  1. #1
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    OpenVPN from Linux Mint 19 fails - TLS handshake failed

    I'm trying to connect to an Untangle 14.2.2 firewall (running on Atom hardware) using OpenVPN 2.4.4 from a Linux Mint 19 (AMD64) system. I'm seeing the UDP connection attempt increment on the firewall, but no connection is established. The log file on the Mint box shows:
    Code:
    Nov 18 07:41:21 mailtest-offs systemd[1]: Started OpenVPN tunnel for ghla.
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: TLS_ERROR: BIO read tls_read_plaintext error
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: TLS Error: TLS object -> incoming plaintext read error
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: TLS Error: TLS handshake failed
    Nov 18 07:41:21 mailtest-offs openvpn[13920]: SIGUSR1[soft,tls-error] received, process restarting
    Nov 18 07:41:26 mailtest-offs openvpn[13920]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Nov 18 07:41:26 mailtest-offs openvpn[13920]: TCP/UDP: Preserving recently used remote address: [AF_INET]--deleted--
    Nov 18 07:41:26 mailtest-offs openvpn[13920]: UDP link local: (not bound)
    Nov 18 07:41:26 mailtest-offs openvpn[13920]: UDP link remote: [AF_INET]--deleted--
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=CO, ST=ST, O=O, OU=OU, CN=server, dnQualifier=server
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: TLS_ERROR: BIO read tls_read_plaintext error
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: TLS Error: TLS object -> incoming plaintext read error
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: TLS Error: TLS handshake failed
    Nov 18 07:41:27 mailtest-offs openvpn[13920]: SIGUSR1[soft,tls-error] received, process restarting
    Lather, rinse, repeat. Basically it looks like the Mint instance is refusing to connect to the Untangle firewall because the firewall certificates are using the cracked SHA-1 digest. Is it possible to force the Untangle firewall to use (for instance) SHA-256 for its certificates? If not, what sort of time-frame are we looking at for an update?
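
    The field OpenSSL is objecting to in that VERIFY ERROR is the certificate's signatureAlgorithm. The stdlib-only checker below is an added example (not part of this thread, of Untangle or of OpenVPN) that pulls that OID out of a PEM certificate such as the server cert in the client's .ovpn bundle; `sample_pem` builds a constructed minimal stand-in certificate so it runs offline, and the `ok` flag treats MD5 and SHA-1 signatures as too weak, matching what the error above rejects.

```python
"""Report the signature digest of an X.509 certificate, the field behind
OpenSSL's "CA signature digest algorithm too weak" verify error."""
import base64
import re

# signatureAlgorithm OID -> (name, acceptable); MD5 and SHA-1 count as weak
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first byte packs two arcs
    for b in raw[1:]:                           # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, pos, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, _, tbs_end = _tlv(der, pos)              # skip tbsCertificate entirely
    _, alg_pos, _ = _tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, alg_pos)
    assert tag == 0x06, "expected OID"
    return _decode_oid(der[start:end])

def check_pem(pem):
    """(oid, name, ok) for the first certificate in a PEM string."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    oid = signature_oid(base64.b64decode("".join(b64.split())))
    return (oid,) + SIG_ALGS.get(oid, ("unknown", False))

def sample_pem(alg_oid_der):
    """Constructed stand-in with empty tbsCertificate/signature, for offline runs."""
    body = b"\x30\x00" + b"\x30" + bytes([len(alg_oid_der)]) + alg_oid_der + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()
```

    Run `check_pem(open("server.crt").read())` against the certificate from the client bundle; anything that comes back with `ok == False` is what the Linux client will keep refusing.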

  2. #2
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,397

    Yes, we don't update the certificate on upgrade since it will break existing OpenVPN clients. To upgrade the certificate, remove OpenVPN, reinstall it and add all the clients back in manually.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Oh. bother, said Pooh. Well, since I'd have to recreate them all anyway, if there was an automatic update, I suppose it's the best of a bad few choices...

  4. #4
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,397

    Yeah, sometimes the choices for upgrade path are going to hurt either way.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,029

    While you're redoing that, you might consider hitting up the advanced tab and excluding the server and client compression directives. Otherwise mobile OpenVPN clients will complain... and well... since the OpenVPN devs will be yanking compression support entirely at some point, it might just save you another nuke and pave.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    It's looking like I might have some other troubles anyway. What I want to do is have full tunnel with DNS provided by the DC at the far end of the tunnel (as required for Windows domains), but I've specified push DNS to that server (push DNS, custom, a.a.a.a where the last is the IP address of the DC, Push DNS Domain set to internal domain name). The connection establishes, I can ping the remote net by IP, but DNS won't resolve anything on the remote network, and the client says
    Code:
    Options error: unrecognized option or extra or missing parameters in PUSH_OPTIONS:1: register-dns (2.4.4)
    Any thoughts on that one?

    Edit: With logging verbosity set to 4, here's the relevant part of the log:
    Code:
    Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,register-dns,route 10.2.0.0 255.255.252.0,route 172.16.228.0 255.255.255.0,topology net30,ping 10,ping-restart 60,redirect-gateway def1,dhcp-option DNS 10.2.1.196,dhcp-option DOMAIN something.local,ifconfig 172.16.228.6 172.16.228.5,peer-id 1,cipher AES-256-GCM'
    Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: register-dns (2.4.4)
    For what it's worth, the DNS server is 10.2.1.196 in network 10.2.0.0/22, and the Untangle firewall is at 10.2.1.1.
    Last edited by chazz; 11-18-2019 at 03:22 PM. Reason: more verbose log file
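
    As an added example (not Untangle's or OpenVPN's code), the parser below takes the PUSH_REPLY from the verb 4 log above and separates the options a Linux OpenVPN 2.4 client applies itself from `register-dns`, a Windows-only option that produces exactly that Options error, and from the `dhcp-option` DNS/DOMAIN values, which on Linux only reach an `--up` script (e.g. update-resolv-conf) as foreign_option_N and are otherwise never written to resolv.conf. `pull-filter ignore` is the 2.4 client directive that silences a pushed option.

```python
"""Sort an OpenVPN 2.4 PUSH_REPLY (as logged at verb 4) into what a Linux
client applies itself, what it only hands to an --up script, and what is
Windows-only. PUSH_REPLY below is the one from the log in this post."""

# Implemented only by the Windows client; a Linux client logs
# "Options error: Unrecognized option ..." for each and carries on.
WINDOWS_ONLY = {"register-dns", "block-outside-dns"}
# On Linux openvpn does not touch resolv.conf: dhcp-option values are
# exported to the --up script as foreign_option_1, foreign_option_2, ...
FOREIGN = {"dhcp-option"}

PUSH_REPLY = ("PUSH_REPLY,register-dns,route 10.2.0.0 255.255.252.0,"
              "route 172.16.228.0 255.255.255.0,topology net30,ping 10,"
              "ping-restart 60,redirect-gateway def1,dhcp-option DNS 10.2.1.196,"
              "dhcp-option DOMAIN something.local,ifconfig 172.16.228.6 172.16.228.5,"
              "peer-id 1,cipher AES-256-GCM")

def parse_push_reply(msg):
    """'PUSH_REPLY,opt args,opt args,...' -> list of (name, [args])."""
    assert msg.startswith("PUSH_REPLY,"), "not a PUSH_REPLY control message"
    opts = []
    for item in msg[len("PUSH_REPLY,"):].split(","):
        name, *args = item.split()
        opts.append((name, args))
    return opts

def classify(opts):
    """Bucket parsed options as native / foreign / windows_only."""
    buckets = {"native": [], "foreign": [], "windows_only": []}
    for name, args in opts:
        key = ("windows_only" if name in WINDOWS_ONLY
               else "foreign" if name in FOREIGN else "native")
        buckets[key].append((name, args))
    return buckets

def resolv_conf(opts):
    """resolv.conf lines an --up script would have to write on Linux."""
    keyword = {"DNS": "nameserver", "DOMAIN": "search"}
    return [f"{keyword[a[0]]} {a[1]}" for n, a in opts
            if n == "dhcp-option" and a[0] in keyword]

def pull_filters(opts):
    """Client config lines that silence the Windows-only options."""
    return [f'pull-filter ignore "{n}"' for n, _ in opts if n in WINDOWS_ONLY]

if __name__ == "__main__":
    parsed = parse_push_reply(PUSH_REPLY)
    print(classify(parsed)["windows_only"])
    print("\n".join(resolv_conf(parsed) + pull_filters(parsed)))
```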

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,029

    Oh that's easy, Windows firewall on your DC is being a pain. Easy solution though, go get your address pool range out of the OpenVPN module, and make an entry for it in Active Directory Sites and Services.

    Once the OpenVPN address pool range is in there, it'll be accepted by the domain firewall profile of all domain member machines and you're back in business.

    You probably have an address pool range in there already, so you might consider just updating it with the new range. Untangle randomizes that pool a bit every time the module is installed.

  8. #8
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Alas, not so easy. I have added that range to the subnet list in AD Sites And Services and I'm still getting the same error.

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,029

    How long did you wait? It takes time for Group Policy to propagate. 30min + or - 15min, so it's about time to test NOW actually.

    Unless you only have 1 DC and you did gpupdate /force on the DC after the change?

  10. #10
    Untangler
    Join Date
    Mar 2013
    Posts
    33

    Nobody tells me these things... I sort of have to fumble through as best I can. And seeing as we're looking at one server on one network, propagation honestly shouldn't be an issue. But I bow to your expertise... unfortunately, we still get the same error even now after... 48 minutes.
