Hello,
I want a client Ubuntu machine to connect to an Ubuntu server using Jan Just's recipe. I have been following the instructions but keep getting TLS handshake failures.
Here are the configurations: links.disabled
Here are the debugs: links.disabled
I suspect there is a parameter missing regarding the nsCertType maybe?
Also I don't understand why the ta.key key is created but never mentioned again during that recipe.
Any insight will be appreciated.
Edit: My ultimate goal is to set up an OpenVPN server to connect multiple Grandstream GXV3140 Phone clients.
Client-Server recipe from JanJust book TLS Failure
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- jpms
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Dec 29, 2011 6:52 am
Last edited by jpms on Thu Dec 29, 2011 4:04 pm, edited 1 time in total.
Client-Server recipe from JanJust book TLS Failure[SOLVED]
The OpenVPN Cookbook 2011 Book comes with these 2 commands for a client/server recipe configuration, stating the client certificates can be built with or without a passphrase:
./build-key-server --batch openvpnclient1
./build-key-pass openvpnclient2
When connecting the client vpn side, I was getting
VERIFY ERROR: unsupported certificate purpose
WARNING: No server certificate verification method has been enabled.
Researching around, I found a guy with the same error who determined it was a client-server mismatch of the certificates:
http://gozer.ectoplasm.org/blog/archive ... erify.html
I found this to verify what type of certificate you have:
www.madboa.com/geek/openssl/#cert-exam
In summary, the commands in the recipe do not build client certificates, but server certs instead.
At the end, running ./build-key-server with no parameters spat out the entire list of options and usage, where I found this nice command
./pkitool
./pkitool --pass
That's it! All I needed and wanted in order to build my client certificate, with no "server" reference at all when looked up with
openssl x509 -in cert.crt -text
Jan if you are around, could you please clarify if this is something to include in the Errata doc?
Thanks,
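Added example (not part of the original post or of the book's recipe): a shell script for the check described above, asking OpenSSL which TLS roles a certificate is valid for rather than reading the -text dump by eye. The function names, the sample certificates and the extension sections in sample.cnf are constructed for this demo and are not easy-rsa's own configuration.

```shell
#!/bin/sh
# Prints "client", "server", "both" or "none" for the PEM certificate in $1,
# based on OpenSSL's own evaluation of nsCertType / key usage / extended key usage.
cert_role() {
    purposes=$(openssl x509 -in "$1" -noout -purpose) || return 1
    client=no; server=no
    # Anchored patterns so "SSL client CA : ..." lines are not matched.
    printf '%s\n' "$purposes" | grep -q '^SSL client : Yes' && client=yes
    printf '%s\n' "$purposes" | grep -q '^SSL server : Yes' && server=yes
    case "$client/$server" in
        yes/yes) echo both ;;
        yes/no)  echo client ;;
        no/yes)  echo server ;;
        *)       echo none ;;
    esac
}

# Creates a throwaway self-signed certificate (constructed sample data) in
# directory $1, named $2.crt, using extension section $3 of sample.cnf.
make_sample_cert() {
    cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = sample
[ext_server]
nsCertType = server
extendedKeyUsage = serverAuth
[ext_client]
extendedKeyUsage = clientAuth
[ext_plain]
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -extensions "$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo: a server-typed cert is rejected for the client role, which is the
# mismatch behind "unsupported certificate purpose".
tmp=$(mktemp -d)
for kind in server client plain; do
    make_sample_cert "$tmp" "$kind" "ext_$kind"
    echo "$kind cert -> usable as: $(cert_role "$tmp/$kind.crt")"
done
rm -rf "$tmp"
```

A certificate with no purpose restrictions reports "both", so a result of "server" on a file meant for a client is the case to look for.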