openvpn failing after recent update

addw
Posts: 35
Joined: 2005/10/23 14:11:29
Location: England

openvpn failing after recent update

Post by addw » 2017/04/11 19:54:00

I have some machines connected with openvpn, it has been happily working for several years. With the update to centos 6.9 it broke.

It did not like the cipher that I was using, not enough bits, so I replaced:

    cipher BF-CBC

with:

    cipher AES-128-CBC

Now: every 2 seconds the server is telling me (date, pid, etc removed):

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

And a client says:

    UDPv4 link local: [undef]
    UDPv4 link remote: [AF_INET]213.138.xxx.xxx:1194
    VERIFY ERROR: depth=0, error=certificate signature failure: C=GB, ST=Greater London, O=XXX Ltd, OU=XXX, CN=bytemark.phcomp.co.uk, emailAddress=addw@phcomp.co.uk
    OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    TLS_ERROR: BIO read tls_read_plaintext error
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting

Can anyone help - please.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: openvpn failing after recent update

Post by aks » 2017/04/12 16:58:11

Off the bat, verify the certificate:

    openssl verify -CAfile <your_ca_repository> <your_certificate>

addw
Posts: 35
Joined: 2005/10/23 14:11:29
Location: England

Re: openvpn failing after recent update

Post by addw » 2017/04/12 17:37:25

Thanks ... part of the problem with openvpn (indeed SSL in general) is that there are many files, sometimes with the same suffixes, and hard to work out which is what. Different bits of documentation seem to give them slightly different names/descriptions.

I doubt that there is anything wrong with it since it worked before the centos upgrade.

So: my_ca_repository ... I assume that this is the file referenced in the openvpn.conf as 'ca', same as option --ca.
my_certificate is the file given to openvpn with option --cert.

Try that and get:

    # openssl verify -CAfile bytemark.phcomp.co.uk-ca.crt mint-test.phcomp.co.uk.crt
    mint-test.phcomp.co.uk.crt: C = GB, ST = Greater London, O = Parliament Hill Computers Ltd, OU = Phcomp Bytemark, CN = mint-test.phcomp.co.uk, emailAddress = addw@phcomp.co.uk
    error 7 at 0 depth lookup:certificate signature failure
    140271588030280:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:

GeorgiSlavov
Posts: 1
Joined: 2017/04/12 17:47:31

Re: openvpn failing after recent update

Post by GeorgiSlavov » 2017/04/12 17:53:23

I have the same problem.
OpenVPN worked perfectly for many years and after the update to CentOS 6.9 it stopped connecting clients.
I did not make any other modifications. Only updated the server and restarted.

Now I see this:

    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 TLS: Initial packet from [AF_INET]77.71.21.197:53004, sid=2bf866c3 364014da
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 CRL CHECK OK: C=BG, ST=SZ, L=Stara Zagora, O=ges-2000, emailAddress=ges-2000@ges-2000.net
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 VERIFY OK: depth=1, C=BG, ST=SZ, L=Stara Zagora, O=ges-2000, emailAddress=ges-2000@ges-2000.net
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 VERIFY ERROR: depth=0, error=certificate signature failure: C=BG, ST=SZ, L=Stara Zagora, O=ges-2000, OU=Office, CN=denislav, emailAddress=ges-2000@ges-2000.net
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 TLS Error: TLS object -> incoming plaintext read error
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 TLS Error: TLS handshake failed
    Wed Apr 12 20:49:05 2017 77.71.21.197:53004 SIGUSR1[soft,tls-error] received, client-instance restarting

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: openvpn failing after recent update

Post by avij » 2017/04/12 22:52:58

CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits."

Further down the page you will see a link to upstream documentation about the changes.

I'd place my bets on MD5. Perhaps your certificate uses that as a digest algorithm. I'd recommend moving on to more secure digest algorithms such as SHA256.
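A way to test avij's MD5 hypothesis across a whole OpenVPN PKI, added here as an example and not part of any poster's text: it reads the signatureAlgorithm OID straight out of a certificate's DER (no OpenSSL call needed) and maps it to the digest name, so the 'ca' file, the server cert and every client cert can be triaged before an upgrade. The OID table and the constructed_cert() stub input are constructed for this example; real files go through pem_to_der() first.

```python
import base64

# signatureAlgorithm OIDs (PKCS#1) and the digest each one uses.
SIG_ALG_DIGEST = {
    "1.2.840.113549.1.1.2": "md2", "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1", "1.2.840.113549.1.1.11": "sha256",
}
# Digests the CentOS 6.9 OpenSSL rejects (the two ebusic's line re-enables).
DROPPED_DIGESTS = {"md2", "md5"}

def _read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER element that starts at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; the high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def signature_digest(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tag, cert, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)          # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER-encoded X.509 certificate")
    dotted = _decode_oid(oid)
    return SIG_ALG_DIGEST.get(dotted, dotted)  # unknown OIDs come back dotted

# CONSTRUCTED test input, not a real certificate: stub tbsCertificate,
# the signatureAlgorithm under test (a 9-byte OID), and a dummy signature.
MD5_OID_HEX = "2a864886f70d010104"     # 1.2.840.113549.1.1.4
SHA256_OID_HEX = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11
def constructed_cert(sig_oid_hex):
    tbs = bytes.fromhex("3003020101")
    alg = bytes.fromhex("300d0609" + sig_oid_hex + "0500")
    sig = bytes.fromhex("0309") + b"\x00" * 9
    return bytes([0x30, len(tbs) + len(alg) + len(sig)]) + tbs + alg + sig
```

A result of md5 (or md2) for the CA or any leaf is the case avij describes; the lasting fix is reissuing those certificates with SHA-256 rather than re-enabling the dropped digests.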

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: openvpn failing after recent update

Post by aks » 2017/04/13 18:27:31

Yup, what he (avij) said.

ebusic
Posts: 1
Joined: 2017/04/13 18:47:05

Re: openvpn failing after recent update

Post by ebusic » 2017/04/14 08:37:04

addw wrote: I have some machines connected with openvpn, it has been happily working for several years. With the update to centos 6.9 it broke.

Solution:

    echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings
    service openvpn restart

Bye!

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openvpn failing after recent update

Post by TrevorH » 2017/04/14 12:25:16

Well, solution, sort of. That just turns off the disabling of the broken algorithms so you can connect but are not as secure as you could be or perhaps want to be. The real solution would be to use a non-broken algorithm for generating your certs and then your traffic would be more secure too.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
