openvpn-mbedtls cannot verify certificate
Username: duvi
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=405
On the same configuration, same system, same certificates, openvpn-mbedtls cannot verify the certificate, but openvpn-openssl is working OK.
Notice the “??=vma”, how openvpn-mbedtls doesn’t recognize the “name” field in the certificate. Maybe that is the problem.
I have the same suboptions enabled in “make menuconfig” in both cases.
openvpn-mbedtls:
Fri Jan 13 23:05:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jan 13 23:05:58 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 13 23:05:58 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=75e238e0 c51819f1
Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail@mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jan 13 23:05:58 2017 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jan 13 23:05:58 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 13 23:05:58 2017 TLS Error: TLS handshake failed
Fri Jan 13 23:05:58 2017 SIGUSR1[soft,tls-error] received, process restarting
openvpn-openssl:
Tue Jan 17 09:36:06 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Jan 17 09:36:06 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Jan 17 09:36:06 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=3fc0a62c be2ce0f4
Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail@mydomain.hu
Tue Jan 17 09:36:06 2017 Validating certificate key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has key usage 00a0, expects 00a0
Tue Jan 17 09:36:06 2017 VERIFY KU OK
Tue Jan 17 09:36:06 2017 Validating certificate extended key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 17 09:36:06 2017 VERIFY EKU OK
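A triage helper added here as an example (not part of the original report, and not OpenVPN code): it parses the VERIFY lines in the two formats shown in the logs above and pulls out the chain depth, the reason the backend printed, and any subject attribute it printed as "??". The function names are hypothetical, and it assumes attribute values contain no ", " or ": ".

```python
import re

# Sample input: the two VERIFY lines copied from the logs in this report.
SAMPLE = [
    "Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail@mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).",
    "Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail@mydomain.hu",
]

# Matches "VERIFY OK:" / "VERIFY ERROR:" only, not "VERIFY KU OK" or "VERIFY EKU OK".
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (?:subject=)?(.*)$")


def parse_verify(line):
    """Return a dict for a VERIFY OK/ERROR line, or None for any other line."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    status, depth, rest = m.group(1), int(m.group(2)), m.group(3)
    # On ERROR lines in the format above, the reason follows the subject after ": ".
    if status == "ERROR":
        subject, _, reason = rest.partition(": ")
    else:
        subject, reason = rest, ""
    attrs = []
    for part in subject.split(", "):
        key, _, value = part.partition("=")
        attrs.append((key, value))
    return {
        "status": status,
        "depth": depth,
        "attrs": attrs,
        "reason": reason or None,
        # Attributes whose type the backend could not name are printed as "??".
        "unknown": [value for key, value in attrs if key == "??"],
    }


def diff_subjects(a, b):
    """Positions where two parsed subjects disagree on attribute name or value."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a["attrs"], b["attrs"])) if x != y]


if __name__ == "__main__":
    failed, passed = (parse_verify(line) for line in SAMPLE)
    print("failed at depth", failed["depth"], "reason:", failed["reason"])
    print("verified at depth", passed["depth"])
    print("subject differences:", diff_subjects(failed, passed))
```

Run against the two lines above, it shows that the subjects differ only in how the seventh attribute is labelled, and that the two VERIFY lines report different chain depths (0 and 1).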