Hi,

Dreetjeh D wrote:
> Hello,
>
> After adding:
> *****************
> /volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh rix,
> /volume1/@appstore/VPNCenter/scripts/userlist.txt r,
> *****************
> under:
> *****************
> /volume*/@appstore/VPNCenter/sbin/openvpn {
> #include <abstractions/base>
> #include <abstractions/base-cgi>
> ******************
> to the AppArmor profile of OpenVPN, the script now runs.
>
> But now I get this in openvpn.log
> *****************
> Sat Oct 3 00:37:19 2015 us=616906 MULTI: multi_create_instance called
> Sat Oct 3 00:37:19 2015 us=617134 192.168.11.32:1194 Re-using SSL/TLS context
> Sat Oct 3 00:37:19 2015 us=617214 192.168.11.32:1194 LZO compression initialized
> Sat Oct 3 00:37:19 2015 us=617523 192.168.11.32:1194 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:0 ]
> Sat Oct 3 00:37:19 2015 us=617604 192.168.11.32:1194 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
> Sat Oct 3 00:37:19 2015 us=617750 192.168.11.32:1194 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
> Sat Oct 3 00:37:19 2015 us=617814 192.168.11.32:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
> Sat Oct 3 00:37:19 2015 us=617911 192.168.11.32:1194 Local Options hash (VER=V4): 'xxxxxxxx'
> Sat Oct 3 00:37:19 2015 us=618004 192.168.11.32:1194 Expected Remote Options hash (VER=V4): 'xxxxxxxx'
> RSat Oct 3 00:37:19 2015 us=618164 192.168.11.32:1194 TLS: Initial packet from [AF_INET]192.168.11.32:1194, sid=xxxxxxxx xxxxxxxx
> WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Oct 3 00:37:19 2015 us=832285 192.168.11.32:1194 VERIFY SCRIPT OK: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, emailAddress=dreet...@hotmail.com
> Sat Oct 3 00:37:19 2015 us=832423 192.168.11.32:1194 VERIFY OK: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, emailAddress=dreet...@hotmail.com
> Sat Oct 3 00:37:19 2015 us=834170 192.168.11.32:1194 Validating certificate key usage
> Sat Oct 3 00:37:19 2015 us=834247 192.168.11.32:1194 ++ Certificate has key usage 0088, expects 0080
> Sat Oct 3 00:37:19 2015 us=834309 192.168.11.32:1194 ++ Certificate has key usage 0088, expects 0008
> Sat Oct 3 00:37:19 2015 us=834369 192.168.11.32:1194 ++ Certificate has key usage 0088, expects 0088
> Sat Oct 3 00:37:19 2015 us=834429 192.168.11.32:1194 VERIFY KU OK
> Sat Oct 3 00:37:19 2015 us=834499 192.168.11.32:1194 Validating certificate extended key usage
> Sat Oct 3 00:37:19 2015 us=834563 192.168.11.32:1194 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> Sat Oct 3 00:37:19 2015 us=834625 192.168.11.32:1194 VERIFY EKU OK
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This is standard from Synology
>
> Sat Oct 3 00:37:19 2015 us=844018 192.168.11.32:1194 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
> Sat Oct 3 00:37:19 2015 us=844132 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=0, C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=dreet...@hotmail.com
> Sat Oct 3 00:37:19 2015 us=844403 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> Sat Oct 3 00:37:19 2015 us=844474 192.168.11.32:1194 TLS Error: TLS object -> incoming plaintext read error
> Sat Oct 3 00:37:19 2015 us=848980 192.168.11.32:1194 SYNO_ERR_CERT
> Sat Oct 3 00:37:19 2015 us=849060 192.168.11.32:1194 TLS Error: TLS handshake failed
> Sat Oct 3 00:37:19 2015 us=849370 192.168.11.32:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
> ************************
>
> From what I understand the script should return 0 but exits with error
> status 1.
>
> I double checked the script and userlist.txt have 0755
> Paths to the files are correct
> userlist.txt one line admin
> admin.crt has CN=admin
> ca.crt has CN=CA
>
> Could it be that the script needs to be modified to be compatible with
> NAS?
>

I'd add some debug statements to the script, e.g. add
  echo "[$0] [$1] [$2] [$3] [$4]"
on the second line.

Also, what happens if you run the script manually with the same parameters as specified via OpenVPN?

JJK

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
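
Added example, not part of the original thread and not the ovpnCNcheck.sh script under discussion: a minimal CN allow-list check for `--tls-verify` that prints the arguments it receives, in the spirit of the debug line suggested above, and returns the 0/1 status OpenVPN acts on. It assumes the script is configured as `tls-verify "<script> <userlist>"`, so OpenVPN appends the certificate depth and subject; the function names are hypothetical, and the slash-separated subject form is handled as an assumption alongside the comma-separated form seen in the log.

```shell
#!/bin/sh
# Hypothetical tls-verify helper (added example).
# OpenVPN runs it as: <script> <userlist> <certificate_depth> <subject>

# Print the CN from a subject string. Accepts the comma-separated form seen in
# the log ("C=NL, ..., CN=admin, emailAddress=...") and a slash-separated form
# ("/C=NL/.../CN=admin/..."). Limitation: a CN containing ',' or '/' is cut.
extract_cn() {
    printf '%s\n' "$1" | tr '/,' '\n\n' | sed -n 's/^ *CN=\(.*\)$/\1/p' | head -n 1
}

# Return 0 to accept the certificate, 1 to reject it.
check_cn() {
    userlist=$1 depth=$2 subject=$3
    # Debug line on stderr showing exactly what the script was handed.
    printf '[tls-verify] list=[%s] depth=[%s] subject=[%s]\n' \
        "$userlist" "$depth" "$subject" >&2
    # Only the peer certificate (depth 0) is matched; CA levels pass through.
    [ "$depth" -eq 0 ] || return 0
    # An unreadable list (permissions, AppArmor) must fail closed, and say so.
    [ -r "$userlist" ] || { echo "[tls-verify] cannot read $userlist" >&2; return 1; }
    cn=$(extract_cn "$subject")
    [ -n "$cn" ] || { echo "[tls-verify] no CN found in subject" >&2; return 1; }
    # -F: literal string, -x: whole line, so "adm" never matches "admin".
    if grep -Fxq -- "$cn" "$userlist"; then
        return 0
    fi
    echo "[tls-verify] CN [$cn] is not in $userlist" >&2
    return 1
}

# Act as the tls-verify script only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_cn "$@"
    exit $?
fi
```

Running it by hand with the user list path, `0`, and the depth=0 subject copied from the log shows on stderr which of the three checks fails.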