Hi Chris,

On 15/04/15 20:01, Chris Ross wrote:
>> the cipher list looks OK; I've just tried in my setup and it's definitely
>> the TLS cipher, not the "cipher" option - that would lead to a different
>> error message.
>>
>> something just popped up in my mind: what kind of certificates are you
>> using? if you're using ECDSA based certificates and use SHA256 signing then
>> it would fail - the currently released version of OpenVPN does not support
>> that. Try using "regular" RSA type certificates (there you can use SHA2
>> hashes).
>>
>> You can determine what's used in your certificate by posting/looking at
>> openssl x509 -text -noout -in cert/distal-ca.crt
>> openssl x509 -text -noout -in cert/distalvpn.crt
>
> Pretty sure they’re just standard RSA. Generated with openssl req and
> openssl ca, IIRC. Appended…
>
> Are these using SHA1, and I need SHA2?

SHA1 is fine, though I would recommend switching to SHA2 if you can - from
2016 on, SHA1 is considered "not secure enough" anymore for secure websites.

The 'no shared cipher' problem is looking stranger and stranger, however.
Have you tried connecting using another client (i.e. not a Mac)? If you'd
like I can try connecting from my Linux laptop. At my work we use an OpenVPN
setup similar to yours (i.e. a quite basic server setup) to which all kinds
of clients connect (Linux, Windows, Mac, Android).

HTH,

JJK

> % openssl x509 -text -noout -in cert/distal-ca.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             AA:BB:CC
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=Maryland, O=Distal Thoughts, CN=Distal Thoughts Certificate Authority/emailAddress=c...@distal.com
>         Validity
>             Not Before: Dec 8 22:59:21 2013 GMT
>             Not After : Dec 8 22:59:21 2033 GMT
>         Subject: C=US, ST=Maryland, O=Distal Thoughts, CN=Distal Thoughts Certificate Authority/emailAddress=c...@distal.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     CC:DD:EE
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 AA:BB
>             X509v3 Authority Key Identifier:
>                 keyid:AA:BB
>                 DirName:/C=US/ST=Maryland/O=Distal Thoughts/CN=Distal Thoughts Certificate Authority/emailAddress=c...@distal.com
>                 serial:DD:EE
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>             X509v3 Key Usage:
>                 Certificate Sign, CRL Sign
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA
>     Signature Algorithm: sha1WithRSAEncryption
>         DD:EE:FF
> % openssl x509 -text -noout -in cert/distalvpn.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             AA:BB:CC
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=Maryland, O=Distal Thoughts, CN=Distal Thoughts Certificate Authority/emailAddress=c...@distal.com
>         Validity
>             Not Before: Apr 8 21:38:36 2015 GMT
>             Not After : Apr 9 21:38:36 2025 GMT
>         Subject: C=US, ST=Maryland, O=Distal Thoughts, CN=vpn.distal.com/emailAddress=cr...@distal.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     CC:DD:EE
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 OpenSSL Generated Server Certificate
>             X509v3 Subject Key Identifier:
>                 CC:DD:EE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 Authority Key Identifier:
>                 keyid: CC:DD:EE
>
>     Signature Algorithm: sha1WithRSAEncryption
>         CC:DD:EE
> %
>

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
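As an added example (not code from the thread or from the OpenVPN project), here is a small POSIX shell helper that reads the output of `openssl x509 -text -noout`, as suggested above, and reports whether the key is RSA or ECDSA and whether the signature hash is SHA1 or SHA2. The sample dumps are constructed, and the verdicts repeat the thread's advice rather than the behaviour of any particular OpenVPN version.

```shell
#!/bin/sh
# Added example: classify key type and signature hash from the text that
# "openssl x509 -text -noout" prints. It parses pasted output, so it also
# runs where the openssl binary is not installed.

# Print "<key>/<hash>", e.g. "rsa/sha1" or "ecdsa/sha2"; unknown -> "other".
cert_class() {
    sig=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    pub=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
    case "$pub" in
        rsaEncryption)  key=rsa ;;
        id-ecPublicKey) key=ecdsa ;;
        *)              key=other ;;
    esac
    case "$sig" in
        sha1With*|ecdsa-with-SHA1) hash=sha1 ;;
        sha256With*|sha384With*|sha512With*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) hash=sha2 ;;
        *) hash=other ;;
    esac
    printf '%s/%s\n' "$key" "$hash"
}

# Map the class to the advice given in the thread above.
cert_verdict() {
    case "$(cert_class "$1")" in
        rsa/sha2)   echo "ok: RSA key with a SHA-2 signature" ;;
        rsa/sha1)   echo "ok for OpenVPN, but SHA1-signed; re-sign with SHA-2 when you can" ;;
        ecdsa/sha2) echo "fail: ECDSA key with SHA-2 signature, unsupported by the OpenVPN release discussed" ;;
        *)          echo "unknown: $(cert_class "$1")" ;;
    esac
}
# For a real file (needs the openssl CLI): cert_verdict_file cert/distalvpn.crt
cert_verdict_file() { cert_verdict "$(openssl x509 -text -noout -in "$1")"; }

# Constructed sample dumps, cut down to the lines the parser reads.
SAMPLE_RSA_SHA1='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: C=US, ST=Maryland, O=Distal Thoughts, CN=vpn.distal.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_ECDSA_SHA256='Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'
cert_verdict "$SAMPLE_RSA_SHA1"
cert_verdict "$SAMPLE_ECDSA_SHA256"
```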