From: dreet...@hotmail.com
To: debbie...@gmail.com
Subject: RE: [Openvpn-users] tls-verify script not working
Date: Fri, 2 Oct 2015 20:11:17 +0200
Hello,
 
Thank you for a quick reply.
 
The server config:
*******************
log-append /var/log/openvpn.log
verb 5
dev tun
proto udp
port 11194
management 127.0.0.1 1195
server 192.168.168.0 255.255.255.0
persist-tun
persist-key
topology subnet
push "route 192.168.11.0 255.255.255.0"
push "route 192.168.168.0 255.255.255.0"
push "dhcp-option DNS 192.168.11.10"
#push "dhcp-option WINS 192.168.11.12"
prng RSA-SHA256 32
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2 or-highest
remote-cert-tls client
dh /volume1/@appstore/VPNCenter/etc/openvpn/keys/dh2048.pem
ca /volume1/@appstore/VPNCenter/etc/openvpn/keys/ca.crt
cert /volume1/@appstore/VPNCenter/etc/openvpn/keys/server.crt
key /volume1/@appstore/VPNCenter/etc/openvpn/keys/server.key
tls-auth /volume1/@appstore/VPNCenter/etc/openvpn/keys/ta.key 0
max-clients 5
comp-lzo
keepalive 20 60
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#tls-verify "/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh /volume1/@appstore/VPNCenter/scripts/userlist.txt"
#script-security 2
status /tmp/ovpn_status_2_result 30
status-version 2
******************
 
This config is working without the tls-verify script.
 
One thing just caught my eye in the error message:
VERIFY SCRIPT ERROR: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA,

CN=CA
The user has the common name admin.
Shouldn't the error show CN=admin?
A bit puzzled now... or maybe I have to read some more :)
 
Thanks
André
 

 
> From: debbie...@gmail.com
> To: dreet...@hotmail.com; openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] tls-verify script not working
> Date: Fri, 2 Oct 2015 18:59:56 +0100
> 
> Can you post your complete server config please.
> 
> ----- Original Message ----- 
> From: "Dreetjeh D" <dreet...@hotmail.com>
> To: <openvpn-users@lists.sourceforge.net>
> Sent: Friday, October 02, 2015 5:22 PM
> Subject: [Openvpn-users] tls-verify script not working
> 
> 
> Hello all,
> 
> 
> I'm running the OVPN server on a NAS from Synology with self-generated 
> certificates (XCA).
> 
> For a few days I've been trying to get a tls-verify script running, but somehow I 
> cannot find what is wrong.
> The following script, ovpnCNcheck.sh, I found on the net:
> (removed comments)
> ************************
> #!/bin/sh
> 
> # called by OpenVPN as: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline
> [ $# -eq 3 ] || { echo usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline ; exit 255 ; }
> 
> # $2 -> certificate_depth (0 is the client certificate itself)
> if [ $2 -eq 0 ] ; then
>   # $3 -> X509_NAME_oneline of the certificate being checked
>   # $1 -> userfile listing the allowed CNs, one per line
>   grep -q "^`expr match "$3" ".*/CN=\([^/][^/]*\)"`$" "$1" && exit 0
>   exit 1
> fi
> 
> # any other depth (CA, intermediates) is accepted here
> exit 0
> *********************
> 
> I gave the file 0755 and placed a text file, also 0755, containing the 
> common name of the client, in the same directory.
> In the server config:
> tls-verify "/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh /volume1/@appstore/VPNCenter/scripts/userlist.txt"
> 
> When the client connects (username/password) and then stalls, the server log 
> gives:
> *************************
> WARNING: Failed running command (--tls-verify script): could not execute external program
> Fri Oct  2 18:18:39 2015 us=192309 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, emailAddress=dreet...@hotmail.com
> Fri Oct  2 18:18:39 2015 us=192614 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> Fri Oct  2 18:18:39 2015 us=192686 192.168.11.32:1194 TLS Error: TLS object -> incoming plaintext read error
> Fri Oct  2 18:18:39 2015 us=197583 192.168.11.32:1194 SYNO_ERR_CERT
> Fri Oct  2 18:18:39 2015 us=197673 192.168.11.32:1194 TLS Error: TLS handshake failed
> Fri Oct  2 18:18:39 2015 us=198050 192.168.11.32:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
> ***************************
> 
> As I have no understanding of the script, I would still appreciate it if 
> someone could take a look at this.
> 
> Thanks in advance,
> André
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
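Editor's note with an added example; the script below is mine, not the one posted above and not anything shipped by Synology or OpenVPN. Two facts about --tls-verify explain the log: OpenVPN runs the script once per certificate in the chain, highest depth first, so the first call is for the CA at depth=1 (CN=CA) and the client certificate (CN=admin) would only be seen at depth 0; and "could not execute external program" means the script never started at all (the file is not executable for the user OpenVPN runs as, the #! line is broken, e.g. by CRLF line endings from a Windows editor, or the path is wrong), so the handshake failed at the CA and the depth-0 call never happened. Independently of that, script-security 2 must be set (it is commented out in the posted config). There is also a latent bug to fix before trusting the posted script: since OpenVPN 2.3 the subject in $3 is the comma-separated form the log shows (C=NL, ST=GLD, ..., CN=admin, ...) unless --compat-names is set, so a regex that looks for "/CN=" extracts nothing, and grep -q "^$" then matches any blank line in userlist.txt, accepting every certificate the CA has signed. This rewrite accepts both subject forms, refuses an empty CN, and matches whole lines only. Function names, the userlist contents and the subjects used in the test are constructed for the example.

```sh
#!/bin/sh
# ovpnCNcheck.sh (hardened rewrite, added example): allow a client only if the
# CN of its certificate is listed, one name per line, in the userlist file.
#
# OpenVPN invokes:  ovpnCNcheck.sh <userlist> <depth> <subject>
# once per certificate in the chain, highest depth first (the CA at depth=1
# in the log above), and last for the client certificate at depth 0.

# extract_cn SUBJECT: print the CN, or nothing if the subject has none.
# Handles both forms OpenVPN has used for $3:
#   "C=NL, ST=GLD, O=MMD, OU=OVPN, CN=admin, emailAddress=a@b"  (2.3+ default)
#   "/C=NL/ST=GLD/O=MMD/OU=OVPN/CN=admin/emailAddress=a@b"       (older, --compat-names)
# For the comma form ", " is prefixed so a leading CN= is found the same way
# as one in the middle of the subject.
extract_cn() {
    case $1 in
        /*) printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p' ;;
        *)  printf ', %s\n' "$1" | sed -n 's|.*, CN=\([^,]*\).*|\1|p' ;;
    esac
}

# verify_client USERLIST DEPTH SUBJECT: return 0 to allow, 1 to deny.
verify_client() {
    userlist=$1 depth=$2 subject=$3
    case $depth in
        0) ;;                         # the client certificate: check it below
        [1-9]|[1-9][0-9]) return 0 ;; # CA/intermediates: chain already checked against --ca
        *) echo "ovpnCNcheck: bad depth '$depth'" >&2; return 1 ;;
    esac
    cn=$(extract_cn "$subject")
    # An empty CN must be a hard failure: grep for "^$" would match any blank
    # line in the userlist and silently let every signed certificate in.
    if [ -z "$cn" ]; then
        echo "ovpnCNcheck: no CN in subject '$subject'" >&2
        return 1
    fi
    if [ ! -r "$userlist" ]; then
        echo "ovpnCNcheck: cannot read '$userlist'" >&2
        return 1
    fi
    # -F: literal string, -x: whole line, so "adm" cannot match "admin".
    if grep -F -x -q -e "$cn" "$userlist"; then
        return 0
    fi
    echo "ovpnCNcheck: CN '$cn' not listed in $userlist" >&2
    return 1
}

# Entry point when OpenVPN calls the script; with no arguments the file only
# defines the functions so they can be exercised from an interactive shell.
case $# in
    0) ;;
    3) verify_client "$@"; exit $? ;;
    *) echo "usage: $0 userlist certificate_depth X509_NAME_oneline" >&2; exit 255 ;;
esac
```

To use it, uncomment both lines in the server config (script-security 2 and the tls-verify line), make the script 0755 and owned by root, and keep userlist.txt readable but not writable by the OpenVPN user; the userlist does not need to be executable. Run "sh -n ovpnCNcheck.sh" and "head -c 16 ovpnCNcheck.sh | od -c" to spot a syntax error or a "\r" after "#!/bin/sh" before blaming OpenVPN. If only one name ever needs to be allowed, the built-in --verify-x509-name option does the same check without any script.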
