Date: Tue, 15 Sep 2015 00:21:31 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 203111] OpenVPN TLS handshake fails on any freebsd box, even new
Message-ID: <bug-203111-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203111

            Bug ID: 203111
           Summary: OpenVPN TLS handshake fails on any freebsd box, even new
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: brads@nyctelecomm.com

I am trying to configure a new VPN server but the TLS handshake fails. I
worked with #openvpn for some time and we narrowed it down to a failure at
the server, but what exactly, no one has a clue. All firewalls are
completely down for both server and client, and the testing client 'can'
connect to OpenBook free OpenVPN servers just fine. Just not my own that are
hosted on FreeBSD.

I jumped on a second brand-new FreeBSD server and applied the config: same
error. Someone sent me a working config from one of their non-FreeBSD
servers: same error. Whatever it is, it appears to be very FreeBSD-specific.

server config:

[\u@vader:/usr/local/etc] # cat openvpn/openvpn.conf
local 108.61.175.20
mode server
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /usr/local/etc/easy-rsa/keys/ca.crt
cert /usr/local/etc/easy-rsa/keys/serverP.crt
key /usr/local/etc/easy-rsa/keys/serverP.key
dh /usr/local/etc/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.2"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-server
tls-timeout 120
tls-auth /usr/local/etc/openvpn/ta.key 0 # This file is secret
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth SHA256
;remote-cert-tls server
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 9
;mute 20

client config:

client
dev tun0
dev-type tun
proto udp
remote 108.61.175.20 1194
resolv-retry infinite
remote-cert-tls server
tls-auth C:\\Program\ Files\\OpenVPN\\config\\ta.key 1
tls-client
auth SHA256
dev-node {D1F4080E-CD73-4F64-9213-CBF0FB3C3D71}
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
;cipher AES-128-CBC
;route-delay 2
;redirect-gateway
inactive 3600
comp-lzo
ca [inline]
cert [inline]
key [inline]
<ca>
-----BEGIN CERTIFICATE-----
MIIE7jCCA9agAwIBAgIJAMDi1PIJghxnMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCEJyb29rbHluMRQwEgYDVQQK
EwtOWUNUZWxlY29tbTEUMBIGA1UECxMLTllDVGVsZWNvbW0xFzAVBgNVBAMTDk5Z
Q1RlbGVjb21tIENBMRAwDgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcNAQkBFhVh
ZG1pbkBueWN0ZWxlY29tbS5jb20wHhcNMTUwOTE0MTEyNDU0WhcNMjUwOTExMTEy
NDU0WjCBqjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhCcm9v
a2x5bjEUMBIGA1UEChMLTllDVGVsZWNvbW0xFDASBgNVBAsTC05ZQ1RlbGVjb21t
MRcwFQYDVQQDEw5OWUNUZWxlY29tbSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIG
CSqGSIb3DQEJARYVYWRtaW5AbnljdGVsZWNvbW0uY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA4UdREqvqO4SShs54q/m6hHxcm2Bc5jONAtk2I64p
vbDbFmkpyLpibPI+rENgi4o1jfvQJJECpsU8ycvVJ2dPb2k0OmWldmxjHO2GuIc2
LzhqbnycPH2zW1NOO1XmwxIi4USJBvUewHkxclefVh9VFzFxel37RV7rdeeizaeR
3T7udjCP2887RSh5ZQ/TG7P1GbEEeiD56kwM/NVOoUZonxGTaK8JulYZAEAAjmYk
7kzl98GL/RgqE3SKqyXtHSl5GWcSnGHIBoypRt0CALS4t/qQ2Dyr1SW2PJeFkOaP
ddEwjK/We8NiyDamLpahAq9Cj6ZRN+D2rr89z9MQXOH5DQIDAQABo4IBEzCCAQ8w
HQYDVR0OBBYEFCdr+IAjZA59H9EegFpZa5wwniR9MIHfBgNVHSMEgdcwgdSAFCdr
+IAjZA59H9EegFpZa5wwniR9oYGwpIGtMIGqMQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCTlkxETAPBgNVBAcTCEJyb29rbHluMRQwEgYDVQQKEwtOWUNUZWxlY29tbTEU
MBIGA1UECxMLTllDVGVsZWNvbW0xFzAVBgNVBAMTDk5ZQ1RlbGVjb21tIENBMRAw
DgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcNAQkBFhVhZG1pbkBueWN0ZWxlY29t
bS5jb22CCQDA4tTyCYIcZzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQBMtUC9Q5u6o9IyOayC3v+pIhmZncYGrxk03G6Odf3mU2ZeyCYja2qTlQOPB22V
XQEJ856KiOqOj0yyTyBJSG6UvpjD5iixf85WE/vBENOSDfzjhydmy8BgLWcRe0Dx
cFbEYv+qZr456s2W8Dt7+AI8VJauEQ5SPhf2WUK4XSH+7lLq2CDLN1qAHblyNks0
dxGaStTe38Pxb6FD0UpjFhSgoJqNZKuGjp5eeWdo0pAWu6T7QQ/9c/RYuTaz5/Kt
RSFUrJ/t0cYVz5sxUVR4KNR26QbVAI5J42n/BL00K5+xB5bP9yGUb5MzwRgFX2nI
J94Euf1q8OXN+kYa53Ca3W/J
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin@nyctelecomm.com
        Validity
            Not Before: Sep 14 11:26:00 2015 GMT
            Not After : Sep 11 11:26:00 2025 GMT
        Subject: C=US, ST=NY, L=Brooklyn, O=NYCTelecomm, OU=NYCTelecomm, CN=client1P/name=EasyRSA/emailAddress=admin@nyctelecomm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b2:6f:5d:dc:14:b6:72:d1:80:42:34:4d:14:7d:
                    14:b0:c6:da:50:e0:e8:7f:bd:b4:28:b2:98:33:9f:
                    cd:d0:c1:a9:7c:6f:31:d5:17:cd:18:cf:50:d1:eb:
                    ef:ea:9b:c9:54:0d:03:c2:78:3f:2d:66:8b:a5:1b:
                    ba:39:28:f1:a8:9e:e6:0a:de:56:bc:c0:1a:ab:71:
                    92:ed:77:2d:6f:5d:1e:13:13:60:2a:08:94:76:49:
                    d0:b0:f7:a8:3c:6e:f0:a3:4a:95:25:0a:15:f4:63:
                    87:64:5d:70:0d:a3:89:08:f8:e1:88:72:d4:7c:6b:
                    b7:cb:68:55:ed:bb:23:73:f2:54:9c:7c:03:7f:c5:
                    24:20:ba:d2:de:eb:9f:e7:2c:6c:45:e6:09:f9:af:
                    6d:b5:e3:9d:6f:a5:37:7e:f7:f6:c3:d8:fc:91:dd:
                    7e:0c:c1:10:23:44:23:1c:6a:ee:05:cd:bd:6a:d4:
                    14:3e:71:f4:40:12:85:0d:6f:33:09:21:35:ba:26:
                    42:c1:f0:89:dd:1e:83:4e:e4:31:73:e3:1b:7b:68:
                    af:6d:5f:fd:a0:5f:64:24:6b:51:19:bd:ca:60:47:
                    f2:0f:a6:f5:3e:9d:94:90:f1:83:5a:21:02:8e:eb:
                    ee:45:8e:93:f0:cc:c2:da:6c:32:51:30:98:b3:0c:
                    5d:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                3D:94:5E:09:B3:6F:E0:EF:B0:3D:3E:40:4D:AD:2F:DC:3C:52:86:90
            X509v3 Authority Key Identifier:
                keyid:27:6B:F8:80:23:64:0E:7D:1F:D1:1E:80:5A:59:6B:9C:30:9E:24:7D
                DirName:/C=US/ST=NY/L=Brooklyn/O=NYCTelecomm/OU=NYCTelecomm/CN=NYCTelecomm CA/name=EasyRSA/emailAddress=admin@nyctelecomm.com
                serial:C0:E2:D4:F2:09:82:1C:67
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         dd:15:70:12:67:c6:88:fa:c6:f6:01:16:54:df:c7:e1:ee:74:
         ee:00:75:11:fc:70:76:16:90:54:5a:1b:4f:8e:69:c5:c3:44:
         7f:79:9b:9f:98:01:71:2a:ec:59:15:3f:3d:27:b9:9d:0f:ce:
         cc:d1:05:1b:a1:f7:30:f3:e9:cc:37:bb:93:48:e7:14:ce:37:
         03:ee:c5:d8:cd:bb:ef:b2:b9:f3:94:a6:7b:23:49:16:c7:8f:
         73:ef:85:f9:8a:d5:98:24:bf:af:33:f0:19:4c:0c:a7:44:3b:
         c2:b8:43:10:d9:9a:65:6c:7c:50:00:9a:e3:69:21:d6:23:e0:
         66:80:a1:18:50:ef:58:a5:49:90:fc:27:41:f7:4a:39:c4:0b:
         5b:a4:8f:b6:d3:a1:6c:69:56:d9:13:96:0a:2a:32:48:fd:24:
         9c:94:20:5b:74:d6:54:b6:18:ea:f1:6c:bc:ee:bf:f8:86:ac:
         52:17:74:19:ce:f6:ae:ce:4d:84:a1:4f:99:06:ad:e7:29:a3:
         09:96:e7:e7:81:3f:7f:59:2a:83:bb:f1:0b:a5:d5:0b:36:86:
         4b:4d:d8:0c:67:1a:2a:5c:d1:a4:a1:4f:30:4f:c6:7b:7d:87:
         39:f3:93:05:5e:69:24:e8:81:e0:18:82:9e:7c:18:9d:6d:10:
         01:7a:08:e3
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhCcm9va2x5bjEUMBIGA1UEChMLTllDVGVs
ZWNvbW0xFDASBgNVBAsTC05ZQ1RlbGVjb21tMRcwFQYDVQQDEw5OWUNUZWxlY29t
bSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIGCSqGSIb3DQEJARYVYWRtaW5Abnlj
dGVsZWNvbW0uY29tMB4XDTE1MDkxNDExMjYwMFoXDTI1MDkxMTExMjYwMFowgaQx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMIQnJvb2tseW4xFDAS
BgNVBAoTC05ZQ1RlbGVjb21tMRQwEgYDVQQLEwtOWUNUZWxlY29tbTERMA8GA1UE
AxMIY2xpZW50MVAxEDAOBgNVBCkTB0Vhc3lSU0ExJDAiBgkqhkiG9w0BCQEWFWFk
bWluQG55Y3RlbGVjb21tLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALJvXdwUtnLRgEI0TRR9FLDG2lDg6H+9tCiymDOfzdDBqXxvMdUXzRjPUNHr
7+qbyVQNA8J4Py1mi6Ubujko8aie5greVrzAGqtxku13LW9dHhMTYCoIlHZJ0LD3
qDxu8KNKlSUKFfRjh2RdcA2jiQj44Yhy1Hxrt8toVe27I3PyVJx8A3/FJCC60t7r
n+csbEXmCfmvbbXjnW+lN3739sPY/JHdfgzBECNEIxxq7gXNvWrUFD5x9EAShQ1v
MwkhNbomQsHwid0eg07kMXPjG3tor21f/aBfZCRrURm9ymBH8g+m9T6dlJDxg1oh
Ao7r7kWOk/DMwtpsMlEwmLMMXdkCAwEAAaOCAWEwggFdMAkGA1UdEwQCMAAwLQYJ
YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUPZReCbNv4O+wPT5ATa0v3DxShpAwgd8GA1UdIwSB1zCB1IAUJ2v4gCNk
Dn0f0R6AWllrnDCeJH2hgbCkga0wgaoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJO
WTERMA8GA1UEBxMIQnJvb2tseW4xFDASBgNVBAoTC05ZQ1RlbGVjb21tMRQwEgYD
VQQLEwtOWUNUZWxlY29tbTEXMBUGA1UEAxMOTllDVGVsZWNvbW0gQ0ExEDAOBgNV
BCkTB0Vhc3lSU0ExJDAiBgkqhkiG9w0BCQEWFWFkbWluQG55Y3RlbGVjb21tLmNv
bYIJAMDi1PIJghxnMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAN
BgkqhkiG9w0BAQsFAAOCAQEA3RVwEmfGiPrG9gEWVN/H4e507gB1EfxwdhaQVFob
T45pxcNEf3mbn5gBcSrsWRU/PSe5nQ/OzNEFG6H3MPPpzDe7k0jnFM43A+7F2M27
77K585SmeyNJFsePc++F+YrVmCS/rzPwGUwMp0Q7wrhDENmaZWx8UACa42kh1iPg
ZoChGFDvWKVJkPwnQfdKOcQLW6SPttOhbGlW2ROWCioySP0knJQgW3TWVLYY6vFs
vO6/+IasUhd0Gc72rs5NhKFPmQat5ymjCZbn54E/f1kqg7vxC6XVCzaGS03YDGca
KlzRpKFPME/Ge32HOfOTBV5pJOiB4BiCnnwYnW0QAXoI4w==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
mmmmmyyyyy ppppprrrriiiivvvaaatttteeee kkkkeeeeyyyy yyyyyooouuuurrrr nnnnooootttt ssuuuuppppoossseeeddd tttttooo ssseeeeee
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
86ba44e5a40fb955687e62db59b7c747
6f71fc10c8a72eec1be7f4785d7700ee
cd88530490853a441666dcf1423d52c2
b22ff5d7f9abc4cfad581e8c4e5537da
3fd2d20901e5388efb7c4c9898ae1b42
3a74dcfb77352bd2d711a01d1d8e8382
ebc267eaec22ae0c027bd0f25ae6f0a6
b66a514c96078fc8f4437e98b778b202
9fbc3cda8325130570959bb729cdf325
307df71569aa4a1ef91a9c15ed2dc67f
c0491568e0c20f1e64b79f774fef764f
b9f56aa05b69f21cd2b5bc343c6ab645
8e4dd75a122c5418c3f005440f6de858
0dba19cc250a8f6da7c1302c8944f2b6
4b909dce9b8bf4721272e93f50573f4d
97517e2ec05d227a6a73f81292d866ce
-----END OpenVPN Static key V1-----
</tls-auth>

output from client:

PS C:\Program Files\OpenVPN\config> openvpn --config .\client1r.ovpn
Mon Sep 14 10:44:05 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Mon Sep 14 10:44:05 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Mon Sep 14 10:44:06 2015 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 14 10:44:06 2015 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Sep 14 10:44:06 2015 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Sep 14 10:44:06 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 14 10:44:06 2015 UDPv4 link local: [undef]
Mon Sep 14 10:44:06 2015 UDPv4 link remote: [AF_INET]108.61.175.20:1194
Mon Sep 14 10:45:06 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 14 10:45:06 2015 TLS Error: TLS handshake failed
Mon Sep 14 10:45:06 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 14 10:45:06 2015 Restart pause, 2 second(s)
Mon Sep 14 10:45:08 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 14 10:45:08 2015 UDPv4 link local: [undef]
Mon Sep 14 10:45:08 2015 UDPv4 link remote: [AF_INET]108.61.175.20:1194
Mon Sep 14 10:46:08 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Oddly, the Win10 testing client has 2 really weird errors that are probably
not related but are worth mentioning. A packet capture from the client looks
pretty unhealthy: http://i.imgur.com/N45bHtv.png

And if I change the inline keys to files, I get a 'file does not exist'
error for the client.crt and the client.key, even if I put them in c:\

We were beating the client up until a couple of people tried the server and
found that it wasn't properly responding. All systems have been properly
updated.
-- 
You are receiving this mail because:
You are the assignee for the bug.