Hi,
the log line

  "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:
  /C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com"

shows that the client does not trust the server certificate, or the CA
certificate that signed the server certificate; verify that you have
loaded the right 'ca.crt' file in the client. You can print information
about certificates using

  openssl x509 -text -noout -in ca.crt

or

  openssl x509 -subject -issuer -noout -in ca.crt

HTH,
JJK
Richard Francis wrote:
Hi, can anyone help? Greatly appreciative of your expertise.
Fri Oct 07 14:41:38 2011 us=958000 Current Parameter Settings:
Fri Oct 07 14:41:38 2011 us=958000 config = 'VPN.ovpn'
Fri Oct 07 14:41:38 2011 us=958000 mode = 0
Fri Oct 07 14:41:38 2011 us=958000 show_ciphers = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 show_digests = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 show_engines = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 genkey = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 key_pass_file = '[UNDEF]'
Fri Oct 07 14:41:38 2011 us=958000 show_tls_ciphers = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 Connection profiles [default]:
Fri Oct 07 14:41:38 2011 us=958000 proto = tcp-client
Fri Oct 07 14:41:38 2011 us=958000 local = '[UNDEF]'
Fri Oct 07 14:41:38 2011 us=958000 local_port = 0
Fri Oct 07 14:41:38 2011 us=958000 remote = 'vpn.certify.com'
Fri Oct 07 14:41:38 2011 us=958000 remote_port = 443
Fri Oct 07 14:41:38 2011 us=958000 remote_float = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 bind_defined = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 bind_local = DISABLED
Fri Oct 07 14:41:38 2011 us=958000 connect_retry_seconds = 5
Fri Oct 07 14:41:38 2011 us=958000 connect_timeout = 10
Fri Oct 07 14:41:38 2011 us=958000 NOTE: --mute triggered...
Fri Oct 07 14:41:38 2011 us=958000 252 variation(s) on previous 20
message(s) suppressed by --mute
Fri Oct 07 14:41:38 2011 us=958000 OpenVPN 2.1.3 i686-pc-mingw32 [SSL]
[LZO2] [PKCS11] built on Aug 20 2010
Fri Oct 07 14:41:38 2011 us=978000 WARNING: No server certificate
verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Fri Oct 07 14:41:38 2011 us=978000 NOTE: OpenVPN 2.1 requires
'--script-security 2' or higher to call user-defined scripts or
executables
Fri Oct 07 14:41:39 2011 us=508000 LZO compression initialized
Fri Oct 07 14:41:39 2011 us=528000 Control Channel MTU parms [ L:1576
D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Oct 07 14:41:39 2011 us=538000 Socket Buffers: R=[8192->8192]
S=[8192->8192]
Fri Oct 07 14:41:39 2011 us=819000 Data Channel MTU parms [ L:1576
D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Oct 07 14:41:39 2011 us=819000 Local Options String: 'V4,dev-type
tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options String:
'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto
TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method
2,tls-server'
Fri Oct 07 14:41:39 2011 us=819000 Local Options hash (VER=V4): '31fdf004'
Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options hash
(VER=V4): '3e6d1056'
Fri Oct 07 14:41:39 2011 us=819000 Attempting to establish TCP
connection with 1.1.1.1:443
Fri Oct 07 14:41:39 2011 us=909000 TCP connection established with
1.1.1.1:443
Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link local: [undef]
Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link remote: 1.1.1.1:443
Fri Oct 07 14:41:39 2011 us=979000 TLS: Initial packet from
1.1.1.1:443, sid=48fe7a7z 189d19pc
Fri Oct 07 14:41:41 2011 us=401000 VERIFY ERROR: depth=1, error=self
signed certificate in certificate chain:
/C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com
Fri Oct 07 14:41:41 2011 us=401000 TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS object -> incoming
plaintext read error
Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS handshake failed
Fri Oct 07 14:41:41 2011 us=401000 Fatal TLS error
(check_tls_errors_co), restarting
Fri Oct 07 14:41:41 2011 us=401000 TCP/UDP: Closing socket
Fri Oct 07 14:41:41 2011 us=411000 SIGUSR1[soft,tls-error] received,
process restarting
Fri Oct 07 14:41:41 2011 us=411000 Restart pause, 5 second(s)
Richard Francis
http://www.pelicancomputers.us
1.847.256.0639
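
An added example, not part of the original messages: a small Python triage that rejoins a mail-wrapped OpenVPN client log, extracts the VERIFY ERROR depth and DN, and compares that DN with the subject printed by `openssl x509 -subject -noout -in ca.crt` in either the old or the OpenSSL 1.1+ output format. The function names, the sample log and the DN values are constructed for illustration.

```python
import re

# Timestamp that starts every OpenVPN log record, e.g. "Fri Oct 07 14:41:41 2011 us=401000 "
TS = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (?:us=\d+ )?")
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.*?):\s*(/.*)")
NO_PEER_CHECK = "No server certificate verification method has been enabled"

def records(text):
    """Rejoin mail-wrapped lines: a line without a timestamp continues the previous record."""
    out = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if TS.match(line) or not out:
            out.append(TS.sub("", line))
        else:
            out[-1] += " " + line
    return out

def dn_parts(dn):
    """Normalise '/C=US/CN=x' and 'C = US, CN = x'; assumes no '/' or ',' inside values."""
    dn = re.sub(r"^subject\s*=\s*", "", dn.strip())
    items = dn.strip("/").split("/") if dn.startswith("/") else re.split(r",\s*", dn)
    return [tuple(p.strip() for p in item.split("=", 1)) for item in items]

def triage(log_text, ca_subject):
    """Report VERIFY ERRORs and whether the rejected DN is the one ca.crt carries."""
    result = {"no_peer_check": False, "verify_errors": []}
    for rec in records(log_text):
        result["no_peer_check"] |= NO_PEER_CHECK in rec
        m = VERIFY.search(rec)
        if m:
            dn = m.group(3).strip()
            result["verify_errors"].append({
                "depth": int(m.group(1)),   # 0 = server certificate, >=1 = a CA above it
                "error": m.group(2),
                "dn": dn,
                "ca_matches": dn_parts(dn) == dn_parts(ca_subject),
            })
    return result

# Constructed sample, wrapped the way a mail client wraps a pasted log
SAMPLE_LOG = """\
Fri Oct 07 14:41:38 2011 us=978000 WARNING: No server certificate
verification method has been enabled.
Fri Oct 07 14:41:41 2011 us=401000 VERIFY ERROR: depth=1, error=self
signed certificate in certificate chain:
/C=US/O=Example Org/CN=Example VPN CA
"""
# Constructed output of: openssl x509 -subject -noout -in ca.crt
SAMPLE_CA_SUBJECT = "subject=C = US, O = Example Org, CN = Example VPN CA"
```

A `ca_matches` value of False means the 'ca.crt' on the client names a different CA than the one in the chain the server presented.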