A number of people were bitten by this over the years and I still don't have a cut&paste fix for this. ;-) For openvpn, you need to generate server and client certificates. That means in the questionnaire given to you by openssl you have to set the field commonName to the "server" or "client" values (it seems "client1", etc. is also accepted). There is a wrapper to do that for users, called easy-rsa/build-key. The problem is the certificates it generates for you are refused by openvpn on the client itself:

May 17 04:01:17 vrapenec openvpn[26086]: VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=CZ/ST=CZ/L=Prague/O=Org__Dept/CN=client/emailAddress=me@foo.bar
May 17 04:01:17 vrapenec openvpn[26086]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 17 04:01:17 vrapenec openvpn[26086]: TLS Error: TLS object -> incoming plaintext read error
May 17 04:01:17 vrapenec openvpn[26086]: TLS Error: TLS handshake failed
May 17 04:01:17 vrapenec openvpn[26086]: Fatal TLS error (check_tls_errors_co), restarting

In principle the certificate is correct:

# openssl verify -CAfile keys/ca.crt -purpose sslclient keys/client.crt
keys/client.crt: OK
#

However, a number of people realized that some sections of it are wrong, or erroneously included.
http://www.openldap.org/lists/openldap-software/200704/msg00278.html
http://gozer.ectoplasm.org/blog/archive/2007/07/openvpn-verify.html

# openssl x509 -in keys/client.crt -text -noout
[cut]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                C7:8F:FE:CE:EF:B2:1D:8C:E4:36:0F:14:4E:1C:2C:7F:40:68:B5:01
            X509v3 Authority Key Identifier:
                keyid:17:88:53:F2:AA:60:86:9F:3C:5C:6F:C5:53:64:08:59:FE:38:92:8E
                DirName:/C=CZ/ST=CZ/L=Prague/O=Org, Dept/OU=blah/CN=OpenVPN-CA/emailAddress=me@foo.bar
                serial:F6:14:52:AA:3E:DA:85:E8
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature

Now the question is: what is broken in the easy-rsa scripts, or what changed in openssl or openvpn so that it is too strict or that it includes something wrong?

I played a bit more with the template openssl.conf file. Another, a bit more informative message I got was:

May 17 14:33:20 vrapenec openvpn[21477]: Validating certificate key usage
May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage 0080, expects 00a0
May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage 0080, expects 0088
May 17 14:33:20 vrapenec openvpn[21477]: VERIFY KU ERROR
May 17 14:33:20 vrapenec openvpn[21477]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 17 14:33:20 vrapenec openvpn[21477]: TLS Error: TLS object -> incoming plaintext read error
May 17 14:33:20 vrapenec openvpn[21477]: TLS Error: TLS handshake failed

Finally, I got it right:

May 17 14:39:21 vrapenec openvpn[21675]: Validating certificate key usage
May 17 14:39:21 vrapenec openvpn[21675]: ++ Certificate has key usage 00a0, expects 00a0
May 17 14:39:21 vrapenec openvpn[21675]: VERIFY KU OK
May 17 14:39:21 vrapenec openvpn[21675]: Validating certificate extended key usage
May 17 14:39:21 vrapenec openvpn[21675]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
May 17 14:39:21 vrapenec openvpn[21675]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
May 17 14:39:21 vrapenec openvpn[21675]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 17 14:39:21 vrapenec openvpn[21675]: VERIFY EKU OK
May 17 14:39:21 vrapenec openvpn[21675]: VERIFY OK: depth=0, /C=CZ/L=Prague/O=Org__Dept/CN=client/emailAddress=me@foo.bar

--- /usr/share/openvpn/easy-rsa/openssl.cnf 2010-05-17 06:50:24.000000000 +0200 +++ openssl.cnf 2010-05-17 14:36:05.000000000 +0200 @@ -193,8 +193,9 @@ # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=clientAuth -keyUsage = digitalSignature +extendedKeyUsage=clientAuth,serverAuth +#extendedKeyUsage=clientAuth,serverAuth,ipsecUser,ipsecTunnel,ipsecEndSystem +keyUsage = digitalSignature, keyEncipherment # This stuff is for subjectAltName and issuerAltname. # Import the email address.
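Review bot: adding serverAuth to this shared extension section means every certificate issued from it, client certificates included, satisfies a peer's "TLS Web Server Authentication" EKU check, so a client certificate could be presented in place of the server's and pass the verification shown in the log; the failures above come from the server-side certificate (SSL3_GET_SERVER_CERTIFICATE) carrying only clientAuth and digitalSignature, which points to the server certificate having been issued with the client template instead of easy-rsa's server section (build-key-server, which sets serverAuth and keyEncipherment for that certificate only), so the fix belongs there rather than in the client template. The commented-out `+#extendedKeyUsage=clientAuth,serverAuth,ipsecUser,ipsecTunnel,ipsecEndSystem` line is dead configuration and should be dropped from the patch.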
Created attachment 234549 [details, diff] openssl.cf

Originally I had this patch, but if I remember right the one posted in the initial posting was sufficient. However, this might give you some clues about what I tried to do.
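To make sense of the 0080 / 00a0 / 0088 values in the key-usage log lines above, here is an added example (not code from OpenVPN, easy-rsa or the reporter) that decodes those masks with OpenSSL's KeyUsage bit layout and evaluates them; it assumes the check passes when the certificate carries every bit of at least one expected mask, and embeds the report's log lines as constructed sample input.

```python
import re

# OpenSSL's KeyUsage bit layout (KU_* constants): bit 0 of the BIT STRING
# is the most significant bit of the low byte, decipherOnly lives in the high byte.
KU_BITS = {
    0x0080: "digitalSignature",
    0x0040: "nonRepudiation",
    0x0020: "keyEncipherment",
    0x0010: "dataEncipherment",
    0x0008: "keyAgreement",
    0x0004: "keyCertSign",
    0x0002: "cRLSign",
    0x0001: "encipherOnly",
    0x8000: "decipherOnly",
}

# The two 'expects' values from the log: RSA key transport
# (digitalSignature|keyEncipherment) or (EC)DH key agreement
# (digitalSignature|keyAgreement). Assumption: any one match is enough.
SERVER_KU_ALTERNATIVES = (0x00A0, 0x0088)

LOG_RE = re.compile(r"Certificate has key usage ([0-9a-fA-F]{4}), expects ([0-9a-fA-F]{4})")

# Constructed sample: the '++' lines quoted in the bug report.
SAMPLE_LOG = [
    "May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage 0080, expects 00a0",
    "May 17 14:33:20 vrapenec openvpn[21477]: ++ Certificate has key usage 0080, expects 0088",
    "May 17 14:39:21 vrapenec openvpn[21675]: ++ Certificate has key usage 00a0, expects 00a0",
]

def decode_ku(mask):
    """Names of the KeyUsage bits set in mask, most significant first."""
    return [name for bit, name in sorted(KU_BITS.items(), reverse=True) if mask & bit]

def missing_ku(have, expected):
    """Bits the expected mask requires that the certificate does not carry."""
    return decode_ku(expected & ~have)

def ku_satisfies(have, alternatives=SERVER_KU_ALTERNATIVES):
    """True if the certificate carries all bits of at least one alternative."""
    return any((have & exp) == exp for exp in alternatives)

def explain_log(lines):
    """Turn '++ Certificate has key usage X, expects Y' lines into findings."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        have, exp = int(m.group(1), 16), int(m.group(2), 16)
        findings.append({"have": decode_ku(have), "expects": decode_ku(exp),
                         "missing": missing_ku(have, exp), "ok": (have & exp) == exp})
    return findings
```

Running `explain_log(SAMPLE_LOG)` shows the first certificate lacks keyEncipherment (and, for the second alternative, keyAgreement), which is exactly what the patched `keyUsage = digitalSignature, keyEncipherment` line supplies.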
This was apparently discussed on the openvpn mailing lists, where a similar patch was rejected, so we'll definitely not put this in gentoo. http://thread.gmane.org/gmane.network.openvpn.devel/3703
The thread is not complete for some reason. Here is the one with recent follow-up: http://sourceforge.net/mailarchive/forum.php?thread_name=4C74C387.2090609%40ribosome.natur.cuni.cz&forum_name=openvpn-devel I used keys generated for me by one of the developers and the keys could not be used on my Gentoo boxes.
You can fight this out with the current easyrsa developers (it has been split out of OpenVPN), I really don't want to take any changes on our side.