Re: [Openvpn-devel] Fatal Error on XP

2011-10-10 Thread Richard Francis
Excellent idea. The CA cert issuer was incorrect to the client issuer.

Thank you very much.

Richard



-----Original Message-----
From: Jan Just Keijser [mailto:janj...@nikhef.nl] 
Sent: Monday, October 10, 2011 1:54 AM
To: Richard Francis
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Fatal Error on XP

Hi,

the log line
"VERIFY ERROR: depth=1, error=self signed certificate in certificate 
chain: 
/C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com"

shows that the client does not trust the server certificate, or the CA 
certificate that signed the server certificate; verify that you have 
loaded the right 'ca.crt' file in the client. You can print information 
about certificates using
  openssl x509 -text -noout -in ca.crt
or
  openssl x509 -subject -issuer -noout -in ca.crt

HTH,

JJK

Richard Francis wrote:
>
> Hi, anyone can help? Greatly appreciative of your expertise.
>
>  
>
> Fri Oct 07 14:41:38 2011 us=958000 Current Parameter Settings:
>
> Fri Oct 07 14:41:38 2011 us=958000 config = 'VPN.ovpn'
>
> Fri Oct 07 14:41:38 2011 us=958000 mode = 0
>
> Fri Oct 07 14:41:38 2011 us=958000 show_ciphers = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 show_digests = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 show_engines = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 genkey = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 key_pass_file = '[UNDEF]'
>
> Fri Oct 07 14:41:38 2011 us=958000 show_tls_ciphers = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 Connection profiles [default]:
>
> Fri Oct 07 14:41:38 2011 us=958000 proto = tcp-client
>
> Fri Oct 07 14:41:38 2011 us=958000 local = '[UNDEF]'
>
> Fri Oct 07 14:41:38 2011 us=958000 local_port = 0
>
> Fri Oct 07 14:41:38 2011 us=958000 remote = 'vpn.certify.com'
>
> Fri Oct 07 14:41:38 2011 us=958000 remote_port = 443
>
> Fri Oct 07 14:41:38 2011 us=958000 remote_float = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 bind_defined = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 bind_local = DISABLED
>
> Fri Oct 07 14:41:38 2011 us=958000 connect_retry_seconds = 5
>
> Fri Oct 07 14:41:38 2011 us=958000 connect_timeout = 10
>
> Fri Oct 07 14:41:38 2011 us=958000 NOTE: --mute triggered...
>
> Fri Oct 07 14:41:38 2011 us=958000 252 variation(s) on previous 20 
> message(s) suppressed by --mute
>
> Fri Oct 07 14:41:38 2011 us=958000 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] 
> [LZO2] [PKCS11] built on Aug 20 2010
>
> Fri Oct 07 14:41:38 2011 us=978000 WARNING: No server certificate 
> verification method has been enabled. See 
> http://openvpn.net/howto.html#mitm for more info.
>
> Fri Oct 07 14:41:38 2011 us=978000 NOTE: OpenVPN 2.1 requires 
> '--script-security 2' or higher to call user-defined scripts or 
> executables
>
> Fri Oct 07 14:41:39 2011 us=508000 LZO compression initialized
>
> Fri Oct 07 14:41:39 2011 us=528000 Control Channel MTU parms [ L:1576 
> D:140 EF:40 EB:0 ET:0 EL:0 ]
>
> Fri Oct 07 14:41:39 2011 us=538000 Socket Buffers: R=[8192->8192] 
> S=[8192->8192]
>
> Fri Oct 07 14:41:39 2011 us=819000 Data Channel MTU parms [ L:1576 
> D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
>
> Fri Oct 07 14:41:39 2011 us=819000 Local Options String: 'V4,dev-type 
> tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher 
> BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
>
> Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options String: 
> 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto 
> TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 
> 2,tls-server'
>
> Fri Oct 07 14:41:39 2011 us=819000 Local Options hash (VER=V4): '31fdf004'
>
> Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options hash 
> (VER=V4): '3e6d1056'
>
> Fri Oct 07 14:41:39 2011 us=819000 Attempting to establish TCP 
> connection with 1.1.1.1:443
>
> Fri Oct 07 14:41:39 2011 us=909000 TCP connection established with 
> 1.1.1.1:443
>
> Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link local: [undef]
>
> Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link remote: 1.1.1.1:443
>
> Fri Oct 07 14:41:39 2011 us=979000 TLS: Initial packet from 
> 1.1.1.1:443, sid=48fe7a7z 189d19pc
>
> Fri Oct 07 14:41:41 2011 us=401000 VERIFY ERROR: depth=1, error=self 
> signed certificate in certificate chain: 
> /C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com
>
> Fri Oct 07 14:41:41 2011 us=401000 TLS_ERROR: BIO read 
> tls_read_plaintext error: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS object -> incoming 
> plaintext read error
>
> Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS handshake failed
>
> Fri Oct 07 14:41:41 2011 us=401000 Fatal TLS error 
> (check_tls_errors_co), restarting
>
> Fri Oct 07 14:41:41 2011 us=401000 TCP/UDP: Closing socket
>
> Fri Oct 07 14:41:41 2011 us=411000 SIGUSR1[soft,tls-error] received, 
> process restarting
>
> Fri Oct 

Re: [Openvpn-devel] Fatal Error on XP

2011-10-10 Thread Jan Just Keijser

Hi,

the log line
"VERIFY ERROR: depth=1, error=self signed certificate in certificate 
chain: 
/C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com"


shows that the client does not trust the server certificate, or the CA 
certificate that signed the server certificate; verify that you have 
loaded the right 'ca.crt' file in the client. You can print information 
about certificates using

 openssl x509 -text -noout -in ca.crt
or
 openssl x509 -subject -issuer -noout -in ca.crt

HTH,

JJK

Richard Francis wrote:


Hi, anyone can help? Greatly appreciative of your expertise.

 


Fri Oct 07 14:41:38 2011 us=958000 Current Parameter Settings:

Fri Oct 07 14:41:38 2011 us=958000 config = 'VPN.ovpn'

Fri Oct 07 14:41:38 2011 us=958000 mode = 0

Fri Oct 07 14:41:38 2011 us=958000 show_ciphers = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 show_digests = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 show_engines = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 genkey = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 key_pass_file = '[UNDEF]'

Fri Oct 07 14:41:38 2011 us=958000 show_tls_ciphers = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 Connection profiles [default]:

Fri Oct 07 14:41:38 2011 us=958000 proto = tcp-client

Fri Oct 07 14:41:38 2011 us=958000 local = '[UNDEF]'

Fri Oct 07 14:41:38 2011 us=958000 local_port = 0

Fri Oct 07 14:41:38 2011 us=958000 remote = 'vpn.certify.com'

Fri Oct 07 14:41:38 2011 us=958000 remote_port = 443

Fri Oct 07 14:41:38 2011 us=958000 remote_float = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 bind_defined = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 bind_local = DISABLED

Fri Oct 07 14:41:38 2011 us=958000 connect_retry_seconds = 5

Fri Oct 07 14:41:38 2011 us=958000 connect_timeout = 10

Fri Oct 07 14:41:38 2011 us=958000 NOTE: --mute triggered...

Fri Oct 07 14:41:38 2011 us=958000 252 variation(s) on previous 20 
message(s) suppressed by --mute


Fri Oct 07 14:41:38 2011 us=958000 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] 
[LZO2] [PKCS11] built on Aug 20 2010


Fri Oct 07 14:41:38 2011 us=978000 WARNING: No server certificate 
verification method has been enabled. See 
http://openvpn.net/howto.html#mitm for more info.


Fri Oct 07 14:41:38 2011 us=978000 NOTE: OpenVPN 2.1 requires 
'--script-security 2' or higher to call user-defined scripts or 
executables


Fri Oct 07 14:41:39 2011 us=508000 LZO compression initialized

Fri Oct 07 14:41:39 2011 us=528000 Control Channel MTU parms [ L:1576 
D:140 EF:40 EB:0 ET:0 EL:0 ]


Fri Oct 07 14:41:39 2011 us=538000 Socket Buffers: R=[8192->8192] 
S=[8192->8192]


Fri Oct 07 14:41:39 2011 us=819000 Data Channel MTU parms [ L:1576 
D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]


Fri Oct 07 14:41:39 2011 us=819000 Local Options String: 'V4,dev-type 
tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher 
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'


Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options String: 
'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto 
TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 
2,tls-server'


Fri Oct 07 14:41:39 2011 us=819000 Local Options hash (VER=V4): '31fdf004'

Fri Oct 07 14:41:39 2011 us=819000 Expected Remote Options hash 
(VER=V4): '3e6d1056'


Fri Oct 07 14:41:39 2011 us=819000 Attempting to establish TCP 
connection with 1.1.1.1:443


Fri Oct 07 14:41:39 2011 us=909000 TCP connection established with 
1.1.1.1:443


Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link local: [undef]

Fri Oct 07 14:41:39 2011 us=909000 TCPv4_CLIENT link remote: 1.1.1.1:443

Fri Oct 07 14:41:39 2011 us=979000 TLS: Initial packet from 
1.1.1.1:443, sid=48fe7a7z 189d19pc


Fri Oct 07 14:41:41 2011 us=401000 VERIFY ERROR: depth=1, error=self 
signed certificate in certificate chain: 
/C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com


Fri Oct 07 14:41:41 2011 us=401000 TLS_ERROR: BIO read 
tls_read_plaintext error: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS object -> incoming 
plaintext read error


Fri Oct 07 14:41:41 2011 us=401000 TLS Error: TLS handshake failed

Fri Oct 07 14:41:41 2011 us=401000 Fatal TLS error 
(check_tls_errors_co), restarting


Fri Oct 07 14:41:41 2011 us=401000 TCP/UDP: Closing socket

Fri Oct 07 14:41:41 2011 us=411000 SIGUSR1[soft,tls-error] received, 
process restarting


Fri Oct 07 14:41:41 2011 us=411000 Restart pause, 5 second(s)

 

 


Richard Francis

http://www.pelicancomputers.us

1.847.256.0639
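
The ca.crt check suggested in the reply above, as an added example that is not part of the original thread: it builds two throwaway CAs and a server certificate signed by only one of them, then compares issuer against subject and runs `openssl verify` against each CA file. The CA names, the `example.test` organisation, the file names and the helper function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name and file below is constructed for the demo.

make_ca() {            # $1 = CN of a new self-signed CA, $2 = output prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=example.test/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

make_server_cert() {   # $1 = prefix of the signing CA, $2 = output prefix
    openssl req -newkey rsa:2048 -nodes -subj "/O=example.test/CN=vpn-server" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

dn() {                 # $1 = -subject or -issuer, $2 = certificate file
    openssl x509 -noout "$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Name check: is the certificate's issuer the subject of this ca.crt?
issuer_matches() {     # $1 = ca.crt, $2 = certificate to check
    [ "$(dn -subject "$1")" = "$(dn -issuer "$2")" ]
}

# Signature check: does the certificate chain to this ca.crt?
# The output is matched instead of the exit status, which old builds got wrong.
chain_verifies() {     # $1 = ca.crt, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {             # $1 = ca.crt, $2 = certificate to check
    echo "ca.crt subject : $(dn -subject "$1")"
    echo "cert issuer    : $(dn -issuer "$2")"
    if issuer_matches "$1" "$2" && chain_verifies "$1" "$2"; then
        echo "result         : trusted by this ca.crt"
    else
        echo "result         : NOT trusted, wrong ca.crt for this server"
    fi
}

work=$(mktemp -d)
make_ca "Demo CA A" "$work/ca_a"          # the CA that signs the server
make_ca "Demo CA B" "$work/ca_b"          # an unrelated CA
make_server_cert "$work/ca_a" "$work/server"
report "$work/ca_a.crt" "$work/server.crt"
report "$work/ca_b.crt" "$work/server.crt"
```

A matching name alone is not proof of trust, since two CAs can carry the same subject, which is why `report` requires the signature check as well.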

 



