From: John E. <joh...@ya...> - 2011-01-09 22:28:17
Sorry to bother the list again... I've had openvpn running fine for some time and have found answers to most of my questions either through a book or through archives of the mail list. This time, I am a bit stumped. I blew away all of my certs and re-created them (server and client). At first, when I tried to connect, I was getting "Certificate does not have key usage extension" in the client log, so I followed this post http://openvpn.net/archive/openvpn-devel/2006-11/msg00024.html and added the two lines to openssl.cnf. When I created new certs, I could not connect. While the client logs look OK, the server clearly points to a problem. Thing is, I only find a couple of posts on Google that don't seem to help.

server log:

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Local Options hash (VER=V4): '162b04de'
Expected Remote Options hash (VER=V4): '9e7066d2'
TLS: Initial packet from 80.125.173.175:51984, sid=36169876 76ab0999
VERIFY OK: depth=1, /C=XX/ST=XX/L=XXX/O=XXX/CN=OpenVPN-CA/emailAddress=XX...@XX...
Certificate does not have key usage extension
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

client log:

OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Control Channel Authentication: using 'folder/ta.key' as a OpenVPN static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
LZO compression initialized
Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[8192->8192] S=[8192->8192]
Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Local Options hash (VER=V4): '9e7332d2'
Expected Remote Options hash (VER=V4): '162141de'
UDPv4 link local: [undef]
UDPv4 link remote: <domain>:1194
us=578000 TLS: Initial packet from <domain>:1194, sid=235a9fc1 911c541f
VERIFY OK: depth=1, /C=XX/ST=XX/L=XXX/O=XXX/CN=OpenVPN-CA/emailAddress=XX...@XX...
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, /C=XX/ST=XX/O=AXXX/CN=server/emailAddress=XX...@XX...
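The two logs together narrow the problem down: the client verifies the server certificate (key usage 00a0, i.e. digitalSignature plus keyEncipherment, and a serverAuth EKU), while the server rejects the client's leaf certificate because it carries no keyUsage extension at all. That server-side rejection is OpenVPN's KU/EKU check (the one enabled by --remote-cert-tls, --remote-cert-ku and --remote-cert-eku), so the thing to inspect is the client certificate itself. The script below is an added example, not code from this post or from the OpenVPN project: a POSIX shell function that reports the Key Usage and Extended Key Usage of a PEM certificate with the openssl command-line tool, plus a helper that builds a throwaway CA and issues the same client CSR once without extensions and once with them, so both outcomes can be seen side by side. The file names, the subject names and the extension values chosen for the client (digitalSignature, keyEncipherment, clientAuth) are this example's own assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): report whether a certificate carries the
# X.509 keyUsage / extendedKeyUsage extensions that OpenVPN's KU/EKU check wants.
# Requires the openssl command-line tool.

# check_cert_usage CERT.pem
# Prints the Key Usage and Extended Key Usage values of a PEM certificate.
# Exit status: 0 if both extensions are present, 1 if either is missing,
# 2 if the file could not be parsed as a certificate.
check_cert_usage() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # In "openssl x509 -text" output the value follows the header line.
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; sub(/^[ \t]*/, ""); print; exit}')
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; sub(/^[ \t]*/, ""); print; exit}')
    printf '%s: KU=[%s] EKU=[%s]\n' "$cert" "$ku" "$eku"
    [ -n "$ku" ] && [ -n "$eku" ]
}

# make_demo_certs DIR
# Builds a throwaway CA in DIR (constructed names, 1-day validity) and signs the
# same client CSR twice: client-noku.crt with no extension file (no KU, no EKU,
# the situation the server log above reports) and client-ku.crt with a
# keyUsage line and a clientAuth EKU. Exit status 1 if any openssl step fails.
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 || return 1
    # Signed without an extension file: the leaf gets neither KU nor EKU.
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client-noku.crt" >/dev/null 2>&1 || return 1
    # Same CSR, signed with an extension file that names KU and a clientAuth EKU.
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client-ku.crt" >/dev/null 2>&1 || return 1
}

# Stand-alone run: build both demo client certificates and check each one.
main() {
    dir=$(mktemp -d) || exit 1
    make_demo_certs "$dir" || { echo "openssl failed"; rm -rf "$dir"; exit 1; }
    for c in "$dir/client-noku.crt" "$dir/client-ku.crt"; do
        if check_cert_usage "$c"; then
            echo "  -> carries KU and EKU; passes the KU/EKU check"
        else
            echo "  -> missing KU or EKU; the server would log 'Certificate does not have key usage extension'"
        fi
    done
    rm -rf "$dir"
}
main
```

Run check_cert_usage against the real client certificate that was just re-created; if it prints an empty KU=[] the extensions added to openssl.cnf were applied only to the server certificate (or to neither), and the client certificate has to be re-issued with them before the server's check can succeed.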