OpenVPN client cert generate problem

  • wlaszi

    wlaszi - 2010-12-31


    I can't connect to my VPN server with the XCA generated cert files…
    My server log said:
    Dec 28 17:17:47 coyote2 daemon.err openvpn: TLS_ERROR: BIO read tls_read_plaintext error: error:0D11A0A2:asn1 encoding routines:ASN1_mbstring_copy:unknown format
    Dec 28 17:17:47 coyote2 daemon.err openvpn: TLS Error: TLS object -> incoming plaintext read error
    Dec 28 17:17:47 coyote2 daemon.err openvpn: TLS Error: TLS handshake failed

    I try to us my "easy-rsa cert's" template, reuse their key, csr but I always get the same error
    I tried import and export to file my easy-rsa created certs, and they work properly, so it cannot be export problem…
    As I can compare the contents of the certs (XCA vs EasyRSA) is no difference…but somehow the results is not the same :(
    The XCA generated server certs works fine…just client certs has problems.

    Any ideas to solved this?

  • Christian Hohnstaedt

    The message: "ASN1_mbstring_copy:unknown format" indicates a problematic string-type.

    If you look at the details of the 2 certificates in XCA, leave your mouse over the subject name entries.
    The Tooltip shows the string type like UTF8STRING or PRINTABLESTRING.

    Can you see differences between the easy-rsa and XCA certs there?

  • wlaszi

    wlaszi - 2011-01-02

    Thank you Chris!

    The string type was different while the openssl.cnf string_mask  was set to nombstr…but the xca default stringtype is utf8… if I set to T61 for example, the selfed generated certs works…great! :)

  • Christian Hohnstaedt

    Do you have an idea, why the UTF8 strings do not work on the client side?
    What versions do the openvpn and openssl versions on the client have and what OS is it running on ?

  • wlaszi

    wlaszi - 2011-01-02

    In the openssl.cnf parameter "string_mask = nombstr" is the default. Because this, the server masked out my utf8 strings…Im not certain of it, but maybe this is a depreciated thing…

    OpenVPN 2.1.4,+ OpenSSL 0.9.80 @ Win7


Log in to post a comment.