571623   tap_sleep = 0
Sat Jul 11 23:43:35 2015 us=571623   dhcp_options = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   dhcp_renew = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   dhcp_pre_release = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   dhcp_release = DISABLED
Sat Jul 11 23:43:35 2015 us=571623   domain = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   netbios_scope = '[UNDEF]'
Sat Jul 11 23:43:35 2015 us=571623   netbios_node_type = 0
Sat Jul 11 23:43:35 2015 us=571623   disable_nbt = DISABLED
Sat Jul 11 23:43:35 2015 us=571623 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014
Enter Management Password:
Sat Jul 11 23:43:35 2015 us=572623 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jul 11 23:43:35 2015 us=572623 Need hold release from management interface, waiting...
Sat Jul 11 23:43:36 2015 us=44650 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jul 11 23:43:36 2015 us=144656 MANAGEMENT: CMD 'state on'
Sat Jul 11 23:43:36 2015 us=144656 MANAGEMENT: CMD 'log all on'
Sat Jul 11 23:43:36 2015 us=201659 MANAGEMENT: CMD 'hold off'
Sat Jul 11 23:43:36 2015 us=202659 MANAGEMENT: CMD 'hold release'
Sat Jul 11 23:43:36 2015 us=335667 LZO compression initialized
Sat Jul 11 23:43:36 2015 us=335667 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jul 11 23:43:36 2015 us=335667 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jul 11 23:43:36 2015 us=335667 MANAGEMENT: >STATE:1436694216,RESOLVE,,,
Sat Jul 11 23:43:36 2015 us=340667 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 11 23:43:36 2015 us=341667 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jul 11 23:43:36 2015 us=341667 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jul 11 23:43:36 2015 us=341667 Local Options hash (VER=V4): 'bc07730e'
Sat Jul 11 23:43:36 2015 us=341667 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sat Jul 11 23:43:36 2015 us=341667 Attempting to establish TCP connection with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:36 2015 us=341667 MANAGEMENT: >STATE:1436694216,TCP_CONNECT,,,
Sat Jul 11 23:43:36 2015 us=342667 TCP connection established with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:36 2015 us=342667 TCPv4_CLIENT link local: [undef]
Sat Jul 11 23:43:36 2015 us=342667 TCPv4_CLIENT link remote: [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:36 2015 us=342667 MANAGEMENT: >STATE:1436694216,WAIT,,,
Sat Jul 11 23:43:36 2015 us=351668 MANAGEMENT: >STATE:1436694216,AUTH,,,
Sat Jul 11 23:43:36 2015 us=351668 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=14bd6226 2c2b1670
Sat Jul 11 23:43:36 2015 us=819694 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=HI, L=Wailuku, O=arroyo.house, OU=HOME, CN=gateway, name=arroyo.house, emailAddress=henryarroyo@gmail.com
Sat Jul 11 23:43:36 2015 us=819694 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Jul 11 23:43:36 2015 us=820694 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 11 23:43:36 2015 us=820694 TLS Error: TLS handshake failed
Sat Jul 11 23:43:36 2015 us=820694 Fatal TLS error (check_tls_errors_co), restarting
Sat Jul 11 23:43:36 2015 us=820694 TCP/UDP: Closing socket
Sat Jul 11 23:43:36 2015 us=820694 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 11 23:43:36 2015 us=820694 MANAGEMENT: >STATE:1436694216,RECONNECTING,tls-error,,
Sat Jul 11 23:43:36 2015 us=820694 Restart pause, 5 second(s)
Sat Jul 11 23:43:41 2015 us=820980 Re-using SSL/TLS context
Sat Jul 11 23:43:41 2015 us=820980 LZO compression initialized
Sat Jul 11 23:43:41 2015 us=820980 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jul 11 23:43:41 2015 us=820980 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jul 11 23:43:41 2015 us=820980 MANAGEMENT: >STATE:1436694221,RESOLVE,,,
Sat Jul 11 23:43:41 2015 us=825981 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 11 23:43:41 2015 us=825981 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jul 11 23:43:41 2015 us=825981 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jul 11 23:43:41 2015 us=825981 Local Options hash (VER=V4): 'bc07730e'
Sat Jul 11 23:43:41 2015 us=825981 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sat Jul 11 23:43:41 2015 us=825981 Attempting to establish TCP connection with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:41 2015 us=825981 MANAGEMENT: >STATE:1436694221,TCP_CONNECT,,,
Sat Jul 11 23:43:41 2015 us=827981 TCP connection established with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:41 2015 us=827981 TCPv4_CLIENT link local: [undef]
Sat Jul 11 23:43:41 2015 us=827981 TCPv4_CLIENT link remote: [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:41 2015 us=827981 MANAGEMENT: >STATE:1436694221,WAIT,,,
Sat Jul 11 23:43:41 2015 us=853982 MANAGEMENT: >STATE:1436694221,AUTH,,,
Sat Jul 11 23:43:41 2015 us=854982 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=e2c6ac51 ac284575
Sat Jul 11 23:43:42 2015 us=352011 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=HI, L=Wailuku, O=arroyo.house, OU=HOME, CN=gateway, name=arroyo.house, emailAddress=henryarroyo@gmail.com
Sat Jul 11 23:43:42 2015 us=352011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Jul 11 23:43:42 2015 us=353011 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 11 23:43:42 2015 us=353011 TLS Error: TLS handshake failed
Sat Jul 11 23:43:42 2015 us=353011 Fatal TLS error (check_tls_errors_co), restarting
Sat Jul 11 23:43:42 2015 us=353011 TCP/UDP: Closing socket
Sat Jul 11 23:43:42 2015 us=353011 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 11 23:43:42 2015 us=353011 MANAGEMENT: >STATE:1436694222,RECONNECTING,tls-error,,
Sat Jul 11 23:43:42 2015 us=353011 Restart pause, 5 second(s)
Sat Jul 11 23:43:47 2015 us=353297 Re-using SSL/TLS context
Sat Jul 11 23:43:47 2015 us=353297 LZO compression initialized
Sat Jul 11 23:43:47 2015 us=353297 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jul 11 23:43:47 2015 us=353297 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jul 11 23:43:47 2015 us=353297 MANAGEMENT: >STATE:1436694227,RESOLVE,,,
Sat Jul 11 23:43:47 2015 us=364297 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 11 23:43:47 2015 us=364297 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jul 11 23:43:47 2015 us=364297 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jul 11 23:43:47 2015 us=364297 Local Options hash (VER=V4): 'bc07730e'
Sat Jul 11 23:43:47 2015 us=364297 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sat Jul 11 23:43:47 2015 us=364297 Attempting to establish TCP connection with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:47 2015 us=364297 MANAGEMENT: >STATE:1436694227,TCP_CONNECT,,,
Sat Jul 11 23:43:47 2015 us=366298 TCP connection established with [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:47 2015 us=366298 TCPv4_CLIENT link local: [undef]
Sat Jul 11 23:43:47 2015 us=366298 TCPv4_CLIENT link remote: [AF_INET]192.168.1.1:1194
Sat Jul 11 23:43:47 2015 us=366298 MANAGEMENT: >STATE:1436694227,WAIT,,,
Sat Jul 11 23:43:47 2015 us=375298 MANAGEMENT: >STATE:1436694227,AUTH,,,
Sat Jul 11 23:43:47 2015 us=375298 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=90e14f09 2fb4b315
Sat Jul 11 23:43:47 2015 us=721318 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=HI, L=Wailuku, O=arroyo.house, OU=HOME, CN=gateway, name=arroyo.house, emailAddress=henryarroyo@gmail.com
Sat Jul 11 23:43:47 2015 us=721318 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Jul 11 23:43:47 2015 us=721318 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 11 23:43:47 2015 us=721318 TLS Error: TLS handshake failed
Sat Jul 11 23:43:47 2015 us=721318 Fatal TLS error (check_tls_errors_co), restarting
Sat Jul 11 23:43:47 2015 us=721318 TCP/UDP: Closing socket
Sat Jul 11 23:43:47 2015 us=722318 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 11 23:43:47 2015 us=722318 MANAGEMENT: >STATE:1436694227,RECONNECTING,tls-error,,
Sat Jul 11 23:43:47 2015 us=722318 Restart pause, 5 second(s)
Sat Jul 11 23:43:48 2015 us=722375 SIGTERM[hard,init_instance] received, process exiting
Sat Jul 11 23:43:48 2015 us=722375 MANAGEMENT: >STATE:1436694228,EXITING,init_instance,,

I'm stumped on this one. I have tried to wipe all of the previous certs, making sure to run init-config and clean-all before editing vars.bat, as well as removing the old cert files from the config directory and starting the process all over again.

Any ideas?

Post by **maikcat** » Sun Jul 12, 2015 3:36 pm

post configs and server side logs

Michael.

OpenVPN Support Forum

TLS handshake fails after setting up keys

TLS handshake fails after setting up keys

Re: TLS handshake fails after setting up keys