At 09:09 AM 4/18/2016, you wrote:>On Mon, 18 Apr 2016, david wrote: > >>FOLLOWUP & REPORT >> >>I had lots of suggestions, and the most persuasive was to try >>OpenVPN. I already had a CA working, so issuing certificates was >>easy. The HOW-TO guides were less helpful than I could hope, but >>comparing several of them, applying common sense, and trying things >>out, I arrived at a dead-end. Here's essentially what happened: >> >>- None of the HOW-TOs were very clear about the need to add some >>attributes to a certificate, keyUsage and extendedKeyUsage. They >>had different values for server and client. OpenSSL documentation >>was a big vague on how to add them, but I think I did - the print >>out of the entity certificates showed the values. The attempt to >>connect failed. The client log is below. I think it's complaining >>that the CA certificate doesn't have the ke Usage extension, which >>makes no sense to me. Such an extension should be in the >>end-entity certificate, not the CA's, unless I'm wrong. I checked >>the server and really think that the certificates are in the right place. > >Here's how I managed that in my openssl.cnf file. Lots of bits >ellided for clarity's sake: > >### start ### >[ ca ] >default_ca = CA_default > >[ CA_default ] >x509_extensions = server_cert > >[ server_cert ] >basicConstraints=CA:FALSE >keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment >extendedKeyUsage = serverAuth, clientAuth >nsCertType = server, client >### end ### > >I think the nsCertType directive may be unnecessary these days, but >I keep it around because it doesn't hurt anything. > >The important bit is the extendedKeyUsage line; I'm pretty sure that >an OpenVPN server needs the serverAuth extension. For instance, here >is the X509 extensions configuration for a server used by EasyRSA: > > basicConstraints = CA:FALSE > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid,issuer:always > extendedKeyUsage = serverAuth,clientAuth > keyUsage = digitalSignature,keyEncipherment > >You can ask openssl to tell you the purpose of a certificate: > >[bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL >SSL client : Yes >SSL client CA : No >SSL server : Yes >SSL server CA : No >Netscape SSL server : Yes >Netscape SSL server CA : No > >Anyway, those are the extensions that should do away with these errors: > >>Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, >>L=San Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X >>Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension > >-- >Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/Paul Two things... First, the diagnostic I got referenced the server's CA certificate. And that confuses me. Second, when I look server's purpose, using the openssl x509 -purpose command, I get: SSL client : No SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No When looking at the CLIENT's purpose, I get SSL client : Yes SSL client CA : No SSL server : No SSL server CA : No Netscape SSL server : No Netscape SSL server CA : No The difference between what I have and what you reported is that I've got SSL Client NO on the server, and SSL server NO on the client, which makes sense to me. The CA certificate itself, says: Certificate purposes: SSL client : Yes SSL client CA : Yes SSL server : Yes SSL server CA : Yes Netscape SSL server : Yes Netscape SSL server CA : Yes S/MIME signing : Yes S/MIME signing CA : Yes S/MIME encryption : Yes S/MIME encryption CA : Yes CRL signing : Yes CRL signing CA : Yes Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : Yes Time Stamp signing : No Time Stamp signing CA : Yes Advice would be appreciated. David
On Tue, 19 Apr 2016, david wrote:> > > > At 09:09 AM 4/18/2016, you wrote: >> On Mon, 18 Apr 2016, david wrote: >> >> > FOLLOWUP & REPORT >> > >> > I had lots of suggestions, and the most persuasive was to try OpenVPN. I >> > already had a CA working, so issuing certificates was easy. The HOW-TO >> > guides were less helpful than I could hope, but comparing several of >> > them, applying common sense, and trying things out, I arrived at a >> > dead-end. Here's essentially what happened: >> > >> > - None of the HOW-TOs were very clear about the need to add some >> > attributes to a certificate, keyUsage and extendedKeyUsage. They had >> > different values for server and client. OpenSSL documentation was a big >> > vague on how to add them, but I think I did - the print out of the entity >> > certificates showed the values. The attempt to connect failed. The >> > client log is below. I think it's complaining that the CA certificate >> > doesn't have the ke Usage extension, which makes no sense to me. Such an >> > extension should be in the end-entity certificate, not the CA's, unless >> > I'm wrong. I checked the server and really think that the certificates >> > are in the right place. >> >> Here's how I managed that in my openssl.cnf file. Lots of bits ellided for >> clarity's sake: >> >> ### start ### >> [ ca ] >> default_ca = CA_default >> >> [ CA_default ] >> x509_extensions = server_cert >> >> [ server_cert ] >> basicConstraints=CA:FALSE >> keyUsage = nonRepudiation, dataEncipherment, digitalSignature, >> keyEncipherment >> extendedKeyUsage = serverAuth, clientAuth >> nsCertType = server, client >> ### end ### >> >> I think the nsCertType directive may be unnecessary these days, but I keep >> it around because it doesn't hurt anything. >> >> The important bit is the extendedKeyUsage line; I'm pretty sure that an >> OpenVPN server needs the serverAuth extension. For instance, here is the >> X509 extensions configuration for a server used by EasyRSA: >> >> basicConstraints = CA:FALSE >> subjectKeyIdentifier = hash >> authorityKeyIdentifier = keyid,issuer:always >> extendedKeyUsage = serverAuth,clientAuth >> keyUsage = digitalSignature,keyEncipherment >> >> You can ask openssl to tell you the purpose of a certificate: >> >> [bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL >> SSL client : Yes >> SSL client CA : No >> SSL server : Yes >> SSL server CA : No >> Netscape SSL server : Yes >> Netscape SSL server CA : No >> >> Anyway, those are the extensions that should do away with these errors: >> >> > Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, L=San >> > Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X >> > Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension >> >> -- >> Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/ > > > Paul > Two things... > > First, the diagnostic I got referenced the server's CA certificate. > And that confuses me.I'm not sure that's actually what the log is indicating. I think there's a mismatch between what extensions the server certificate says it can provide and what the client is expecting. Can you provide the SSL/TLS parts of your client configuration? In particular, I expect you'll have a "remote-cert-tls server" directive. I'd suggest commenting that out (or replacing it with "ns-cert-type server") and trying again. If that succeeds, you'll probably need to review your CA configuration. -- Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
At 08:57 AM 4/19/2016, you wrote:>On Tue, 19 Apr 2016, david wrote: > >> >> >> >>At 09:09 AM 4/18/2016, you wrote: >>>On Mon, 18 Apr 2016, david wrote: >>> > FOLLOWUP & REPORT >>> > > I had lots of suggestions, and the most persuasive was to try >>> OpenVPN. I > already had a CA working, so issuing certificates >>> was easy. The HOW-TO > guides were less helpful than I could >>> hope, but comparing several of > them, applying common sense, and >>> trying things out, I arrived at a > dead-end. Here's essentially what happened: >>> > > - None of the HOW-TOs were very clear about the need to add >>> some > attributes to a certificate, keyUsage and >>> extendedKeyUsage. They had > different values for server and >>> client. OpenSSL documentation was a big > vague on how to add >>> them, but I think I did - the print out of the entity > >>> certificates showed the values. The attempt to connect >>> failed. The > client log is below. I think it's complaining >>> that the CA certificate > doesn't have the ke Usage extension, >>> which makes no sense to me. Such an > extension should be in the >>> end-entity certificate, not the CA's, unless > I'm wrong. I >>> checked the server and really think that the certificates > are >>> in the right place. >>>Here's how I managed that in my openssl.cnf file. Lots of bits >>>ellided for clarity's sake: >>>### start ### >>>[ ca ] >>>default_ca = CA_default >>>[ CA_default ] >>>x509_extensions = server_cert >>>[ server_cert ] >>>basicConstraints=CA:FALSE >>>keyUsage = nonRepudiation, dataEncipherment, digitalSignature, >>>keyEncipherment >>>extendedKeyUsage = serverAuth, clientAuth >>>nsCertType = server, client >>>### end ### >>>I think the nsCertType directive may be unnecessary these days, >>>but I keep it around because it doesn't hurt anything. >>>The important bit is the extendedKeyUsage line; I'm pretty sure >>>that an OpenVPN server needs the serverAuth extension. For >>>instance, here is the X509 extensions configuration for a server >>>used by EasyRSA: >>> >>> basicConstraints = CA:FALSE >>> subjectKeyIdentifier = hash >>> authorityKeyIdentifier = keyid,issuer:always >>> extendedKeyUsage = serverAuth,clientAuth >>> keyUsage = digitalSignature,keyEncipherment >>>You can ask openssl to tell you the purpose of a certificate: >>>[bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL >>>SSL client : Yes >>>SSL client CA : No >>>SSL server : Yes >>>SSL server CA : No >>>Netscape SSL server : Yes >>>Netscape SSL server CA : No >>>Anyway, those are the extensions that should do away with these errors: >>> > Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, >>> ST=California, L=San > Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X >>> > Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension >>>-- >>>Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/ >> >> >>Paul >>Two things... >> >>First, the diagnostic I got referenced the server's CA certificate. >>And that confuses me. > >I'm not sure that's actually what the log is indicating. I think >there's a mismatch between what extensions the server certificate >says it can provide and what the client is expecting. > >Can you provide the SSL/TLS parts of your client configuration? > >In particular, I expect you'll have a "remote-cert-tls server" >directive. I'd suggest commenting that out (or replacing it with >"ns-cert-type server") and trying again. > >If that succeeds, you'll probably need to review your CA configuration. > >--Paul I'm not sure what you mean by the SSL/TLS parts of client configuration. Here's what I have for openvpn Configuration files... comment lines removed The client file at c:\program files\OpenVPN\config\client.opvn ---------------------------- client dev tun remote X.X.X 1194 resolv-retry infinite persist-key persist-tun ca "C:\\Program Files\\OpenVPN\\config\\bla.ca" cert "C:\\Program Files\\OpenVPN\\config\\bla.crt" key "C:\\Program Files\\OpenVPN\\config\\bla.key" remote-cert-tls server comp-lzo verb 3 ---------------------------------------- The Server file at /etc/openvpn/openvpn-server.conf --------------------------------------------- ca /etc/pki/tls/certs/ca-bundle.crt cert /etc/pki/tls/certs/localhost.crt client-to-client dev tun dh /etc/pki/tls/private/dh.pem keepalive 10 120 key /etc/pki/tls/private/localhost.key port 1194 proto tcp-server push "dhcp-option DNS 192.168.155.2" push "redirect-gateway def1 bypass-dhcp" server 192.168.155.16 255.255.255.240 #log openvpn.log verb 4 user nobody group nobody local a.b.c.d --------------------------------------- David