
OpenVPN client cert generate problem

Help
wlaszi
2010-12-31
2013-03-09
  • wlaszi
    2010-12-31

    Hi!

    I can't connect to my VPN server with the XCA-generated cert files…
    My server log says:
    Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx:57038 TLS_ERROR: BIO read tls_read_plaintext error: error:0D11A0A2:asn1 encoding routines:ASN1_mbstring_copy:unknown format
    Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx::57038 TLS Error: TLS object -> incoming plaintext read error
    Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx::57038 TLS Error: TLS handshake failed

    I tried to use my "easy-rsa certs" template, reusing their key and CSR, but I always get the same error.
    I tried importing and exporting to file my easy-rsa-created certs, and they work properly, so it cannot be an export problem…
    As far as I can compare the contents of the certs (XCA vs EasyRSA) there is no difference…but somehow the result is not the same :(
    The XCA-generated server certs work fine…just the client certs have problems.

    Any ideas how to solve this?

  • The message "ASN1_mbstring_copy:unknown format" indicates a problematic string type.

    If you look at the details of the 2 certificates in XCA, hover your mouse over the subject-name entries.
    The tooltip shows the string type, like UTF8STRING or PRINTABLESTRING.

    Can you see differences between the easy-rsa and XCA certs there?

  • wlaszi
    2011-01-02

    Thank you Chris!

    The string type was different: the openssl.cnf string_mask was set to nombstr…but the XCA default string type is UTF8… if I set it to T61, for example, the self-generated certs work…great! :)

  • Do you have an idea why the UTF8 strings do not work on the client side?
    What versions of OpenVPN and OpenSSL does the client have, and what OS is it running on?

  • wlaszi
    2011-01-02

    In openssl.cnf the parameter "string_mask = nombstr" is the default. Because of this, the server masked out my UTF8 strings…I'm not certain of it, but maybe this is a deprecated thing…

    OpenVPN 2.1.4 + OpenSSL 0.9.80 @ Win7
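The check Chris describes (look at the string type of each subject-name entry in XCA) and the string_mask discussion in the last two posts can be done programmatically. The following is an added example, not code from the thread, XCA or OpenVPN: it decodes a DER-encoded X.509 subject Name, reports the ASN.1 string type of every attribute value (UTF8String, PrintableString, T61String, ...), and flags values that fall outside a given openssl.cnf string_mask. The string_mask table follows the openssl req manual (nombstr permits PrintableString and T61String, no BMPString or UTF8String). Note the assumption: string_mask governs which string types openssl req generates, so treating it as an acceptance policy for a peer is this example's simplification, not a statement of what the OpenVPN server does. The two sample subjects are constructed here, not taken from the poster's certificates.

```python
# Added example (not from the thread): decode the subject Name of a
# certificate at the DER level and report the ASN.1 string type of each
# attribute value, then compare it against an openssl.cnf string_mask policy.
# Sample Names below are constructed here, not taken from the poster's certs.

# Universal ASN.1 tags of the string types allowed in X.509 DirectoryString.
STRING_TAGS = {
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x14: "T61String",
    0x16: "IA5String",
    0x1E: "BMPString",
}

# string_mask values from openssl.cnf mapped to the tags each permits
# (per the openssl req manual: nombstr = no BMPString or UTF8String).
STRING_MASKS = {
    "default": {0x13, 0x14, 0x1E},
    "pkix": {0x13, 0x1E},
    "utf8only": {0x0C},
    "nombstr": {0x13, 0x14},
}

# Short attribute names and their DER-encoded OIDs (id-at-countryName etc.).
OID_BY_NAME = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
NAME_BY_OID = {oid: short for short, oid in OID_BY_NAME.items()}


def der_tlv(tag, content):
    """Encode one DER tag-length-value; long-form length when >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def build_name(attrs):
    """Build a DER Name from (short name, string tag, ASCII text) tuples.

    Each attribute becomes its own RDN: SET { SEQUENCE { OID, value } }.
    Only ASCII text is used so the bytes are valid for every string type.
    """
    rdns = []
    for short, tag, text in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, OID_BY_NAME[short]) + der_tlv(tag, text.encode("ascii")))
        rdns.append(der_tlv(0x31, atv))
    return der_tlv(0x30, b"".join(rdns))


def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed TLV into its (tag, content) parts."""
    parts, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        parts.append((tag, body))
    return parts


def name_string_types(der_name):
    """Return [(attribute, string type, text)] for every value in a Name.

    This is the programmatic form of the XCA tooltip check: it shows whether
    a CN was encoded as UTF8String, PrintableString, T61String, and so on.
    """
    tag, content, _ = der_read(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in der_children(content):          # each RDN is a SET
        for _, atv in der_children(rdn):          # each ATV is a SEQUENCE
            (_, oid), (val_tag, val) = der_children(atv)
            attr = NAME_BY_OID.get(oid, oid.hex())
            kind = STRING_TAGS.get(val_tag, "tag 0x%02x" % val_tag)
            out.append((attr, kind, val.decode("ascii", "replace")))
    return out


def rejected_by_mask(der_name, mask):
    """Attributes whose string type lies outside the given string_mask policy."""
    allowed = {STRING_TAGS[t] for t in STRING_MASKS[mask]}
    return [attr for attr, kind, _ in name_string_types(der_name) if kind not in allowed]


# Constructed samples: easy-rsa style (PrintableString) vs the XCA default (UTF8String).
EASYRSA_SUBJECT = build_name([("C", 0x13, "XX"), ("O", 0x13, "Example"), ("CN", 0x13, "client1")])
XCA_SUBJECT = build_name([("C", 0x13, "XX"), ("O", 0x0C, "Example"), ("CN", 0x0C, "client1")])

if __name__ == "__main__":
    for label, subj in (("easy-rsa", EASYRSA_SUBJECT), ("xca", XCA_SUBJECT)):
        print(label, name_string_types(subj))
        print("  outside nombstr:", rejected_by_mask(subj, "nombstr"))
```

To apply this to a real certificate, extract the DER subject (for example from the tbsCertificate with any ASN.1 tool) and pass those bytes to name_string_types; the two constructed subjects reproduce the thread's situation, where the same text "client1" is encoded once as PrintableString and once as UTF8String and only the latter is outside nombstr.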