I've just updated to CentOS 7. Unfortunately, this broke my VPN access. OpenVPN complains:
VERIFY ERROR: depth=0, error=certificate signature failure
SSL alert (write): fatal: decrypt error
Mon Jul 14 16:24:18 2014 us=54800 ciphername_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54805 ciphername = 'BF-CBC'
Mon Jul 14 16:24:18 2014 us=54810 authname_defined = ENABLED
Mon Jul 14 16:24:18 2014 us=54815 authname = 'SHA1'
Mon Jul 14 16:24:18 2014 us=54820 prng_hash = 'SHA1'
------- SNIP -------
Mon Jul 14 16:24:18 2014 us=55541 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 14 2014
------- SNIP -------
Mon Jul 14 16:24:23 2014 us=212915 TLS: tls_multi_process: i=0 state=S_SENT_KEY, mysid=959d12ad 3fd6358b, stored-sid=21b1e50a 63e80c5c, stored-ip=193.175.73.100:1194
Mon Jul 14 16:24:23 2014 us=212920 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNXXF to_link->len=0 wakeup=604800
Mon Jul 14 16:24:23 2014 us=212925 ACK reliable_can_send active=0 current=0 : [3]
Mon Jul 14 16:24:23 2014 us=212931 BIO write tls_write_ciphertext 100 bytes
Mon Jul 14 16:24:23 2014 us=212935 Incoming Ciphertext -> TLS
Mon Jul 14 16:24:23 2014 us=213196 VERIFY OK: depth=1, /C=XX/ST=MYTOWN/L=MYTOWN/O=OpenVPN-Myprovider/CN=OpenVPN-Myprovider-CA/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213223 VERIFY ERROR: depth=0, error=certificate signature failure: /C=XX/ST=MYTOWN/O=OpenVPN-Myprovider/CN=server/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213238 SSL alert (write): fatal: decrypt error
Mon Jul 14 16:24:23 2014 us=213271 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 14 16:24:23 2014 us=213277 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 14 16:24:23 2014 us=213282 TLS Error: TLS handshake failed
client
dev tun
proto udp
remote xxx.myprovider.xx 1194
remote XXX.YYY.XX.YYY 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client.p12
comp-lzo
verb 12
reneg-sec 0
auth-user-pass
script-security 2
explicit-exit-notify
mute-replay-warnings
ns-cert-type server
SELinux is disabled. The certificates are encrypted with MD5 and SHA1 (usercert: Signature Algorithm: sha1WithRSAEncryption; CA: Signature Algorithm: md5WithRSAEncryption).
Our server admin can see my connection attempts but also does not know the cause - apparently, all other users can connect without problems. So I suspect some change in CentOS 7 to cause the problem. What else could I try?
Thanks in advance,
Dominik
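An added example (not part of the original post and not OpenVPN's own code): a small Python triage script that reads OpenVPN log lines in the format shown above and reports, from the root downwards, which certificate in the chain failed verification and which OpenSSL error accompanied it. The function names are hypothetical; the sample lines are copied from the log in the post.

```python
import re

# Sample input: three lines copied from the log posted above.
SAMPLE_LOG = """\
Mon Jul 14 16:24:23 2014 us=213196 VERIFY OK: depth=1, /C=XX/ST=MYTOWN/L=MYTOWN/O=OpenVPN-Myprovider/CN=OpenVPN-Myprovider-CA/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213223 VERIFY ERROR: depth=0, error=certificate signature failure: /C=XX/ST=MYTOWN/O=OpenVPN-Myprovider/CN=server/emailAddress=admin@myprovider.xx
Mon Jul 14 16:24:23 2014 us=213271 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

# "VERIFY OK|ERROR: depth=N, [error=<reason>: ]<subject DN>"; the DN may be absent.
VERIFY_RE = re.compile(
    r"VERIFY (?P<status>OK|ERROR): depth=(?P<depth>\d+), "
    r"(?:error=(?P<error>[^:]+?))?(?:: )?(?P<subject>/.*)?$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

def parse_dn(subject):
    """Split a one-line DN (/C=XX/O=...) into a dict; values containing '/' are not handled."""
    return dict(p.split("=", 1) for p in subject.strip("/").split("/") if "=" in p)

def summarize(log_text):
    """Return (chain sorted root-first, list of OpenSSL error records)."""
    chain, openssl_errors = [], []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            chain.append({
                "depth": int(m["depth"]),
                "ok": m["status"] == "OK",
                "error": m["error"],
                "subject": parse_dn(m["subject"] or ""),
            })
            continue
        m = OPENSSL_RE.search(line)
        if m:
            openssl_errors.append(m.groupdict())
    return sorted(chain, key=lambda c: -c["depth"]), openssl_errors

def first_failure(chain):
    """First certificate, walking from the root down, that did not verify."""
    return next((c for c in chain if not c["ok"]), None)

if __name__ == "__main__":
    chain, errs = summarize(SAMPLE_LOG)
    bad = first_failure(chain)
    print(f"failed at depth {bad['depth']}: {bad['error']} (CN={bad['subject'].get('CN')})")
    print("OpenSSL:", errs[0]["code"], errs[0]["func"], errs[0]["reason"])
```

On the posted log this shows the CA at depth 1 verifying and the certificate with CN=server at depth 0 failing its signature check.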