
Comments (14)

dsommers commented on June 24, 2024

Try enabling legacy algorithms:

$ openvpn3 config-manage --config CONFIG_NAME --enable-legacy-algorithms true

You need to have pre-imported the configuration file first, though.

$ openvpn3 config-import --persistent --name CONFIG_NAME --config CONFIG_FILE

Then you can start the config using

$ openvpn3 session-start --config CONFIG_NAME

from openvpn3-linux.

SherZCHR commented on June 24, 2024

Hi,
I enabled it but it isn't working :/

My CA signature algorithm is: ecdsa-with-SHA256
I don't understand why I still have this error on my OpenVPN server:
[image]

I thought it was an issue from the module I want to use, but when I disable it on my OpenVPN server and client, it isn't working. So the problem is really from the openvpn3 client.
I can try to change all my CA to have a 4096-bit RSA signature or maybe update to the latest version of openssl 3 on my ubuntu.

Regards

schwabe commented on June 24, 2024

That sounds more like a messed up CA than anything else.

SherZCHR commented on June 24, 2024

But when I'm trying to use my conf with OpenVPN (2.5.6) it's working well :/

dsommers commented on June 24, 2024

OpenVPN 3 Linux and the OpenVPN 3 Core Library 3.8 are by default a lot stricter out-of-the-box than OpenVPN 2.x.

schwabe commented on June 24, 2024

Can you post a log with --verb 4 from OpenVPN 2.x in that case?

SherZCHR commented on June 24, 2024

Here it is
openvpn.log

dsommers commented on June 24, 2024

Please also run another test:

 $ /usr/bin/openvpn2 --config CONFIG_FILE --verb 6

(this cannot use the pre-imported configuration, but will give a similar log output on the connection failure)

SherZCHR commented on June 24, 2024

With the wrapper OpenVPN 2.x for OpenVPN, it isn't working and I have the same problem.

But when I use the OpenVPN package from apt, version 2.5.5, it's working well :/

Could it be an issue from openvpn3, which is stricter than openvpn 2.5.5?

dsommers commented on June 24, 2024

@SherZCHR We want to see the full log of openvpn2 until it errors out, to better compare

schwabe commented on June 24, 2024

The interesting lines from the OpenVPN 2.x log:
2024-02-01 11:39:42 us=278990 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256

secp256r1 is not the best cipher but it is still accepted in normal security levels of openssl

2024-02-01 11:39:38 us=616397 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10

@SherZCHR do you have the possibility to create certificates that you can share that would allow us to reproduce the problem?

SherZCHR commented on June 24, 2024

@dsommers for the log with the openvpn2 command, I don't have any logs on the client side, but for the server side:
serv_ovpn.log

@schwabe I don't have the possibility to create a certificate for you; I use a smallstep CA, FYI

SherZCHR commented on June 24, 2024

Hi,
I tried changing my CA, and it's working well when I use Easy-RSA.
I don't know why it isn't working when I'm trying to use smallstep CA. Do you have an idea of what the problem is and if smallstep is managed?

Regards,

dsommers commented on June 24, 2024

For us to be able to understand why the "smallstep CA" isn't working, we need to see a smallstep created certificate to inspect it.

Since it is working with Easy-RSA, I'm closing this issue and converting it to a Q&A discussion. This is more a support case, not an issue in OpenVPN 3 Linux.
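
The certificate inspection requested above can be done locally with `openssl`; this is an added example, not part of the original thread, and it does not identify the cause of the smallstep failure. The function names, file names and the throwaway P-256 CA and client certificate are constructed here so the script runs offline; run `report` on an Easy-RSA-issued and a smallstep-issued certificate to compare the same fields.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not certificates from the thread.
set -e

# Create a constructed P-256 CA and a client certificate signed by it in dir $1.
make_constructed_pki() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -new -x509 -key "$d/ca.key" -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" -out "$d/ca.crt"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/client.key"
    openssl req -new -key "$d/client.key" -subj "/CN=constructed-client" \
        -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$d/client.crt" 2>/dev/null
}

# Signature algorithm the issuer used (e.g. ecdsa-with-SHA256).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Named curve of an EC public key; prints nothing for an RSA key.
cert_curve() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/ASN1 OID/ { print $2; exit }'
}

# Verify certificate $2 against CA file $1 at chain authentication level $3.
verify_at_level() {
    openssl verify -CAfile "$1" -auth_level "$3" "$2" >/dev/null 2>&1
}

# Print the fields worth comparing between a working and a failing certificate.
report() {
    echo "signature: $(cert_sig_alg "$2")"
    echo "curve:     $(cert_curve "$2")"
    openssl x509 -in "$2" -noout -ext keyUsage,extendedKeyUsage 2>/dev/null || true
    for lvl in 1 2 3 4 5; do
        if verify_at_level "$1" "$2" "$lvl"; then r=ok; else r=rejected; fi
        echo "auth_level $lvl: $r"
    done
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_constructed_pki "$workdir"
report "$workdir/ca.crt" "$workdir/client.crt"
```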
