Regression client connect poblem error:0A000086:SSL

thhart · Post by **thhart** » Mon Feb 28, 2022 9:28 am

Out of sudden the Android App refuses to connect with a self signed certificate validation problem. All other Linux/Windows clients can connect.
I have a Samsung mobile with a recent 12 Android update. Unfortunately I do not use the Connect App quite regular but noticed now that the client can not connect any more, this worked without problems over the years but the last time was some months ago. SHA is used for signing for all certs. I also can not say if it is related to a special App version. I also created a new ca.crt without change. Also special options in the client config for compatibility I tried without success.
The server only sees a short connect and disconnect then.

I can see this in the client log, no other hint anywhere found:

Code: Select all

2022-02-28 10:10:26 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: *******
2022-02-28 10:10:26 OpenSSL: error:0A000086:SSL routines::certificate verify failed

I will attach all the other files now.

client

1

client

2

proto tcp

3

connect-timeout 30

4

fast-io

5

tls-timeout 10

6

dev tun

7

remote vpn.itth.com

8

socket-flags TCP_NODELAY

9

port 1194

10

comp-lzo

11

ping 5

12

ping-restart 5

13

verb 9

14

<key>

15

--STRIPPED INLINE KEY--

16

</key>

17

<cert>

18

--STRIPPED INLINE CERT--

19

</cert>

20

<ca>

21

--STRIPPED INLINE CA CERT--

22

</ca>

Code: Select all

2022-02-28 10:10:25 official build 0.7.33 running on samsung SM-N970F (exynos9825), Android 12 (SP1A.210812.016) API 31, ABI arm64-v8a, (samsung/d1eea/d1:12/SP1A.210812.016/N970FXXU7GVA5:user/release-keys)
2022-02-28 10:10:25 Building configuration…
2022-02-28 10:10:25 started Socket Thread
2022-02-28 10:10:25 Network Status: CONNECTED  to WIFI
2022-02-28 10:10:25 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-02-28 10:10:25 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-02-28 10:10:25 P:WARNING: linker: Warning: "/data/app/~~CMMIqFNdaMxbhRHzfLL5ug==/de.blinkt.openvpn-lQpGXBTN2hSXEoOP9gpb2w==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-02-28 10:10:25 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-02-28 10:10:25 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-02-28 10:10:25 Current Parameter Settings:
2022-02-28 10:10:25   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-02-28 10:10:25   mode = 0
2022-02-28 10:10:25   show_ciphers = DISABLED
2022-02-28 10:10:25   show_digests = DISABLED
2022-02-28 10:10:25   show_engines = DISABLED
2022-02-28 10:10:25   genkey = DISABLED
2022-02-28 10:10:25   genkey_filename = '[UNDEF]'
2022-02-28 10:10:25   key_pass_file = '[UNDEF]'
2022-02-28 10:10:25   show_tls_ciphers = DISABLED
2022-02-28 10:10:25   connect_retry_max = 1
2022-02-28 10:10:25 Connection profiles [0]:
2022-02-28 10:10:25   proto = tcp-client
2022-02-28 10:10:25   local = '[UNDEF]'
2022-02-28 10:10:25   local_port = '[UNDEF]'
2022-02-28 10:10:25   remote = 'vpn.itth.com'
2022-02-28 10:10:25   remote_port = '1194'
2022-02-28 10:10:25   remote_float = DISABLED
2022-02-28 10:10:25   bind_defined = DISABLED
2022-02-28 10:10:25   bind_local = DISABLED
2022-02-28 10:10:25   bind_ipv6_only = DISABLED
2022-02-28 10:10:25   connect_retry_seconds = 2
2022-02-28 10:10:25   connect_timeout = 30
2022-02-28 10:10:25   socks_proxy_server = '[UNDEF]'
2022-02-28 10:10:25   socks_proxy_port = '[UNDEF]'
2022-02-28 10:10:25   tun_mtu = 1500
2022-02-28 10:10:25   tun_mtu_defined = ENABLED
2022-02-28 10:10:25   link_mtu = 1500
2022-02-28 10:10:25   link_mtu_defined = DISABLED
2022-02-28 10:10:25   tun_mtu_extra = 0
2022-02-28 10:10:25   tun_mtu_extra_defined = DISABLED
2022-02-28 10:10:25   mtu_discover_type = -1
2022-02-28 10:10:25   fragment = 0
2022-02-28 10:10:25   mssfix = 1492
2022-02-28 10:10:25   mssfix_encap = ENABLED
2022-02-28 10:10:25   explicit_exit_notification = 0
2022-02-28 10:10:25   tls_auth_file = '[UNDEF]'
2022-02-28 10:10:25   key_direction = not set
2022-02-28 10:10:25   tls_crypt_file = '[UNDEF]'
2022-02-28 10:10:25   tls_crypt_v2_file = '[UNDEF]'
2022-02-28 10:10:25 Connection profiles END
2022-02-28 10:10:25   remote_random = DISABLED
2022-02-28 10:10:25   ipchange = '[UNDEF]'
2022-02-28 10:10:25 Waiting 0s seconds between connection attempt
2022-02-28 10:10:25   dev = 'tun'
2022-02-28 10:10:25   dev_type = '[UNDEF]'
2022-02-28 10:10:25   dev_node = '[UNDEF]'
2022-02-28 10:10:25   lladdr = '[UNDEF]'
2022-02-28 10:10:25   topology = 1
2022-02-28 10:10:25   ifconfig_local = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_remote_netmask = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_noexec = DISABLED
2022-02-28 10:10:25   ifconfig_nowarn = ENABLED
2022-02-28 10:10:25   ifconfig_ipv6_local = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_ipv6_netbits = 0
2022-02-28 10:10:25   ifconfig_ipv6_remote = '[UNDEF]'
2022-02-28 10:10:25   shaper = 0
2022-02-28 10:10:25   mtu_test = 0
2022-02-28 10:10:25   mlock = DISABLED
2022-02-28 10:10:25   keepalive_ping = 0
2022-02-28 10:10:25   keepalive_timeout = 0
2022-02-28 10:10:25   inactivity_timeout = 0
2022-02-28 10:10:25   ping_send_timeout = 5
2022-02-28 10:10:25   ping_rec_timeout = 5
2022-02-28 10:10:25   ping_rec_timeout_action = 2
2022-02-28 10:10:25   ping_timer_remote = DISABLED
2022-02-28 10:10:25   remap_sigusr1 = 0
2022-02-28 10:10:25   persist_tun = DISABLED
2022-02-28 10:10:25   persist_local_ip = DISABLED
2022-02-28 10:10:25   persist_remote_ip = DISABLED
2022-02-28 10:10:25   persist_key = DISABLED
2022-02-28 10:10:25   passtos = DISABLED
2022-02-28 10:10:25   resolve_retry_seconds = 60
2022-02-28 10:10:25   resolve_in_advance = DISABLED
2022-02-28 10:10:25   username = '[UNDEF]'
2022-02-28 10:10:25   groupname = '[UNDEF]'
2022-02-28 10:10:25   chroot_dir = '[UNDEF]'
2022-02-28 10:10:25   cd_dir = '[UNDEF]'
2022-02-28 10:10:25   writepid = '[UNDEF]'
2022-02-28 10:10:25   up_script = '[UNDEF]'
2022-02-28 10:10:25   down_script = '[UNDEF]'
2022-02-28 10:10:25   down_pre = DISABLED
2022-02-28 10:10:25   up_restart = DISABLED
2022-02-28 10:10:25   up_delay = DISABLED
2022-02-28 10:10:25   daemon = DISABLED
2022-02-28 10:10:25   log = DISABLED
2022-02-28 10:10:25   suppress_timestamps = DISABLED
2022-02-28 10:10:25   machine_readable_output = ENABLED
2022-02-28 10:10:25   nice = 0
2022-02-28 10:10:25   verbosity = 4
2022-02-28 10:10:25   mute = 0
2022-02-28 10:10:25   gremlin = 0
2022-02-28 10:10:25   status_file = '[UNDEF]'
2022-02-28 10:10:25   status_file_version = 1
2022-02-28 10:10:25   status_file_update_freq = 60
2022-02-28 10:10:25   occ = ENABLED
2022-02-28 10:10:25   rcvbuf = 0
2022-02-28 10:10:25   sndbuf = 0
2022-02-28 10:10:25   sockflags = 2
2022-02-28 10:10:25   fast_io = ENABLED
2022-02-28 10:10:25   comp.alg = 2
2022-02-28 10:10:25   comp.flags = 1
2022-02-28 10:10:25   route_script = '[UNDEF]'
2022-02-28 10:10:25   route_default_gateway = '[UNDEF]'
2022-02-28 10:10:25   route_default_metric = 0
2022-02-28 10:10:25   route_noexec = DISABLED
2022-02-28 10:10:25   route_delay = 0
2022-02-28 10:10:25   route_delay_window = 30
2022-02-28 10:10:25   route_delay_defined = DISABLED
2022-02-28 10:10:25   route_nopull = DISABLED
2022-02-28 10:10:25   route_gateway_via_dhcp = DISABLED
2022-02-28 10:10:25   allow_pull_fqdn = DISABLED
2022-02-28 10:10:25   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-02-28 10:10:25   management_port = 'unix'
2022-02-28 10:10:25   management_user_pass = '[UNDEF]'
2022-02-28 10:10:25   management_log_history_cache = 250
2022-02-28 10:10:25   management_echo_buffer_size = 100
2022-02-28 10:10:25   management_write_peer_info_file = '[UNDEF]'
2022-02-28 10:10:25   management_client_user = '[UNDEF]'
2022-02-28 10:10:25   management_client_group = '[UNDEF]'
2022-02-28 10:10:25   management_flags = 16678
2022-02-28 10:10:25   shared_secret_file = '[UNDEF]'
2022-02-28 10:10:25   key_direction = not set
2022-02-28 10:10:25   ciphername = 'BF-CBC'
2022-02-28 10:10:25   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2022-02-28 10:10:25   authname = 'SHA1'
2022-02-28 10:10:25   engine = DISABLED
2022-02-28 10:10:25   replay = ENABLED
2022-02-28 10:10:25   mute_replay_warnings = DISABLED
2022-02-28 10:10:25   replay_window = 64
2022-02-28 10:10:25   replay_time = 15
2022-02-28 10:10:25   packet_id_file = '[UNDEF]'
2022-02-28 10:10:25   test_crypto = DISABLED
2022-02-28 10:10:25   tls_server = DISABLED
2022-02-28 10:10:25   tls_client = ENABLED
2022-02-28 10:10:25   ca_file = '[INLINE]'
2022-02-28 10:10:25   ca_path = '[UNDEF]'
2022-02-28 10:10:25   dh_file = '[UNDEF]'
2022-02-28 10:10:25   cert_file = '[INLINE]'
2022-02-28 10:10:25   extra_certs_file = '[UNDEF]'
2022-02-28 10:10:25   priv_key_file = '[INLINE]'
2022-02-28 10:10:25   pkcs12_file = '[UNDEF]'
2022-02-28 10:10:25   cipher_list = '[UNDEF]'
2022-02-28 10:10:25   cipher_list_tls13 = '[UNDEF]'
2022-02-28 10:10:25   tls_cert_profile = 'legacy'
2022-02-28 10:10:25   tls_verify = '[UNDEF]'
2022-02-28 10:10:25   tls_export_cert = '[UNDEF]'
2022-02-28 10:10:25   verify_x509_type = 0
2022-02-28 10:10:25   verify_x509_name = '[UNDEF]'
2022-02-28 10:10:25   crl_file = '[UNDEF]'
2022-02-28 10:10:25   ns_cert_type = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_ku[i] = 0
2022-02-28 10:10:25   remote_cert_eku = '[UNDEF]'
2022-02-28 10:10:25   ssl_flags = 192
2022-02-28 10:10:25   tls_timeout = 10
2022-02-28 10:10:25   renegotiate_bytes = -1
2022-02-28 10:10:25   renegotiate_packets = 0
2022-02-28 10:10:25   renegotiate_seconds = 3600
2022-02-28 10:10:25   handshake_window = 60
2022-02-28 10:10:25   transition_window = 3600
2022-02-28 10:10:25   single_session = DISABLED
2022-02-28 10:10:25   push_peer_info = DISABLED
2022-02-28 10:10:25   tls_exit = DISABLED
2022-02-28 10:10:25   tls_crypt_v2_metadata = '[UNDEF]'
2022-02-28 10:10:25   server_network = 0.0.0.0
2022-02-28 10:10:25   server_netmask = 0.0.0.0
2022-02-28 10:10:25   server_network_ipv6 = ::
2022-02-28 10:10:25   server_netbits_ipv6 = 0
2022-02-28 10:10:25   server_bridge_ip = 0.0.0.0
2022-02-28 10:10:25   server_bridge_netmask = 0.0.0.0
2022-02-28 10:10:25   server_bridge_pool_start = 0.0.0.0
2022-02-28 10:10:25   server_bridge_pool_end = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_defined = DISABLED
2022-02-28 10:10:25   ifconfig_pool_start = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_end = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_netmask = 0.0.0.0
2022-02-28 10:10:25   ifconfig_pool_persist_filename = '[UNDEF]'
2022-02-28 10:10:25   ifconfig_pool_persist_refresh_freq = 600
2022-02-28 10:10:25   ifconfig_ipv6_pool_defined = DISABLED
2022-02-28 10:10:25   ifconfig_ipv6_pool_base = ::
2022-02-28 10:10:25   ifconfig_ipv6_pool_netbits = 0
2022-02-28 10:10:25   n_bcast_buf = 256
2022-02-28 10:10:25   tcp_queue_limit = 64
2022-02-28 10:10:25   real_hash_size = 256
2022-02-28 10:10:25   virtual_hash_size = 256
2022-02-28 10:10:25   client_connect_script = '[UNDEF]'
2022-02-28 10:10:25   learn_address_script = '[UNDEF]'
2022-02-28 10:10:25   client_disconnect_script = '[UNDEF]'
2022-02-28 10:10:25   client_config_dir = '[UNDEF]'
2022-02-28 10:10:25   ccd_exclusive = DISABLED
2022-02-28 10:10:25   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-02-28 10:10:25   push_ifconfig_defined = DISABLED
2022-02-28 10:10:25   push_ifconfig_local = 0.0.0.0
2022-02-28 10:10:25   push_ifconfig_remote_netmask = 0.0.0.0
2022-02-28 10:10:25   push_ifconfig_ipv6_defined = DISABLED
2022-02-28 10:10:25   push_ifconfig_ipv6_local = ::/0
2022-02-28 10:10:25   push_ifconfig_ipv6_remote = ::
2022-02-28 10:10:25   enable_c2c = DISABLED
2022-02-28 10:10:25   duplicate_cn = DISABLED
2022-02-28 10:10:25   cf_max = 0
2022-02-28 10:10:25   cf_per = 0
2022-02-28 10:10:25   max_clients = 1024
2022-02-28 10:10:25   max_routes_per_client = 256
2022-02-28 10:10:25   auth_user_pass_verify_script = '[UNDEF]'
2022-02-28 10:10:25   auth_user_pass_verify_script_via_file = DISABLED
2022-02-28 10:10:25   auth_token_generate = DISABLED
2022-02-28 10:10:25   auth_token_lifetime = 0
2022-02-28 10:10:25   auth_token_secret_file = '[UNDEF]'
2022-02-28 10:10:25   port_share_host = '[UNDEF]'
2022-02-28 10:10:25   port_share_port = '[UNDEF]'
2022-02-28 10:10:25   vlan_tagging = DISABLED
2022-02-28 10:10:25   vlan_accept = all
2022-02-28 10:10:25   vlan_pvid = 1
2022-02-28 10:10:25   client = ENABLED
2022-02-28 10:10:25   pull = ENABLED
2022-02-28 10:10:25   auth_user_pass_file = '[UNDEF]'
2022-02-28 10:10:25 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.33-0-g8bc2287a] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 13 2022
2022-02-28 10:10:25 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-02-28 10:10:25 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-02-28 10:10:25 MANAGEMENT: CMD 'version 3'
2022-02-28 10:10:25 MANAGEMENT: CMD 'hold release'
2022-02-28 10:10:25 MANAGEMENT: CMD 'bytecount 2'
2022-02-28 10:10:25 MANAGEMENT: CMD 'state on'
2022-02-28 10:10:25 MANAGEMENT: CMD 'proxy NONE'
2022-02-28 10:10:26 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-02-28 10:10:26 NOTE: --fast-io is disabled since we are not using UDP
2022-02-28 10:10:26 LZO compression initializing
2022-02-28 10:10:26 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 headroom:126 payload:1376 tailroom:126 ET:0 ]
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,RESOLVE,,,,,,
2022-02-28 10:10:26 Data Channel MTU parms [ mss_fix:1364 max_frag:0 tun_mtu:1500 headroom:136 payload:1736 tailroom:268 ET:0 ]
2022-02-28 10:10:26 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-client'
2022-02-28 10:10:26 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,auth SHA1,keysize 128,key-method 2,tls-server'
2022-02-28 10:10:26 TCP/UDP: Preserving recently used remote address: [AF_INET]********:1194
2022-02-28 10:10:26 Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
2022-02-28 10:10:26 Attempting to establish TCP connection with [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,TCP_CONNECT,,,,,,
2022-02-28 10:10:26 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-02-28 10:10:26 TCP connection established with [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-02-28 10:10:26 Socket flags: TCP_NODELAY=1 succeeded
2022-02-28 10:10:26 TCP_CLIENT link local: (not bound)
2022-02-28 10:10:26 TCP_CLIENT link remote: [AF_INET]********:1194
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,WAIT,,,,,,
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,AUTH,,,,,,
2022-02-28 10:10:26 TLS: Initial packet from [AF_INET]********, sid=73b31f27 cad21429
2022-02-28 10:10:26 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: *******
2022-02-28 10:10:26 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2022-02-28 10:10:26 TLS_ERROR: BIO read tls_read_plaintext error
2022-02-28 10:10:26 TLS Error: TLS object -> incoming plaintext read error
2022-02-28 10:10:26 TLS Error: TLS handshake failed
2022-02-28 10:10:26 Fatal TLS error (check_tls_errors_co), restarting
2022-02-28 10:10:26 TCP/UDP: Closing socket
2022-02-28 10:10:26 SIGUSR1[soft,tls-error] received, process restarting
2022-02-28 10:10:26 MANAGEMENT: >STATE:1646039426,RECONNECTING,tls-error,,,,,
2022-02-28 10:10:26 Waiting 2s seconds between connection attempt
2022-02-28 10:10:31 MANAGEMENT: CMD 'hold release'
2022-02-28 10:10:31 MANAGEMENT: CMD 'bytecount 2'
2022-02-28 10:10:31 MANAGEMENT: CMD 'state on'
2022-02-28 10:10:31 MANAGEMENT: CMD 'proxy NONE'
2022-02-28 10:10:32 MANAGEMENT: Client disconnected
2022-02-28 10:10:32 MGMT: Got unrecognized command>FATAL:All connections have been connect-retry-max (1) times unsuccessful, exiting
2022-02-28 10:10:32 All connections have been connect-retry-max (1) times unsuccessful, exiting
2022-02-28 10:10:32 Exiting due to fatal error
2022-02-28 10:10:32 Process exited with exit value 1

server

1

Linux ******** 4.19.0-18-amd64

server

1

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

2

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

3

inet 127.0.0.1/8 scope host lo

4

valid_lft forever preferred_lft forever

5

inet6 ::1/128 scope host

6

valid_lft forever preferred_lft forever

7

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

8

link/ether ********

9

inet ******** brd ******** scope global eth0

10

valid_lft forever preferred_lft forever

11

inet ******** brd ******** scope global eth0:34

12

valid_lft forever preferred_lft forever

13

inet6 ******** scope link

14

valid_lft forever preferred_lft forever

15

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100

16

link/none

17

inet 10.1.0.1 peer 10.1.0.2/32 scope global tun0

18

valid_lft forever preferred_lft forever

19

inet6 ******** scope link stable-privacy

20

valid_lft forever preferred_lft forever

server

1

port 1194

2

proto tcp

3

dev tun

4

tls-version-min 1.0

5

<ca>

6

--STRIPPED INLINE CA CERT--

7

</ca>

8

cert server.crt

9

key server.key

10

dh dh4096.pem

11

server 10.1.0.0 255.255.255.0

12

ifconfig-pool-persist /etc/openvpn/ipp.txt 3600

13

ifconfig 10.1.0.1 255.255.255.0

14

route 10.1.0.0 255.255.255.0

15

route 10.1.1.0 255.255.255.0

16

route 10.1.2.0 255.255.255.0

17

route 10.1.4.0 255.255.255.0

18

route 10.1.6.0 255.255.255.0

19

route 10.1.8.0 255.255.255.0

20

route 10.1.10.0 255.255.255.0

21

route 10.1.16.0 255.255.255.0

22

route 10.1.26.0 255.255.255.0

23

route 10.1.24.0 255.255.255.0

24

route 10.1.42.0 255.255.255.0

25

push "route 10.1.0.0 255.255.255.0"

26

push "route 10.1.1.0 255.255.255.0"

27

push "route 10.1.2.0 255.255.255.0"

28

push "route 10.1.4.0 255.255.255.0"

29

push "route 10.1.6.0 255.255.255.0"

30

push "route 10.1.8.0 255.255.255.0"

31

push "route 10.1.10.0 255.255.255.0"

32

push "route 10.1.16.0 255.255.255.0"

33

push "route 10.1.26.0 255.255.255.0"

34

push "route 10.1.24.0 255.255.255.0"

35

push "route 10.1.42.0 255.255.255.0"

36

client-config-dir ccd

37

client-connect /etc/openvpn/connect-tweak.sh

38

client-disconnect /etc/openvpn/disconnect.sh

39

learn-address ./dyndns.sh

40

duplicate-cn

41

keepalive 10 120

42

comp-lzo

43

persist-key

44

persist-tun

45

status openvpn-status.log

46

log-append /var/log/openvpn.log

47

verb 4

48

management tunnel 42000 /etc/openvpn/password

49

tun-mtu 1500

50

--script-security 2

51

tls-timeout 120

Code: Select all

Mon Feb 28 10:10:27 2022 us=486683 MULTI: multi_create_instance called
Mon Feb 28 10:10:27 2022 us=486830 Re-using SSL/TLS context
Mon Feb 28 10:10:27 2022 us=486859 LZO compression initializing
Mon Feb 28 10:10:27 2022 us=486971 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Mon Feb 28 10:10:27 2022 us=487023 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Feb 28 10:10:27 2022 us=487095 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Feb 28 10:10:27 2022 us=487115 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Feb 28 10:10:27 2022 us=487167 TCP connection established with [AF_INET]********:50810
Mon Feb 28 10:10:27 2022 us=487208 TCPv4_SERVER link local: (not bound)
Mon Feb 28 10:10:27 2022 us=487238 TCPv4_SERVER link remote: [AF_INET]********:50810
Mon Feb 28 10:10:27 2022 us=493693 ********:50810 TLS: Initial packet from [AF_INET]********:50810, sid=86bc1798 faebd185
Mon Feb 28 10:10:27 2022 us=578435 ********:50810 Connection reset, restarting [0]
Mon Feb 28 10:10:27 2022 us=578481 ********:50810 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Feb 28 10:10:27 2022 us=578554 TCP/UDP: Closing socket

thhart · Post by **thhart** » Fri Mar 04, 2022 9:29 am

It turned out the server is using SHA1 for its key, with a SHA256 signed key it is working, unfortunately this would break all other clients. I am wondering if and how it would be possible to support both maybe by signing the servers cert with both ca, but this looks like not supported.

Additional note, in OpenVpn for Android it is possible to configure the minimum TLS version to disabled to get it working also with older or weaker certs.

TinCanTech · Post by **TinCanTech** » Fri Mar 04, 2022 2:23 pm

Openvpn can only do what X509 can do. You cannot arbitrarily make up new X509 rules.

OpenVPN Support Forum

Regression client connect poblem error:0A000086:SSL

Regression client connect poblem error:0A000086:SSL

Re: Regression client connect poblem error:0A000086:SSL

Re: Regression client connect poblem error:0A000086:SSL