Thanks for the tip, I regenerated the certificates with RSA 2048, and it's working ok now.
I just wonder, why openssl still accepts it.
Anyway, we can close this.
Hi, I'm having the same issue after switching from openssl to mbedtls.
I regenerated certificates with 2048 length, and now the CA cert is ok, but now I get a validation error on the client cert:
"The certificate is signed with an unacceptable hash."
On the client side (running an openssl version) the server certificate is successfully validated.
duvi:
On the same configuration, same system, same certificates, openvpn-mbedtls can not verify the certificate, but openvpn-openssl is working ok.
Notice the "??=vma": openvpn-mbedtls doesn't recognize the "name" field in the certificate. Maybe that is the problem.
I have the same suboptions enabled in "make menuconfig" in both cases.
openvpn-mbedtls:
Fri Jan 13 23:05:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jan 13 23:05:58 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Jan 13 23:05:58 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Fri Jan 13 23:05:58 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=75e238e0 c51819f1
Fri Jan 13 23:05:58 2017 VERIFY ERROR: depth=0, subject=C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, ??=vma, emailAddress=myemail@mydomain.hu: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jan 13 23:05:58 2017 TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jan 13 23:05:58 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 13 23:05:58 2017 TLS Error: TLS handshake failed
Fri Jan 13 23:05:58 2017 SIGUSR1[soft,tls-error] received, process restarting
openvpn-openssl:
Tue Jan 17 09:36:06 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Jan 17 09:36:06 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Jan 17 09:36:06 2017 UDP link remote: [AF_INET]my.ser.ver.ip:1194
Tue Jan 17 09:36:06 2017 TLS: Initial packet from [AF_INET]my.ser.ver.ip:1194, sid=3fc0a62c be2ce0f4
Tue Jan 17 09:36:06 2017 VERIFY OK: depth=1, C=HU, ST=BA, L=Pecs, O=Duvinet, OU=vma, CN=my.server.dns, name=vma, emailAddress=myemail@mydomain.hu
Tue Jan 17 09:36:06 2017 Validating certificate key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has key usage 00a0, expects 00a0
Tue Jan 17 09:36:06 2017 VERIFY KU OK
Tue Jan 17 09:36:06 2017 Validating certificate extended key usage
Tue Jan 17 09:36:06 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 17 09:36:06 2017 VERIFY EKU OK
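Added example, not from this thread or from the OpenVPN/mbedtls code: a stdlib-only Python checker that pulls the two properties the mbedtls log complains about, RSA modulus size and signature hash, out of a DER certificate so a cert can be vetted before it is deployed. Assumptions: the 2048-bit minimum comes from what fixed both reporters' setups and the md5/sha1 list is common practice, neither is taken from mbedtls's exact profile; the demo certificates are constructed inside the block.

```python
RSA_ENC = bytes.fromhex("2a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1
SIG_HASH = {bytes.fromhex("2a864886f70d0101" + t): h for t, h in   # <hash>WithRSAEncryption
            (("04", "md5"), ("05", "sha1"), ("0b", "sha256"), ("0c", "sha384"), ("0d", "sha512"))}
MIN_RSA_BITS = 2048             # assumption: the size that fixed both reporters' setups
WEAK_HASHES = {"md5", "sha1"}   # assumption: hashes to treat as "unacceptable"

def tlv(buf, pos=0):
    # Decode one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths.
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    # Split the content of a constructed element into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    # Return {'rsa_bits', 'hash', 'problems'} for one DER-encoded X.509 certificate.
    tbs, sig_alg, _sig = children(tlv(der)[1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop optional [0] version
    spki_alg, spki_key = children(fields[5][1])               # subjectPublicKeyInfo
    sig_hash = SIG_HASH.get(children(sig_alg[1])[0][1], "unknown")
    info = {"rsa_bits": None, "hash": sig_hash, "problems": []}
    if children(spki_alg[1])[0][1] == RSA_ENC:
        modulus = children(tlv(spki_key[1], 1)[1])[0][1]      # offset 1 skips unused-bits byte
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
        if info["rsa_bits"] < MIN_RSA_BITS:
            info["problems"].append(f"RSA key too short ({info['rsa_bits']} bits)")
    if sig_hash in WEAK_HASHES or sig_hash == "unknown":
        info["problems"].append(f"signature hash {sig_hash} not acceptable")
    return info

def enc(tag, body):
    # Minimal DER encoder, used only to build the constructed demo certificates below.
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def demo_cert(bits, sig_oid):
    # Constructed certificate-shaped DER: empty names, the given signature OID, RSA key of `bits`.
    i = lambda v: enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    alg = enc(0x30, enc(0x06, sig_oid) + b"\x05\x00")
    key = enc(0x30, i((1 << (bits - 1)) | 1) + i(65537))
    spki = enc(0x30, enc(0x30, enc(0x06, RSA_ENC) + b"\x05\x00") + enc(0x03, b"\x00" + key))
    tbs = enc(0x30, enc(0xA0, i(2)) + i(1) + alg + enc(0x30, b"") * 3 + spki)  # names/validity empty
    return enc(0x30, tbs + alg + enc(0x03, b"\x00" * 17))

if __name__ == "__main__":
    print(inspect_cert(demo_cert(1024, bytes.fromhex("2a864886f70d010105"))))
```

To check a real file, decode its PEM body with base64 first and pass the resulting bytes to inspect_cert.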