Re: [Openvpn-users] tls-verify does not work


  • Subject: Re: [Openvpn-users] tls-verify does not work
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Thu, 5 Aug 2004 05:30:14 -0000

Vladimir Ilic <vladojko@xxxxxxxxx> said:

> Hello,
> 
> In OpenVPN 2.0 beta8 and beta9, the --tls-verify command does not seem to work 
> properly. I made a small script, and no matter what it returns, 0 or 1 or 
> nothing or something else, my client is allowed to authenticate to the server 
> if it presents a valid certificate.
> 
> On the other hand, the --tls-remote config option works fine...
> 
> Did anyone else notice such behaviour?

--tls-verify works fine for me on beta10.  Try this simple loopback test,
based on the test described in the INSTALL file (this test can be performed by
running both server and client commands simultaneously from two shell prompts
on the same machine).  Note that we take advantage of the 'false' shell
command to pass a 0 to tls-verify.

SERVER SIDE
-----------

evo:~/openvpn/exp/openvpn # ./openvpn --config sample-config-files/loopback-server --tls-verify false
Thu Aug  5 00:19:31 2004 OpenVPN 2.0_beta10 i686-suse-linux [SSL] [LZO] [EPOLL] built on Aug  2 2004
Thu Aug  5 00:19:31 2004 Diffie-Hellman initialized with 1024 bit key
Thu Aug  5 00:19:31 2004 WARNING: file 'sample-keys/server.key' is group or others accessible
Thu Aug  5 00:19:31 2004 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Aug  5 00:19:31 2004 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:0 ET:0 EL:0 ]
Thu Aug  5 00:19:31 2004 Local Options hash (VER=V4): '0b2b92a2'
Thu Aug  5 00:19:31 2004 Expected Remote Options hash (VER=V4): '914df5fc'
Thu Aug  5 00:19:31 2004 UDPv4 link local (bound): 127.0.0.1:16000
Thu Aug  5 00:19:31 2004 UDPv4 link remote: 127.0.0.1:16001
Thu Aug  5 00:19:31 2004 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu Aug  5 00:19:34 2004 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu Aug  5 00:19:34 2004 TLS: Initial packet from 127.0.0.1:16001, sid=24d4c7a5 57ecd7ff
Thu Aug  5 00:19:34 2004 VERIFY SCRIPT ERROR: depth=1, /C=US/ST=CO/L=Denver/O=NTLP/CN=Test-CA/emailAddress=jim@xxxxxxxx
Thu Aug  5 00:19:34 2004 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Aug  5 00:19:34 2004 TLS Error: TLS object -> incoming plaintext read error
Thu Aug  5 00:19:34 2004 TLS Error: TLS handshake failed

CLIENT SIDE
-----------

evo:~/openvpn/exp/openvpn # ./openvpn --config sample-config-files/loopback-client
Thu Aug  5 00:19:34 2004 OpenVPN 2.0_beta10 i686-suse-linux [SSL] [LZO] [EPOLL] built on Aug  2 2004
Thu Aug  5 00:19:34 2004 WARNING: file 'sample-keys/client.key' is group or others accessible
Thu Aug  5 00:19:34 2004 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Aug  5 00:19:34 2004 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:0 ET:0 EL:0 ]
Thu Aug  5 00:19:34 2004 Local Options hash (VER=V4): '914df5fc'
Thu Aug  5 00:19:34 2004 Expected Remote Options hash (VER=V4): '0b2b92a2'
Thu Aug  5 00:19:34 2004 UDPv4 link local (bound): 127.0.0.1:16001
Thu Aug  5 00:19:34 2004 UDPv4 link remote: 127.0.0.1:16000
Thu Aug  5 00:19:34 2004 TLS: Initial packet from 127.0.0.1:16000, sid=4266a8c6 774097db
Thu Aug  5 00:19:34 2004 VERIFY OK: depth=1, /C=US/ST=CO/L=Denver/O=NTLP/CN=Test-CA/emailAddress=jim@xxxxxxxx
Thu Aug  5 00:19:34 2004 VERIFY OK: depth=0, /C=US/ST=CO/O=NTLP/CN=Test-Server/emailAddress=jim@xxxxxxxx
[doesn't authenticate]

Now change "--tls-verify false" to "--tls-verify true" and both sides
authenticate.

James
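The loopback test above only shows the two extremes (always reject, always accept). Below is an added example, not from this thread or from the OpenVPN project, of a real --tls-verify script: OpenVPN runs it once per certificate in the chain with the depth and the X509 subject as its two arguments, and a non-zero exit status rejects the certificate exactly as "false" did above. The allowlist and the CN "Test-Client" are constructed for the example; the subject format assumed is the slash-separated one shown in the log lines above.

```shell
#!/bin/sh
# Example --tls-verify script (added illustration, not OpenVPN project code).
# OpenVPN invokes it as:  script DEPTH SUBJECT
#   $1 = certificate depth (0 = the peer's own certificate, 1 = its issuer, ...)
#   $2 = X509 subject, e.g. /C=US/ST=CO/O=NTLP/CN=Test-Server/emailAddress=...
# Exit 0 accepts that certificate; any non-zero exit rejects it and the TLS
# handshake fails with "VERIFY SCRIPT ERROR", as seen in the server log above.

# Constructed allowlist of client CNs permitted to connect, one per line.
ALLOWED_CNS="Test-Client
laptop-alice"

# verify_cert DEPTH SUBJECT -> exit status 0 (accept) or 1 (reject)
verify_cert() {
    depth=$1
    subject=$2
    # Issuer certificates (depth > 0) are already validated against --ca by
    # OpenVPN's normal chain check; this script only gates the leaf (depth 0).
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    # Pull the CN component out of the slash-separated subject string.
    cn=$(printf '%s\n' "$subject" | sed -n 's|.*/CN=\([^/]*\).*|\1|p')
    # Fail closed: a subject with no CN is never accepted.
    if [ -z "$cn" ]; then
        return 1
    fi
    # Exact, whole-line, fixed-string match so "Test-Client-extra" is rejected.
    printf '%s\n' "$ALLOWED_CNS" | grep -qxF -- "$cn"
}

# OpenVPN always passes exactly two arguments; with any other argument count
# (e.g. when this file is sourced for testing) only the function is defined.
if [ "$#" -eq 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

Install it with "--tls-verify /path/to/script" on the server side and the client's certificate must both chain to --ca and carry a listed CN before the tunnel comes up.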


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users