
OpenVPN fails at this error

Thu Jun 13 10:27:52 2019 us=490780 ###.###.###.###:52064 Incoming Ciphertext -> TLS
Thu Jun 13 10:27:52 2019 us=491055 ###.###.###.###:52064 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client
Thu Jun 13 10:27:52 2019 us=491111 ###.###.###.###:52064 SSL alert (write): fatal: unsupported certificate

(more of the log on https://pastebin.com/qjY83e7G )

Server config

#server
port 443
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/issued/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
server 10.98.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
tls-server
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
#user nobody
#group nobody
persist-key
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
explicit-exit-notify 0
auth sha512
remote-cert-tls client
duplicate-cn

Client config

client
dev tap0
proto tcp
remote ########
resolv-retry infinite
#nobind
comp-lzo
persist-key
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9

key-direction 1
cipher AES-256-CBC
auth sha512
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dh /etc/openvpn/dh.pem
tls-client
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server

#script-security 2
#up /zpi/onVpnUp.sh

Googling the error led me to this EasyRSA vars setting

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT     "no"

But reading the comment, it should be set to 'yes' only when using ns-cert-type (which I don't have in my config), not when using remote-cert-tls (which I do).

Where am I wrong?

edit: Tried recalculating certificate files with EASYRSA_NS_SUPPORT and I am still getting this error.

David162795

2 Answers


OpenVPN checks the content of certificates following the values of remote-cert-tls, which should be server on clients and client on the server (this is correct in your configuration). Please don't use ns-cert-type as it is deprecated since OpenVPN v2.4/v2.3.18, so there's no need to enable EASYRSA_NS_SUPPORT.

Therefore, client certificates should have "X509v3 Extended Key Usage" set to "TLS Web Client Authentication" and the server should have the same parameter set to "TLS Web Server Authentication". As per the resource below:

https://openvpn.net/community-resources/important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to/

Please check your certificates using:

openssl x509 -in server.crt -noout -text

and

openssl x509 -in client.crt -noout -text

respectively for server and client.

One of my client certificates includes the following in the output, which would have been accepted by the server if it had remote-cert-tls set to client (as you have):

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

The output should have the "X509v3 Extended Key Usage" parameter correctly set, to whatever the server and clients are expecting.

Under EasyRSA 3, what controls this parameter is the use of the build-client-full or build-server-full command, depending on whether you want to generate the server-side certificate or client certificates.

Pedro
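As an added example that is not part of the answer, of OpenVPN or of EasyRSA, the Python helper below applies the check described above to the output of the openssl command: given the `-text` dump, it reports whether the certificate would satisfy `remote-cert-tls client` or `remote-cert-tls server`. The Extended Key Usage rule is the one the answer states; treating Digital Signature or Key Encipherment as sufficient Key Usage is an assumption, and the sample extension blocks are constructed.

```python
import re
import subprocess
# EKU purpose names as printed by `openssl x509 -text`, keyed by the role the peer
# must present: a server with `remote-cert-tls client` expects the "client" entry.
EKU_FOR_ROLE = {"client": "TLS Web Client Authentication", "server": "TLS Web Server Authentication"}
# remote-cert-tls also checks keyUsage; accepting either of these bits is an assumption.
ACCEPTED_KU = ("Digital Signature", "Key Encipherment")

def _extension(x509_text, name):
    """Return the value lines under an 'X509v3 <name>:' header (indented deeper), or None."""
    pattern = r"^([ \t]*)X509v3 " + re.escape(name) + r":.*\n((?:\1[ \t]+\S.*\n?)+)"
    m = re.search(pattern, x509_text, re.M)
    return m.group(2) if m else None

def _items(block):
    return [v.strip() for v in block.replace("\n", ",").split(",") if v.strip()]

def check_peer_cert(x509_text, expected_role):
    """Emulate `remote-cert-tls <expected_role>`; returns (accepted, reason)."""
    want = EKU_FOR_ROLE[expected_role]
    eku = _extension(x509_text, "Extended Key Usage")
    if eku is None:
        return False, "no Extended Key Usage extension; remote-cert-tls requires one"
    purposes = _items(eku)
    if want not in purposes:
        return False, f"EKU {purposes} lacks '{want}' (unsupported certificate purpose)"
    ku = _extension(x509_text, "Key Usage")
    if ku is not None and not any(bit in ACCEPTED_KU for bit in _items(ku)):
        return False, f"Key Usage {_items(ku)} lacks Digital Signature/Key Encipherment"
    return True, f"purpose matches remote-cert-tls {expected_role}"

def check_cert_file(path, expected_role):
    """Run the openssl command from the answer on a PEM file and check its output."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-text"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return check_peer_cert(out, expected_role)

# Constructed samples (extension blocks only, as openssl prints them): the client
# certificate shown in the answer, and a CSR signed with `easyrsa sign-req server`.
CLIENT_CERT_TEXT = """\
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
"""
SERVER_SIGNED_CERT_TEXT = """\
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
```

Run `check_cert_file("/etc/openvpn/client.crt", "client")` on the server side to see the same verdict the server's `remote-cert-tls client` will reach before the handshake fails.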

I just had the same issue and wanted to share my 'solution'.
I was stupid enough to have run ./easyrsa sign-req server client01, which produced the same error:

TLS: Initial packet from [AF_INET]***:***, sid=*** *** VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=.., ST=.., ... OpenSSL: error:***:SSL routines:ssl3_get_client_certificate:certificate verify failed

Setting it to ./easyrsa sign-req client client01 resolved the issue...

  • Welcome to the Security SE! Your solution might work, but I believe it would look much better to also explain what it does and how. – peterh May 07 '20 at 13:44
  • @peterh-ReinstateMonica Thanks. I just started working with OpenVPN (or any VPN) this week. So other than for apparent reasons, I have no idea how and why this works, but it did the trick for me so I wanted to share it. – stupid anon May 08 '20 at 09:58