From: Marc H. <mh+...@zu...> - 2008-05-14 15:14:08
I am running a quite small installation of OpenVPN, mainly for testing purposes. The keys were built on Debian unstable in early 2007, so I can bin the PKI I built back then. In the meantime, I have found out that I need to keep local configuration for each of my clients anyway (for example, to configure the client's VPN IP address), and reckoned that I can save myself the hassle of running a PKI and instead put the client's certificate into the client configuration.

I built self-signed certificates for the server (that one having nsCertType=server) and for the client, both of them with basicConstraints=CA:TRUE.

The server:

/etc/openvpn/server.conf
ca server.crt
cert server.crt
key server.key
client-config-dir client-config-dir

/etc/openvpn/client-config-dir/client
ca "/etc/openvpn/client-cert-dir/client"

/etc/openvpn/client-cert-dir/client holds the client's certificate.

The client:

ca server.crt
cert client.crt
key client.key

OpenVPN on the server starts up just fine, but the client doesn't seem to like the certificate presented by the server:

May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: TLS: Initial packet from <server>:1194, sid=8c687ee0 79f9160d
May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=DE/O=example.com/CN=server.example.com/emailAddress=mh_...@ex...
May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: TLS Error: TLS object -> incoming plaintext read error
May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: TLS Error: TLS handshake failed
May 14 16:26:42 scyw00225 ovpn-zg2-client[32337]: TCP/UDP: Closing socket

I am wondering what I may be doing wrong. Does the client identify itself before the SSL handshake takes place? Is it possible in the first place that the server can look into the correct client-cert-file at this time of the handshake?

Any hints will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They  | E-mail address in header
Mannheim, Germany  |  lose things."     Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature | How to make an American Quilt   | Fax: *49 3221 2323190