Openssl-wolfssl

Hello!

I'm moving to the recent release of openwrt 22.03.0-rc4 and found that openvpn does not work!

2022-06-23 16:43:45 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-06-23 16:43:45 OpenVPN 2.5.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-06-23 16:43:45 library versions: wolfSSL 5.3.0
2022-06-23 16:43:45 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-23 16:43:46 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 16:43:46 UDPv4 link local: (not bound)
2022-06-23 16:43:46 UDPv4 link remote: [AF_INET]XXXXXX:19000
2022-06-23 16:43:46 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 OpenSSL: verify problem on certificate
2022-06-23 16:43:46 TLS_ERROR: BIO read tls_read_plaintext error
2022-06-23 16:43:46 TLS Error: TLS object -> incoming plaintext read error
2022-06-23 16:43:46 TLS Error: TLS handshake failed
2022-06-23 16:43:46 SIGUSR1[soft,tls-error] received, process restarting
2022-06-23 16:43:51 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-23 16:43:51 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 16:43:51 UDPv4 link local: (not bound)
2022-06-23 16:43:51 UDPv4 link remote: [AF_INET]XXXXX:19000
2022-06-23 16:43:51 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 OpenSSL: verify problem on certificate
2022-06-23 16:43:51 TLS_ERROR: BIO read tls_read_plaintext error
2022-06-23 16:43:51 TLS Error: TLS object -> incoming plaintext read error
2022-06-23 16:43:51 TLS Error: TLS handshake failed
2022-06-23 16:43:51 SIGUSR1[soft,tls-error] received, process restarting

client certificate looks just fine:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 175 (0xaf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IT, ST=MI, L=Milano, O=6project IPv6 Tunnel Broker, OU=M&M Networks, CN=6project IPv6 Tunnel Broker/name=6project/emailAddress=xxxxxx.org
        Validity
            Not Before: Mar 22 08:24:23 2022 GMT
            Not After : Mar 19 08:24:23 2032 GMT
        Subject: C=IT, ST=MI, L=Milano, O=6project IPv6 Tunnel Broker, OU=M&M Networks, CN=xxxxxxx/name=6project/emailAddress=XXXX.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:XXXXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                XXXX:6E
            X509v3 Authority Key Identifier: 
                keyid:XXXX:F3
                DirName:/C=IT/ST=MI/L=Milano/O=6project IPv6 Tunnel Broker/OU=M&M Networks/CN=6project IPv6 Tunnel Broker/name=6project/emailAddress=XXXX.org
                serial:XXXX:17

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:kuznetsov
    Signature Algorithm: sha256WithRSAEncryption
         bb:XXXXX:fe:
-----BEGIN CERTIFICATE-----

Did you correct any of the warnings it displayed?

2 Likes

Yes you're using an old config file with some deprecated options. Newer OpenVPN versions don't have much backward compatibility, this is intentional to stop use of insecure old methods.

I think that certificate depth=1 means the CA, not the server or client certificate.

2 Likes

Yes I did. No changes:

2022-06-23 18:46:09 OpenVPN 2.5.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-06-23 18:46:09 library versions: wolfSSL 5.3.0
2022-06-23 18:46:09 TCP/UDP: Preserving recently used remote address: [AF_INET]185.133.208.223:19000
2022-06-23 18:46:09 UDPv4 link local: (not bound)
2022-06-23 18:46:09 UDPv4 link remote: [AF_INET]185.133.208.223:19000
2022-06-23 18:46:09 VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 OpenSSL: verify problem on certificate
2022-06-23 18:46:09 TLS_ERROR: BIO read tls_read_plaintext error

Are you sure?

(I'm unsure why users see words "error" and "problem" in the description of the log message, plus the exact problem...but say they fixed it. :man_shrugging: )

It seems your cert has an issue, clear as day.

1 Like

Thank you for pointing me out. I'll try to figure out what wrong with cert. Yet it works fine with openwrt 21.03 and openvpn-openssl...

1 Like