On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my spare pi from the desk drawer and built 2.3.3 from sources like you describe in #385. I fired up a Windows 8.1 VM, and installed OpenVPN 2.3.3-I002 (x64). This setup however happily connects with TLSv1.2. It's hard to get a hold on this one...
My Windows client is XP, 32-bit. It's a physical machine (old notebook). Although the problem first surfaced on 2.3.3, I'm now running off git-master (of a few days back). How I did that is in #385 too.
For those on the list: With a hint from Steffan, I have established that the client certificate is not being sent. I believe this is a client issue.
It appears that including the cert/key in the conf file, rather than from the crypto API, makes 1.2 work.
We suspect there's some issue due to 1.2's larger hashes/message size. Not clear whether the cryptoapi interface is the cause or a victim.
As I can't build the Windows client (it's really annoying that it requires commercial tools), further debug will need help from folks who can.
As always, let me know if I can do anything more to help.