At 08:57 AM 4/19/2016, you wrote:
>On Tue, 19 Apr 2016, david wrote:
>
>>At 09:09 AM 4/18/2016, you wrote:
>>>On Mon, 18 Apr 2016, david wrote:
>>>
>>> > FOLLOWUP & REPORT
>>> >
>>> > I had lots of suggestions, and the most persuasive was to try
>>> > OpenVPN. I already had a CA working, so issuing certificates
>>> > was easy. The HOW-TO guides were less helpful than I could
>>> > hope, but comparing several of them, applying common sense, and
>>> > trying things out, I arrived at a dead-end. Here's essentially
>>> > what happened:
>>> >
>>> > - None of the HOW-TOs were very clear about the need to add
>>> > some attributes to a certificate, keyUsage and
>>> > extendedKeyUsage. They had different values for server and
>>> > client. OpenSSL documentation was a bit vague on how to add
>>> > them, but I think I did - the print out of the entity
>>> > certificates showed the values. The attempt to connect
>>> > failed. The client log is below. I think it's complaining
>>> > that the CA certificate doesn't have the keyUsage extension,
>>> > which makes no sense to me. Such an extension should be in the
>>> > end-entity certificate, not the CA's, unless I'm wrong. I
>>> > checked the server and really think that the certificates are
>>> > in the right place.
>>>
>>>Here's how I managed that in my openssl.cnf file. Lots of bits
>>>elided for clarity's sake:
>>>
>>>### start ###
>>>[ ca ]
>>>default_ca = CA_default
>>>
>>>[ CA_default ]
>>>x509_extensions = server_cert
>>>
>>>[ server_cert ]
>>>basicConstraints=CA:FALSE
>>>keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment
>>>extendedKeyUsage = serverAuth, clientAuth
>>>nsCertType = server, client
>>>### end ###
>>>
>>>I think the nsCertType directive may be unnecessary these days,
>>>but I keep it around because it doesn't hurt anything.
>>>
>>>The important bit is the extendedKeyUsage line; I'm pretty sure
>>>that an OpenVPN server needs the serverAuth extension. For
>>>instance, here is the X509 extensions configuration for a server
>>>used by EasyRSA:
>>>
>>>    basicConstraints = CA:FALSE
>>>    subjectKeyIdentifier = hash
>>>    authorityKeyIdentifier = keyid,issuer:always
>>>    extendedKeyUsage = serverAuth,clientAuth
>>>    keyUsage = digitalSignature,keyEncipherment
>>>
>>>You can ask openssl to tell you the purpose of a certificate:
>>>
>>>[bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL
>>>SSL client : Yes
>>>SSL client CA : No
>>>SSL server : Yes
>>>SSL server CA : No
>>>Netscape SSL server : Yes
>>>Netscape SSL server CA : No
>>>
>>>Anyway, those are the extensions that should do away with these errors:
>>>
>>> > Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, L=San
>>> > Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X
>>> > Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension
>>>
>>>--
>>>Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
>>
>>Paul
>>Two things...
>>
>>First, the diagnostic I got referenced the server's CA certificate.
>>And that confuses me.
>
>I'm not sure that's actually what the log is indicating. I think
>there's a mismatch between what extensions the server certificate
>says it can provide and what the client is expecting.
>
>Can you provide the SSL/TLS parts of your client configuration?
>
>In particular, I expect you'll have a "remote-cert-tls server"
>directive. I'd suggest commenting that out (or replacing it with
>"ns-cert-type server") and trying again.
>
>If that succeeds, you'll probably need to review your CA configuration.
>
>-- Paul

I'm not sure what you mean by the SSL/TLS parts of client configuration.
Here's what I have for openvpn Configuration files...
comment lines removed

The client file at c:\program files\OpenVPN\config\client.opvn
----------------------------
client
dev tun
remote X.X.X 1194
resolv-retry infinite
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\bla.ca"
cert "C:\\Program Files\\OpenVPN\\config\\bla.crt"
key "C:\\Program Files\\OpenVPN\\config\\bla.key"
remote-cert-tls server
comp-lzo
verb 3
----------------------------------------

The Server file at /etc/openvpn/openvpn-server.conf
---------------------------------------------
ca /etc/pki/tls/certs/ca-bundle.crt
cert /etc/pki/tls/certs/localhost.crt
client-to-client
dev tun
dh /etc/pki/tls/private/dh.pem
keepalive 10 120
key /etc/pki/tls/private/localhost.key
port 1194
proto tcp-server
push "dhcp-option DNS 192.168.155.2"
push "redirect-gateway def1 bypass-dhcp"
server 192.168.155.16 255.255.255.240
#log openvpn.log
verb 4
user nobody
group nobody
local a.b.c.d
---------------------------------------

David
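The thread turns on whether the server's end-entity certificate carries the extendedKeyUsage (serverAuth) and keyUsage (digitalSignature, keyEncipherment) values that a client running "remote-cert-tls server" insists on. The script below is an added example, not part of David's or Paul's messages and not OpenVPN or EasyRSA code: it uses the openssl CLI (assumed to be on PATH) to mint a throwaway CA and two server certificates, one with the EasyRSA-style extensions quoted above and one with none, then checks each certificate's printed extensions for exactly those values. The CA name, subjects, file names and the check itself are made up for the demo; the check reproduces the requirement as stated in the thread rather than OpenVPN's own verification code.

```shell
#!/bin/sh
# Added example (not from the thread): issue two throwaway server certificates
# with openssl and check which one satisfies the keyUsage/extendedKeyUsage
# requirement the thread attributes to "remote-cert-tls server".
# Assumes the openssl CLI is on PATH; all names and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private CA used only for this demo (self-signed, one-day validity).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo OpenVPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EXTFILE: key + CSR for NAME, signed by the demo CA with the
# X509v3 extensions listed in EXTFILE.
issue_cert() {
    name=$1; extfile=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name.vpn.example.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$extfile" -out "$WORK/$name.crt" 2>/dev/null
}

# check_server_cert CERT.pem: succeed only if the certificate's printed
# extensions show extendedKeyUsage serverAuth ("TLS Web Server Authentication")
# and keyUsage digitalSignature + keyEncipherment. Each missing value is
# reported on stderr so the reason for a rejection is visible.
check_server_cert() {
    text=$(openssl x509 -noout -text -in "$1")
    ok=0
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "$1: extendedKeyUsage lacks serverAuth" >&2; ok=1; }
    printf '%s\n' "$text" | grep -q 'Digital Signature' \
        || { echo "$1: keyUsage lacks digitalSignature" >&2; ok=1; }
    printf '%s\n' "$text" | grep -q 'Key Encipherment' \
        || { echo "$1: keyUsage lacks keyEncipherment" >&2; ok=1; }
    return $ok
}

make_ca

# Extension sets: "good" mirrors the EasyRSA server profile quoted in the
# thread; "bad" carries neither keyUsage nor extendedKeyUsage, which is the
# shape of certificate the client log in the thread complains about.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/good.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/bad.ext"
issue_cert good "$WORK/good.ext"
issue_cert bad "$WORK/bad.ext"

for c in good bad; do
    if check_server_cert "$WORK/$c.crt"; then
        echo "$c.crt: acceptable for a client using remote-cert-tls server"
    else
        echo "$c.crt: would be rejected by such a client"
    fi
done
```

To run the same check against a real server certificate, point check_server_cert at it (for example the localhost.crt path from the server config above). Note that the -purpose output quoted earlier in the thread can answer "SSL server : Yes" even when no extendedKeyUsage is present, because OpenSSL treats an absent EKU as unrestricted; grepping the -text output for the explicit values is closer to what a strict client checks.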