Connect error: VERIFY EKU ERROR
Posted: Tue Aug 23, 2022 12:41 pm
Hi, please help. When I try to connect to the OpenVPN server, I get an error. All certificates are valid.
Server log:
Tue Aug 23 15:35:23 2022 us=164818 MULTI: multi_create_instance called
Tue Aug 23 15:35:23 2022 us=164896 217.79.14.90:58332 Re-using SSL/TLS context
Tue Aug 23 15:35:23 2022 us=164926 217.79.14.90:58332 LZO compression initializing
Tue Aug 23 15:35:23 2022 us=172875 217.79.14.90:58332 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue Aug 23 15:35:23 2022 us=172900 217.79.14.90:58332 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Aug 23 15:35:23 2022 us=172966 217.79.14.90:58332 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Aug 23 15:35:23 2022 us=173001 217.79.14.90:58332 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Aug 23 15:35:23 2022 us=173051 217.79.14.90:58332 TLS: Initial packet from [AF_INET]217.79.14.90:58332, sid=1306e70b a8ad933d
Tue Aug 23 15:35:23 2022 us=187192 217.79.14.90:58332 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Aug 23 15:35:23 2022 us=187375 217.79.14.90:58332 VERIFY KU OK
Tue Aug 23 15:35:23 2022 us=187398 217.79.14.90:58332 Validating certificate extended key usage
Tue Aug 23 15:35:23 2022 us=187418 217.79.14.90:58332 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Tue Aug 23 15:35:23 2022 us=187438 217.79.14.90:58332 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Tue Aug 23 15:35:23 2022 us=187455 217.79.14.90:58332 VERIFY EKU ERROR
Tue Aug 23 15:35:23 2022 us=187519 217.79.14.90:58332 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Tue Aug 23 15:35:23 2022 us=187540 217.79.14.90:58332 TLS_ERROR: BIO read tls_read_plaintext error
Tue Aug 23 15:35:23 2022 us=187562 217.79.14.90:58332 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 23 15:35:23 2022 us=187580 217.79.14.90:58332 TLS Error: TLS handshake failed
Tue Aug 23 15:35:23 2022 us=187655 217.79.14.90:58332 SIGUSR1[soft,tls-error] received, client-instance restarting
Client log:
...................................
2022-08-23 15:38:36 us=968000 MANAGEMENT: >STATE:1661258316,WAIT,,,,,,
2022-08-23 15:38:37 MANAGEMENT: >STATE:1661258317,AUTH,,,,,,
2022-08-23 15:38:37 TLS: Initial packet from [AF_INET]XX.XXX.XXX.X:1194, sid=2e23a989 eb707609
2022-08-23 15:38:37 us=15000 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-08-23 15:38:37 us=31000 VERIFY KU OK
2022-08-23 15:38:37 us=31000 Validating certificate extended key usage
2022-08-23 15:38:37 us=31000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-08-23 15:38:37 us=31000 VERIFY EKU OK
2022-08-23 15:38:37 us=31000 VERIFY OK: depth=0, CN=server
2022-08-23 15:38:37 us=562000 TCP/UDP: Closing socket
2022-08-23 15:38:37 us=562000 SIGTERM[hard,] received, process exiting
2022-08-23 15:38:37 us=578000 MANAGEMENT: >STATE:1661258317,EXITING,SIGTERM,,,,,
Server config
port 1194
proto udp
local XX.XXX.XXX.X
dev tun
cd /etc/openvpn
persist-key
persist-tun
tls-server
tls-timeout 120
dh /etc/openvpn/dh.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn-server.crt
key /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
server 10.15.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
topology subnet
max-clients 5
push "dhcp-option DNS 10.15.0.1"
route 10.15.0.0 255.255.255.0
comp-lzo
keepalive 10 120
status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/openvpn-server.log
verb 4
mute 20
cipher AES-256-CBC
remote-cert-tls server
auth SHA256
Client config
client
dev tun
proto udp4
remote example.com
tls-client
ca ca.crt
cert dev1.crt
key client.key
tls-auth ta.key 1
comp-lzo
data-ciphers-fallback 'AES-256-CBC'
resolv-retry infinite
nobind
float
keepalive 10 120
persist-key
persist-tun
verb 0
remote-cert-tls server
auth SHA256
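The server log above says exactly what is being compared: the client presented a certificate with EKU "TLS Web Client Authentication" (OID 1.3.6.1.5.5.7.3.2), and the server "expects TLS Web Server Authentication". That expectation comes from the server config: `remote-cert-tls server` tells the *local* side to require the server-authentication EKU on the *peer's* certificate, which on a server means demanding serverAuth from every client. The directive is correct on the client (it is what stops a stolen client certificate from being used to impersonate the server) but on the server it should read `remote-cert-tls client`, which requires the clientAuth EKU that dev1.crt actually carries. The following script is an added example, not code from the forum post or from the OpenVPN project; it runs the two checks a practitioner would make on constructed copies of the post's log lines and config fragments (timestamps and the peer address trimmed): which EKU the peer's certificate had versus which one was demanded, and whether each side's `remote-cert-tls` argument names its peer's role.

```python
import re

# Constructed sample: the EKU lines from the post's server log, timestamps trimmed.
SERVER_LOG = """\
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
VERIFY EKU ERROR
"""

# Constructed fragments of the two configs from the post (only the relevant lines).
SERVER_CONF = """\
port 1194
tls-server
server 10.15.0.0 255.255.255.0
remote-cert-tls server
"""

CLIENT_CONF = """\
client
tls-client
remote example.com
remote-cert-tls server
"""

# `remote-cert-tls <role>` makes OpenVPN require the EKU of that role on the PEER's
# certificate, so a server must name "client" and a client must name "server".
EKU_FOR_ROLE = {
    "server": "TLS Web Server Authentication",
    "client": "TLS Web Client Authentication",
}

# Matches the "(str)" EKU line OpenVPN logs at verb 4 when validating a peer cert.
EKU_LINE = re.compile(
    r"\+\+ Certificate has EKU \(str\) (?P<has>.+?), expects (?P<expects>.+)$"
)


def local_role(conf):
    """Return 'server' or 'client' from the mode directives in an OpenVPN config."""
    directives = {line.split()[0] for line in conf.splitlines() if line.strip()}
    if "tls-server" in directives or "server" in directives:
        return "server"
    if "tls-client" in directives or "client" in directives:
        return "client"
    raise ValueError("config does not say which side it is")


def remote_cert_tls(conf):
    """Return the argument of remote-cert-tls, or None if the directive is absent."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "remote-cert-tls":
            return parts[1]
    return None


def check_config(conf):
    """Return (problem or None, the remote-cert-tls line this side should carry)."""
    me = local_role(conf)
    peer = "client" if me == "server" else "server"
    want = f"remote-cert-tls {peer}"
    got = remote_cert_tls(conf)
    if got is None:
        return (f"{me} config has no remote-cert-tls; peer role is not enforced", want)
    if got != peer:
        return (f"{me} config says 'remote-cert-tls {got}' but its peer is a {peer}", want)
    return (None, want)


def eku_mismatch_from_log(log):
    """Return (eku the peer cert has, eku that was demanded) for a failed EKU
    check found in the log, or None when every EKU line in the log matched."""
    for line in log.splitlines():
        m = EKU_LINE.search(line)
        if m and m["has"] != m["expects"]:
            return (m["has"], m["expects"])
    return None


if __name__ == "__main__":
    mismatch = eku_mismatch_from_log(SERVER_LOG)
    if mismatch:
        has, expects = mismatch
        print(f"peer cert carries '{has}' but the local config demanded '{expects}'")
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        problem, want = check_config(conf)
        print(f"{name}: {problem or 'ok'} (should have: {want})")
```

Running it reports the mismatch from the log and flags only the server config; replacing its `remote-cert-tls server` line with `remote-cert-tls client` makes `check_config` return no problem, while the client config is left as it is.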