Windows – openssl verify error 7 at 1 depth lookup:certificate signature failure

openssl, ssl-certificate, vpn, windows

I have installed OpenVPN server on CentOS. I have two clients: the first under CentOS (all works), and I am trying to connect a Windows client now.

I generated the client's certificates with the build-key utility.

If I check it on the server's side, all seems to be OK:

# openssl verify -CAfile /etc/openvpn/clients/setevoy/ca.crt /etc/openvpn/clients/setevoy/setevoy.crt
/etc/openvpn/clients/setevoy/setevoy.crt: OK

But when I check the same certificates under Windows, I get an error:

$ openssl verify -CAfile ca.crt setevoy.crt
setevoy.crt: /C=UA/ST=CA/L=Kiev/O=Fort-Funston/OU=MyOrganizationalUnit/CN=venti.setevoy.org.ua/name=openvpn_root/emailAddress=root@setevoy.org.ua
error 7 at 1 depth lookup:certificate signature failure

The files seem to be identical on the server (from where I copied them) and on the Windows client (where they are placed in c/Program Files (x86)/OpenVPN/config):

# md5sum /etc/openvpn/clients/setevoy/ca.crt
53984cf44daffb708cdb937fa3d30438  /etc/openvpn/clients/setevoy/ca.crt

$ md5sum ca.crt
53984cf44daffb708cdb937fa3d30438 *ca.crt

# md5sum /etc/openvpn/clients/setevoy/setevoy.crt
c818d312e58db514a9a2afae4c687241  /etc/openvpn/clients/setevoy/setevoy.crt

$ md5sum setevoy.crt
c818d312e58db514a9a2afae4c687241 *setevoy.crt

I assume something is wrong with the Windows OpenSSL mechanism… or a similar issue:

$ head setevoy.crt | grep Signature
    Signature Algorithm: sha256WithRSAEncryption

Then, when I try to start OpenVPN GUI, I get an error:

Wed Dec 17 11:44:25 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 17 11:44:25 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 17 11:44:25 2014 TLS Error: TLS handshake failed

UPD

On server:

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

and on Windows client:

$ openssl.exe version
OpenSSL 0.9.7l 28 Sep 2006

UPD 2

I upgraded OpenSSL for OpenVPN GUI; now it's 1.0.1, and verify works:

$ ../bin/openssl.exe version
OpenSSL 1.0.1j 15 Oct 2014

$ ../bin/openssl.exe verify -CAfile ca.crt setevoy.crt
setevoy.crt: OK

But I still can't connect, with the same error in the log.

I also installed a new CentOS server, just for testing, and an OpenVPN client there; all works. The problem is with the Windows client only.

Best Answer

OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible and thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.

"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.

How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for cert signing (it could be in a CONF file or on the command line, and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to a specific version or download, I can take a look.

PS- it might help if you tag openvpn specifically instead of vpn.
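The check behind this answer is "which hash does the certificate's signature use, and can the client's OpenSSL build handle it". The question did that with `head setevoy.crt | grep Signature`, which only works because easy-rsa writes a text dump above the PEM block. Below is an added example, not code from the question, the answer, OpenVPN or easy-rsa: a stdlib-only Python reader that pulls the outer `signatureAlgorithm` OID straight out of the DER inside the PEM and maps it to its name, plus a small encoder that builds constructed, certificate-shaped sample input (a placeholder `tbsCertificate` and a zero signature, not a real signed cert) so the script runs offline. The OID table, the `SHA2_FAMILY` list and the `verifiable_by_openssl_097` helper name are this example's own assumptions, based on the answer's statement that SHA-2 verification needs at least 0.9.8.

```python
import base64
import re

# Signature-algorithm OIDs a VPN PKI is likely to use (table constructed for
# this example from the PKCS#1 and ECDSA OID arcs).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# Hash names that a 0.9.7-era OpenSSL cannot verify (assumption taken from
# the answer: SHA-2 signature support needs at least 0.9.8).
SHA2_FAMILY = ("sha256", "sha384", "sha512", "SHA256", "SHA384", "SHA512")


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE PEM block, ignoring any text dump around it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)  # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALG_NAMES.get(oid, oid)


def verifiable_by_openssl_097(sig_name):
    """True if an OpenSSL 0.9.7 client could verify a signature using this hash."""
    return not any(h in sig_name for h in SHA2_FAMILY)


# --- constructed sample input (DER encoder), so the example runs offline ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert_pem(sig_oid):
    """Build a certificate-shaped DER (placeholder body, zero signature) in PEM."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))  # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    sig = _tlv(0x03, b"\x00" + b"\x00" * 256)  # BIT STRING, 2048-bit placeholder
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        _, name = signature_algorithm(pem_to_der(make_sample_cert_pem(oid)))
        print(name, "-> verifiable by 0.9.7:", verifiable_by_openssl_097(name))
```

To run it against a real file, pass the contents of the client or CA certificate to `signature_algorithm(pem_to_der(open("setevoy.crt").read()))`; `pem_to_der` locates the PEM block itself, so easy-rsa's text dump above it does no harm. A `sha256WithRSAEncryption` result on either certificate in the chain is exactly the condition the answer describes for a 0.9.7 client, and the fix is on the client side (newer OpenSSL) rather than in the files themselves, which is consistent with the identical md5sums in the question.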