Tunnelblick 3.5.0 is statically linked with OpenSSL 1.0.1m and LZO 2.08, as
can be seen in the OpenVPN log message:
OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH]
[IPv6] built on Apr 15 2015
library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
On Fri, Apr 17, 2015 at 11:22 AM, Chris Ross <cross+open...@distal.com>
wrote:
>
> > On Apr 17, 2015, at 07:49, Jan Just Keijser <janj...@nikhef.nl> wrote:
> > I don't know - it's not really a TLS cipher that you want, but a TLSv1
> > connection - the nomenclature is overloaded, however.
> > It does look like a bug in your local openssl lib, as openvpn 2.3.6
> > works fine with TLSv1 on CentOS 5, which still uses openssl 0.9.8. You can
> > also build and link openvpn statically against an OpenSSL (or even
> > PolarSSL) library so that you would not have a second openssl.so file lying
> > around.
>
> (*le sigh*) Okay. So, I’m sorry to say that I think I’ve been
> misstating things this whole time. The openssl on my system is in fact
> 0.9.9. But, I failed to notice that the pkgsrc version of openvpn that I
> was using had a prerequisite for OpenSSL 1.0.1c or later, and I apparently
> already had such a beast on my system. I dislike having two versions of
> OpenSSL installed so much that I failed to notice I already did.
>
> Okay. So, back to reality. I took a more full assessment of things,
> uninstalled the older OpenSSL 1.0.1-whatever, the things that had required
> it, and started building the most recent versions of openvpn (2.3.6) and
> OpenSSL (1.0.2a) that pkgsrc has available.
>
> At this point, I now at least know what OpenSSL and crypto libraries my
> openvpn binary is linked against and can speak more correctly about them.
>
> So, back to the earlier email about using the openssl s_server and s_client,
> this time with the relevant server-side binary: it looks just fine. I can
> establish the connection without error. I can’t be sure what openssl
> Tunnelblick is compiled with, as it appears to be statically linked against
> it. The openssl s_client that worked for me just now is 0.9.8zc, but
> Tunnelblick could be using anything.
>
> But, the openvpn failure has now changed! I consider this a success!
>
> Apr 17 11:17:43 bifröst openvpn[17201]: TCP connection established with
> [AF_INET]A.B.C.D:52232
> Apr 17 11:17:44 bifröst openvpn[17201]: A.B.C.D:52232 TLS: Initial packet
> from [AF_INET]A.B.C.D:52232, sid=34eff6fb 9e28a600
> Apr 17 11:17:45 bifröst openvpn[17201]: A.B.C.D:52232 VERIFY ERROR:
> depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, O=Distal
> Thoughts, CN=client.outside.net
> Apr 17 11:17:45 bifröst openvpn[17201]: A.B.C.D:52232 TLS_ERROR: BIO read
> tls_read_plaintext error: error:14089086:SSL
> routines:ssl3_get_client_certificate:certificate verify failed
>
> So, my client certificate must be wrong somehow. I generated it by
> following the commands within the easy-rsa scripts, basically. The
> following commands were used, with an openssl.cnf I’ve had around for a
> long time and been using for other things. My CA cert pre-existed as well.
>
> % openssl req -days 730 -nodes -new -newkey rsa:2048 -keyout client.key
> -out client.csr -config $PWD/openssl.cnf
> % openssl ca -days 731 -out client.crt -in client.csr -md sha1 -config
> openssl.cnf
>
> Given the error, however, I’m guessing there must be something I’m
> missing to define the “certificate purpose” of my certificate?
>
> - Chris
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live
> exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
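The "unsupported certificate purpose" verdict in the log above is OpenSSL's own X509_V_ERR_INVALID_PURPOSE: when the server side of a TLS handshake verifies a client certificate, OpenSSL checks it against the "sslclient" purpose, and that check is decided entirely by the certificate's extensions (extendedKeyUsage, if present, must include clientAuth; nsCertType, if present, must include client; keyUsage, if present, must include digitalSignature or keyAgreement). The extension section that the CA config applied at signing time is therefore where to look. The following script is an added example, not code from this thread or from the OpenVPN or easy-rsa projects: it builds a throwaway CA and signs one CSR twice, once with a server-only extension set and once with a client extension set (both extension sets, the config file, and the CN values are constructed for the example and are not the poster's openssl.cnf), then runs the same sslclient purpose check offline with `openssl verify -purpose sslclient` and shows OpenSSL's per-purpose verdict from `openssl x509 -purpose`.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce and fix OpenSSL's
# "unsupported certificate purpose" rejection of a TLS client certificate.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal OpenSSL config (constructed) so the example does not depend on a
# system openssl.cnf; the v3_ca section is what "req -x509" uses below.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions a server-oriented openssl.cnf might carry (constructed): every
# purpose-bearing field points at server use, so OpenSSL refuses the
# certificate as a TLS client even though the signature and chain are fine.
cat > server-only.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF

# Extensions that pass the sslclient purpose check.
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
EOF

# Throwaway CA (self-signed, CA:TRUE, keyCertSign).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
  -extensions v3_ca -keyout ca.key -out ca.crt 2>/dev/null

# One CSR, signed twice with different extension sets. "x509 -req -extfile"
# is used instead of "openssl ca" so no index/serial database is needed; the
# extensions applied at signing are the only thing that differs.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=client.example.invalid" -keyout client.key -out client.csr 2>/dev/null

issue_cert() {  # issue_cert <extfile> <serial> <out>
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial "$2" \
    -days 1 -extfile "$1" -out "$3" 2>/dev/null
}
issue_cert server-only.ext 1 server-only.crt
issue_cert client.ext 2 client.crt

# OpenSSL's own per-purpose verdict for a certificate: prints "Yes" or "No"
# for the "SSL client" purpose (the "SSL client CA" line is not matched).
ssl_client_purpose() {
  openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : //p'
}

# The check an OpenSSL server applies to a presented client certificate.
# Prints "ok" or the verify error, e.g. "unsupported certificate purpose".
verify_as_client() {
  if out=$(openssl verify -purpose sslclient -CAfile ca.crt "$1" 2>&1); then
    echo ok
  elif echo "$out" | grep -q 'unsupported certificate purpose'; then
    echo "unsupported certificate purpose"
  else
    echo "$out" | tail -n 1
  fi
}

for c in server-only.crt client.crt; do
  printf '%-16s SSL client purpose: %-3s  verify -purpose sslclient: %s\n' \
    "$c" "$(ssl_client_purpose "$c")" "$(verify_as_client "$c")"
done
```

Run the two checks against your own client.crt and ca.crt: if `openssl x509 -noout -purpose` says "SSL client : No", inspect `openssl x509 -noout -text` for the extendedKeyUsage, nsCertType and keyUsage values, and compare them with the extension section named by `openssl ca` in your openssl.cnf (the `x509_extensions` key of the CA section, or whatever `-extensions` selects); re-signing the CSR with a client-oriented section such as client.ext above is the fix, since the purpose is fixed at signing time and cannot be changed on the client side.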