Alon Bar-Lev | 5 May 2012 09:57

Re: ns-cert-type not working?

Hello,
These days people should use EKU and not the non-standard netscape extensions.
Try to use the related parameters.
Alon.

On Sat, May 5, 2012 at 10:48 AM, Andre Ruiz <andre.ruiz <at> gmail.com> wrote:
> Hello list!
>
> I'm having a hard time with ns-cert-type, it seems not to be working
> as expected.
>
> I understand that it is a security enhancement to check for types of
> certificates of clients and servers, but if I want, could I use
> "server"-type certificates on both sides? I would think it's just a
> matter of not checking it or even specifying to expect type server on
> both sides.
>
> But it's not working. OpenVPN 2.2.1 and 2.2.2, both sides as
> type=Server on the certificates, both sides without ns-cert-type check
> (or with ns-cert-type server, it makes no difference), the error is
> always the same:
>
> May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 VERIFY
> ERROR: depth=0, error=unsupported certificate purpose:
> /C=BR/O=Atendemos_Tecnologia_Ltda/OU=IT_Operations/CN=druid.vpn.atendemos
> May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS_ERROR:
> BIO read tls_read_plaintext error: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS Error:
> TLS object -> incoming plaintext read error
> May  5 04:38:10 vpbjz4 openvpn[6646]: 177.16.213.147:57137 TLS Error:
> TLS handshake failed
>
> All the places I read suggest that the error "unsupported certificate
> purpose" is because the server is expecting the type "client" on the
> client, and that I should fix the certificate.
>
> But I have a situation where the same openvpn will act as server to
> one endpoint and client to another, using the same certs, so there is
> one of the tunnels where I will have two "server" types connecting to
> each other. I do not mind turning that check off (and I know that I
> could use two different certificates to work around that, but I would
> like to know the reason as I think it should work).
>
> Thanks!
> Andre
>
> --
> Andre Ruiz  <andre.ruiz <at> gmail.com>
> Curitiba, PR, Brasil
> Tel +55 (41) 8407-3847
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

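The "unsupported certificate purpose" error in the quoted log is OpenSSL's X509 purpose check, which OpenVPN runs against the peer certificate for the role it expects. The script below is an added example, not code from either poster or from the OpenVPN project: it reproduces that check with openssl(1) on three constructed leaf certificates (a made-up throwaway CA, EKU serverAuth only, clientAuth only, and both) and shows that a certificate carrying both serverAuth and clientAuth passes the sslserver and sslclient purposes, which is what a node acting as server on one tunnel and client on another needs when it uses one certificate for both. It assumes openssl(1) is in PATH with its default config file.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN.
# Reproduces the X509 purpose check behind "unsupported certificate purpose":
# a leaf whose extendedKeyUsage lists only serverAuth fails the sslclient
# purpose, and a leaf carrying both serverAuth and clientAuth passes both.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA (all names are made up for the demo).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-ca' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue NAME EKU_LIST: sign a leaf whose extendedKeyUsage is EKU_LIST
# (e.g. "serverAuth" or "serverAuth,clientAuth"); no nsCertType is set.
issue() {
    name=$1; eku=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" \
        >/dev/null 2>&1
}

# purpose_ok NAME PURPOSE: exit 0 if the leaf passes OpenSSL's purpose check
# for PURPOSE (sslserver or sslclient), the same check that makes a TLS
# handshake fail with "unsupported certificate purpose".
purpose_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# report NAME: print both purpose results for a leaf
report() {
    s=FAIL; c=FAIL
    purpose_ok "$1" sslserver && s=ok
    purpose_ok "$1" sslclient && c=ok
    printf '%-12s sslserver=%s  sslclient=%s\n' "$1" "$s" "$c"
}

make_ca
issue server-only serverAuth
issue client-only clientAuth
issue dual        serverAuth,clientAuth
report server-only
report client-only
report dual
```

The first two leaves each pass exactly one purpose; the dual leaf passes both. In OpenVPN terms, `remote-cert-tls server` (or `client`) is the EKU/keyUsage based counterpart of `ns-cert-type`, so a peer that must satisfy both checks needs a certificate with both EKUs rather than a disabled check.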
