It is also possible that this is due to certificates not actually being self-signed; they are signed by a CA but the CA is not in place.
Curious though.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 19 May 2021 21:20, tincantech <tincant...@protonmail.com> wrote:

> Hi,
>
> turns out that this happens when combining --tls-crypt-v2 keys with
> peer-fingerprint mode.
> Maybe it has nothing to do with peer-fingerprint mode or --reneg-sec
> either.
>
> Client logs:
>
> Without --tls-crypt-v2 key (No --tls-* key at all)
>
> 2021-05-19 20:35:45 us=25803 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=c49ce550 80599fa6
> 2021-05-19 20:35:45 us=32200 VERIFY OK: depth=0, CN=s1
> 2021-05-19 20:35:45 us=32810 VERIFY OK: depth=0, CN=s1
> 2021-05-19 20:35:45 us=42552 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
>
> With --tls-crypt-v2 key
>
> 2021-05-19 20:59:43 us=349608 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=9166d66f fac63d82
> 2021-05-19 20:59:43 us=362301 VERIFY OK: depth=0, CN=wiscii
> 2021-05-19 20:59:43 us=363091 VERIFY OK: depth=0, CN=wiscii
> 2021-05-19 20:59:43 us=364036 VERIFY OK: depth=0, CN=wiscii
> 2021-05-19 20:59:43 us=422371 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
>
> Verified both setups are using peer-fingerprint mode, No CA.
>
> if there is interest I'll trac it .. maybe add it to
> https://community.openvpn.net/openvpn/ticket/1310
>
> Thanks
> R
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Sunday, 16 May 2021 10:35, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > in peer-fingerprint mode during --reneg-sec cycle, there appears to be
> > an uneven round of TLS-Verify taking place.
> > On the server I see two rounds of verify, on the client I see three rounds.
> > The configs are more or less generic, the only exception being that the server
> > has a script configured for --tls-verify.
> > I am only curious, if this is meant to be the case?
> >
> > Logs at verb 4:
> >
> > - Server
> >
> > 2021-05-16 10:05:52 us=351436 arch/10.10.201.226:36798 TLS: soft reset sec=3517/3517 bytes=4666/-1 pkts=118/0
> > Ignoring unknown option: CN
> > <EXOK> * EasyTLS-verify ==> Recognised Client cert serial
> > 2021-05-16 10:05:52 us=381536 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
> > 2021-05-16 10:05:52 us=381629 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
> > Ignoring unknown option: CN
> > <EXOK> * EasyTLS-verify ==> Recognised Client cert serial
> > 2021-05-16 10:05:52 us=388179 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch
> > 2021-05-16 10:05:52 us=388260 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch
> > 2021-05-16 10:05:52 us=388972 arch/10.10.201.226:36798 peer info: IV_VER=2.6_git
> >
> > - Client
> >
> > 2021-05-16 10:05:52 us=286687 VERIFY OK: depth=0, CN=wiscii
> > 2021-05-16 10:05:52 us=290195 VERIFY OK: depth=0, CN=wiscii
> > 2021-05-16 10:05:52 us=291238 VERIFY OK: depth=0, CN=wiscii
> > 2021-05-16 10:05:52 us=312385 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
> >
> > Thanks
> > R
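As an added example, not code from this thread or from the OpenVPN project: a small parser for verb-4 logs that splits them at the handshake markers seen above (`TLS: Initial packet` for a new connection, `TLS: soft reset` for a --reneg-sec renegotiation) and counts the `VERIFY OK` and `VERIFY SCRIPT OK` lines each handshake produced, so the per-side round counts the reporter compared by eye can be checked mechanically across a long log. The sample lines are copied from the logs quoted above; the marker and verify-line patterns are assumptions derived only from those lines, and the optional `name/ip:port` prefix on server lines is simply ignored by the regexes.

```python
"""Count OpenVPN TLS verify rounds per handshake in verb-4 logs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumed from the quoted logs: a new TLS handshake starts with one of these lines.
HANDSHAKE_START = re.compile(r"TLS: (?:Initial packet from|soft reset)")
# Assumed from the quoted logs: verify-callback results, with or without a client prefix.
VERIFY_LINE = re.compile(r"(VERIFY SCRIPT OK|VERIFY OK): depth=(\d+), (.+?)\s*$")


@dataclass
class Handshake:
    """One TLS handshake (initial or renegotiation) and the verify events it logged."""
    start: str                       # the marker line, or a placeholder for a truncated log
    verify_ok: int = 0               # built-in verification result (CA chain or peer-fingerprint)
    verify_script_ok: int = 0        # --tls-verify script result (server side only on this page)
    subjects: List[str] = field(default_factory=list)


def verify_rounds(lines: Iterable[str]) -> List[Handshake]:
    """Group verify lines by handshake. Lines before the first marker (a log that
    starts mid-handshake, like the quoted client snippet) form their own group."""
    handshakes: List[Handshake] = []
    current = Handshake(start="(before first handshake marker)")
    for line in lines:
        if HANDSHAKE_START.search(line):
            if current.verify_ok or current.verify_script_ok:
                handshakes.append(current)
            current = Handshake(start=line.strip())
            continue
        m = VERIFY_LINE.search(line)
        if m is None:
            continue                 # script stdout, MTU warnings, peer info, etc.
        kind, depth, subject = m.groups()
        if kind == "VERIFY OK":
            current.verify_ok += 1
            current.subjects.append(f"depth={depth}, {subject}")
        else:
            current.verify_script_ok += 1
    if current.verify_ok or current.verify_script_ok:
        handshakes.append(current)
    return handshakes


def mismatched_rounds(server_lines: Iterable[str], client_lines: Iterable[str]) -> List[str]:
    """Pair handshakes in order and report where the two sides logged a different
    number of VERIFY OK rounds (the asymmetry the thread describes)."""
    server, client = verify_rounds(server_lines), verify_rounds(client_lines)
    issues: List[str] = []
    if len(server) != len(client):
        issues.append(f"handshake count differs: server={len(server)} client={len(client)}")
    for i, (hs, hc) in enumerate(zip(server, client)):
        if hs.verify_ok != hc.verify_ok:
            issues.append(f"handshake {i}: server VERIFY OK x{hs.verify_ok}, client VERIFY OK x{hc.verify_ok}")
    return issues


# Sample input copied from the logs quoted in this thread.
SERVER_RENEG_LOG = [
    "2021-05-16 10:05:52 us=351436 arch/10.10.201.226:36798 TLS: soft reset sec=3517/3517 bytes=4666/-1 pkts=118/0",
    "Ignoring unknown option: CN",
    "<EXOK> * EasyTLS-verify ==> Recognised Client cert serial",
    "2021-05-16 10:05:52 us=381536 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch",
    "2021-05-16 10:05:52 us=381629 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch",
    "Ignoring unknown option: CN",
    "<EXOK> * EasyTLS-verify ==> Recognised Client cert serial",
    "2021-05-16 10:05:52 us=388179 arch/10.10.201.226:36798 VERIFY SCRIPT OK: depth=0, CN=arch",
    "2021-05-16 10:05:52 us=388260 arch/10.10.201.226:36798 VERIFY OK: depth=0, CN=arch",
    "2021-05-16 10:05:52 us=388972 arch/10.10.201.226:36798 peer info: IV_VER=2.6_git",
]
CLIENT_RENEG_LOG = [
    "2021-05-16 10:05:52 us=286687 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-16 10:05:52 us=290195 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-16 10:05:52 us=291238 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-16 10:05:52 us=312385 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'",
]
CLIENT_TLS_CRYPT_V2_LOG = [
    "2021-05-19 20:59:43 us=349608 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=9166d66f fac63d82",
    "2021-05-19 20:59:43 us=362301 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-19 20:59:43 us=363091 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-19 20:59:43 us=364036 VERIFY OK: depth=0, CN=wiscii",
    "2021-05-19 20:59:43 us=422371 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'",
]

if __name__ == "__main__":
    for hs in verify_rounds(CLIENT_TLS_CRYPT_V2_LOG):
        print(f"{hs.start[:60]}...: VERIFY OK x{hs.verify_ok}")
    for issue in mismatched_rounds(SERVER_RENEG_LOG, CLIENT_RENEG_LOG):
        print(issue)
```

Feed each side's full log (`openvpn --log` output at verb 4) through `verify_rounds` and compare the results with `mismatched_rounds`; on the logs quoted above it reports the 2-versus-3 asymmetry the reporter saw. A mismatch is only a pointer to where to look, not a verdict on why the extra callback round happens.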
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users