All times are UTC
 Post subject: Openvpn on pfsense treats valid certificates as REVOKED
Posted: 22.09.2009 00:40
DES

Hi all, I have a problem with CRL.
All SSL stuff was imported from a Linux server which has to be replaced by pfSense.
Certificates are up to date, and working without the CRL check.
But when I try to implement this useful feature, I get the following error:

TLS: Initial packet from 60.234.20.25:49021, sid=5342fd0e 65634748
CRL CHECK FAILED: /C=NZ/ST=Area/L=City/O=My_Conpany/CN=OpenVPN_CA/emailAddress=support@mycompany.com is REVOKED
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

Could anybody point out what I'm doing wrong here?
Many thanks in advance


# openvpn --version
OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com
Last Update: Sep 21 02:59:33 2009 GMT
Next Update: Oct 21 02:59:33 2009 GMT
Revoked Certificates:
Serial Number: 00
Revocation Date: Jul 9 03:42:27 2009 GMT
Serial Number: 01
Revocation Date: Jul 9 03:45:03 2009 GMT
Serial Number: 02
Revocation Date: Jul 9 03:44:20 2009 GMT
Serial Number: 03
Revocation Date: Jul 9 03:46:00 2009 GMT
Serial Number: 05
Revocation Date: Jul 16 05:13:08 2009 GMT
Serial Number: 06
Revocation Date: Jul 16 04:36:29 2009 GMT
Signature Algorithm: md5WithRSAEncryption
be:a7:5e:9d:7e:61:eb:f1:14:34:9e:29:89:ab:ed:ac:50:5e:
....

(The test certificate has Serial Number 07 - not in the CRL at all)


 Post subject: Re: Openvpn on pfsense treats valid certificates as REVOKED
Posted: 23.09.2009 00:07
DES

Solved.
Found that the ca.crt serial number was (historically) 00 - the same as the SN of a previously revoked client certificate.

(I have just rebuilt all the crt stuff with the native easyrsa4pfsense for pfSense.)


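The root cause reported in the second post, as an added example that is not part of the original thread: a CRL entry identifies a certificate only by issuer name and serial number, so a lookup applied to every certificate in the chain also flags a self-signed CA whose serial equals a revoked client serial. The sample CRL text and chain values are constructed from the figures quoted in the posts, and all function and variable names are hypothetical.

```python
import re

# Constructed sample in the shape of the `openssl crl -text -noout` output above.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com
Revoked Certificates:
    Serial Number: 00
        Revocation Date: Jul  9 03:42:27 2009 GMT
    Serial Number: 01
        Revocation Date: Jul  9 03:45:03 2009 GMT
    Serial Number: 06
        Revocation Date: Jul 16 04:36:29 2009 GMT
"""
CA_DN = "/C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com"


def parse_crl_text(text):
    """Return (issuer DN, set of revoked serials as ints) from `openssl crl -text`."""
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M)
    if issuer is None:
        raise ValueError("no Issuer line in CRL text")
    # Serials are printed in hex; converting to int makes "00" and "0" compare equal.
    found = re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)", text, re.M)
    return issuer.group(1), {int(s, 16) for s in found}


def parse_serial(line):
    """Parse `openssl x509 -noout -serial` output such as 'serial=07'."""
    return int(line.strip().split("=", 1)[1], 16)


def revoked_in_chain(crl_text, chain):
    """chain: (label, issuer DN, serial line) for every cert in the chain, CA included.
    Returns the labels that a lookup by issuer name + serial number reports as revoked."""
    crl_issuer, revoked = parse_crl_text(crl_text)
    return [label for label, issuer_dn, serial_line in chain
            if issuer_dn == crl_issuer and parse_serial(serial_line) in revoked]


# Assumed chain: self-signed CA with serial 00, client test certificate with serial 07.
CHAIN = [("ca.crt", CA_DN, "serial=00"), ("client.crt", CA_DN, "serial=07")]

if __name__ == "__main__":
    for label in revoked_in_chain(CRL_TEXT, CHAIN):
        print(f"{label}: serial collides with a revoked entry in the CRL")
```

Running the same comparison against the real `ca.crt` and `crl.pem` before enabling the CRL check shows whether the CA itself collides with a revoked serial.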