openssl verify error 7 at 1 depth lookup:certificate signature failureOpenSSL: certificate signature failure errorOpenVPN: self-signed certificate in chainVPN Certificate Validation Failed (OpenVPN)? CentOS & UbuntuOpenvpn signing certificates with wrong CAMySQL SSL: bad other signature confirmationHAProxy - ssl client ca chain cannot be verifiedOpenVPN ssl VERIFY ERROR: depth=0, error=certificate signature failure in TI am335x-evm platformSSL certificate working in chrome but not openssl s_client or curlOpenSSL/HAProxy verify client certificates using a non-CA certificateStrongswan with letsencrypt certificates (IKEv2-EAP)
Set outline first and fill colors later
Was this scene in S8E06 added because of fan reactions to S8E04?
Why Emacs (dired+) asks me twice to delete file?
Are runways booked by airlines to land their planes?
Can attacking players use activated abilities after blockers have been declared?
Who wrote “A writer only begins a book. A reader finishes it.”
Why did other houses not demand this?
resolution bandwidth
Why is unzipped directory exactly 4.0K (much smaller than zipped file)?
One word for 'the thing that attracts me'?
What is the use case for non-breathable waterproof pants?
Can diplomats be allowed on the flight deck of a commercial European airline?
Why do testers need root cause analysis?
Goldfish unresponsive, what should I do?
Paired t-test means that the variances of the 2 samples are the same?
Possibility of faking someone's public key
What is to the west of Westeros?
Storing voxels for a voxel Engine in C++
Are there historical examples of audiences drawn to a work that was "so bad it's good"?
Are there any German nonsense poems (Jabberwocky)?
How to deceive the MC
Why do the i8080 I/O instructions take a byte-sized operand to determine the port?
EU rights when flight delayed so much that return is missed
Is keeping the forking link on a true fork necessary (Github/GPL)?
openssl verify error 7 at 1 depth lookup:certificate signature failure
OpenSSL: certificate signature failure errorOpenVPN: self-signed certificate in chainVPN Certificate Validation Failed (OpenVPN)? CentOS & UbuntuOpenvpn signing certificates with wrong CAMySQL SSL: bad other signature confirmationHAProxy - ssl client ca chain cannot be verifiedOpenVPN ssl VERIFY ERROR: depth=0, error=certificate signature failure in TI am335x-evm platformSSL certificate working in chrome but not openssl s_client or curlOpenSSL/HAProxy verify client certificates using a non-CA certificateStrongswan with letsencrypt certificates (IKEv2-EAP)
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have installed OpenVPN server on CentOS. I have two clients - first under CentOS (all works), and trying connect Windows client now.
I generated client's certificates with build-key utility.
If I check it on server's side - all seems to be OK:
# openssl verify -CAfile /etc/openvpn/clients/setevoy/ca.crt /etc/openvpn/clients/setevoy/setevoy.crt
/etc/openvpn/clients/setevoy/setevoy.crt: OK
But - when I check same certificates under Windows - got error:
$ openssl verify -CAfile ca.crt setevoy.crt
setevoy.crt: /C=UA/ST=CA/L=Kiev/O=Fort-Funston/OU=MyOrganizationalUnit/CN=venti.setevoy.org.ua/name=openvpn_root/emailAddress=root@setevoy.org.ua
error 7 at 1 depth lookup:certificate signature failure
Files seems to be identical on server (from where I copied them) and on Windows client (where they are placed in c/Program Files (x86)/OpenVPN/config:
# md5sum /etc/openvpn/clients/setevoy/ca.crt
53984cf44daffb708cdb937fa3d30438 /etc/openvpn/clients/setevoy/ca.crt
$ md5sum ca.crt
53984cf44daffb708cdb937fa3d30438 *ca.crt
# md5sum /etc/openvpn/clients/setevoy/setevoy.crt
c818d312e58db514a9a2afae4c687241 /etc/openvpn/clients/setevoy/setevoy.crt
$ md5sum setevoy.crt
c818d312e58db514a9a2afae4c687241 *setevoy.crt
I assume, something wrong with Windows OpenSSL mechanism... Or something similar issue:
$ head setevoy.crt | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Then, when I try start OpenVNP GUI - got error:
Wed Dec 17 11:44:25 2014 TLS_ERROR: BIO read tls_read_plaintext error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed Wed Dec 17 11:44:25 2014 TLS Error: TLS object ->
incoming plaintext read error Wed Dec 17 11:44:25 2014 TLS Error: TLS
handshake failed
UPD
On server:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
and on Windows client:
$ openssl.exe version
OpenSSL 0.9.7l 28 Sep 2006
UPD 2
I upgraded OpenSSL for OpenVPN GUI, now it's 1.0.1, and verify works:
$ ../bin/openssl.exe version
OpenSSL 1.0.1j 15 Oct 2014
$ ../bin/openssl.exe verify -CAfile ca.crt setevoy.crt
setevoy.crt: OK
But - I still can't connect, with same error in log.
I also installed new CentOS server, just for testing, and OpenVPN client there - all works. Problem with Windows client only.
windows vpn ssl-certificate openssl
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
add a comment |
I have installed OpenVPN server on CentOS. I have two clients - first under CentOS (all works), and trying connect Windows client now.
I generated client's certificates with build-key utility.
If I check it on server's side - all seems to be OK:
# openssl verify -CAfile /etc/openvpn/clients/setevoy/ca.crt /etc/openvpn/clients/setevoy/setevoy.crt
/etc/openvpn/clients/setevoy/setevoy.crt: OK
But - when I check same certificates under Windows - got error:
$ openssl verify -CAfile ca.crt setevoy.crt
setevoy.crt: /C=UA/ST=CA/L=Kiev/O=Fort-Funston/OU=MyOrganizationalUnit/CN=venti.setevoy.org.ua/name=openvpn_root/emailAddress=root@setevoy.org.ua
error 7 at 1 depth lookup:certificate signature failure
Files seems to be identical on server (from where I copied them) and on Windows client (where they are placed in c/Program Files (x86)/OpenVPN/config:
# md5sum /etc/openvpn/clients/setevoy/ca.crt
53984cf44daffb708cdb937fa3d30438 /etc/openvpn/clients/setevoy/ca.crt
$ md5sum ca.crt
53984cf44daffb708cdb937fa3d30438 *ca.crt
# md5sum /etc/openvpn/clients/setevoy/setevoy.crt
c818d312e58db514a9a2afae4c687241 /etc/openvpn/clients/setevoy/setevoy.crt
$ md5sum setevoy.crt
c818d312e58db514a9a2afae4c687241 *setevoy.crt
I assume, something wrong with Windows OpenSSL mechanism... Or something similar issue:
$ head setevoy.crt | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Then, when I try start OpenVNP GUI - got error:
Wed Dec 17 11:44:25 2014 TLS_ERROR: BIO read tls_read_plaintext error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed Wed Dec 17 11:44:25 2014 TLS Error: TLS object ->
incoming plaintext read error Wed Dec 17 11:44:25 2014 TLS Error: TLS
handshake failed
UPD
On server:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
and on Windows client:
$ openssl.exe version
OpenSSL 0.9.7l 28 Sep 2006
UPD 2
I upgraded OpenSSL for OpenVPN GUI, now it's 1.0.1, and verify works:
$ ../bin/openssl.exe version
OpenSSL 1.0.1j 15 Oct 2014
$ ../bin/openssl.exe verify -CAfile ca.crt setevoy.crt
setevoy.crt: OK
But - I still can't connect, with same error in log.
I also installed new CentOS server, just for testing, and OpenVPN client there - all works. Problem with Windows client only.
windows vpn ssl-certificate openssl
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
add a comment |
I have installed OpenVPN server on CentOS. I have two clients - first under CentOS (all works), and trying connect Windows client now.
I generated client's certificates with build-key utility.
If I check it on server's side - all seems to be OK:
# openssl verify -CAfile /etc/openvpn/clients/setevoy/ca.crt /etc/openvpn/clients/setevoy/setevoy.crt
/etc/openvpn/clients/setevoy/setevoy.crt: OK
But - when I check same certificates under Windows - got error:
$ openssl verify -CAfile ca.crt setevoy.crt
setevoy.crt: /C=UA/ST=CA/L=Kiev/O=Fort-Funston/OU=MyOrganizationalUnit/CN=venti.setevoy.org.ua/name=openvpn_root/emailAddress=root@setevoy.org.ua
error 7 at 1 depth lookup:certificate signature failure
Files seems to be identical on server (from where I copied them) and on Windows client (where they are placed in c/Program Files (x86)/OpenVPN/config:
# md5sum /etc/openvpn/clients/setevoy/ca.crt
53984cf44daffb708cdb937fa3d30438 /etc/openvpn/clients/setevoy/ca.crt
$ md5sum ca.crt
53984cf44daffb708cdb937fa3d30438 *ca.crt
# md5sum /etc/openvpn/clients/setevoy/setevoy.crt
c818d312e58db514a9a2afae4c687241 /etc/openvpn/clients/setevoy/setevoy.crt
$ md5sum setevoy.crt
c818d312e58db514a9a2afae4c687241 *setevoy.crt
I assume, something wrong with Windows OpenSSL mechanism... Or something similar issue:
$ head setevoy.crt | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Then, when I try start OpenVNP GUI - got error:
Wed Dec 17 11:44:25 2014 TLS_ERROR: BIO read tls_read_plaintext error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed Wed Dec 17 11:44:25 2014 TLS Error: TLS object ->
incoming plaintext read error Wed Dec 17 11:44:25 2014 TLS Error: TLS
handshake failed
UPD
On server:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
and on Windows client:
$ openssl.exe version
OpenSSL 0.9.7l 28 Sep 2006
UPD 2
I upgraded OpenSSL for OpenVPN GUI, now it's 1.0.1, and verify works:
$ ../bin/openssl.exe version
OpenSSL 1.0.1j 15 Oct 2014
$ ../bin/openssl.exe verify -CAfile ca.crt setevoy.crt
setevoy.crt: OK
But - I still can't connect, with same error in log.
I also installed new CentOS server, just for testing, and OpenVPN client there - all works. Problem with Windows client only.
windows vpn ssl-certificate openssl
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
I have installed OpenVPN server on CentOS. I have two clients - first under CentOS (all works), and trying connect Windows client now.
I generated client's certificates with build-key utility.
If I check it on server's side - all seems to be OK:
# openssl verify -CAfile /etc/openvpn/clients/setevoy/ca.crt /etc/openvpn/clients/setevoy/setevoy.crt
/etc/openvpn/clients/setevoy/setevoy.crt: OK
But - when I check same certificates under Windows - got error:
$ openssl verify -CAfile ca.crt setevoy.crt
setevoy.crt: /C=UA/ST=CA/L=Kiev/O=Fort-Funston/OU=MyOrganizationalUnit/CN=venti.setevoy.org.ua/name=openvpn_root/emailAddress=root@setevoy.org.ua
error 7 at 1 depth lookup:certificate signature failure
Files seems to be identical on server (from where I copied them) and on Windows client (where they are placed in c/Program Files (x86)/OpenVPN/config:
# md5sum /etc/openvpn/clients/setevoy/ca.crt
53984cf44daffb708cdb937fa3d30438 /etc/openvpn/clients/setevoy/ca.crt
$ md5sum ca.crt
53984cf44daffb708cdb937fa3d30438 *ca.crt
# md5sum /etc/openvpn/clients/setevoy/setevoy.crt
c818d312e58db514a9a2afae4c687241 /etc/openvpn/clients/setevoy/setevoy.crt
$ md5sum setevoy.crt
c818d312e58db514a9a2afae4c687241 *setevoy.crt
I assume, something wrong with Windows OpenSSL mechanism... Or something similar issue:
$ head setevoy.crt | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Then, when I try start OpenVNP GUI - got error:
Wed Dec 17 11:44:25 2014 TLS_ERROR: BIO read tls_read_plaintext error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed Wed Dec 17 11:44:25 2014 TLS Error: TLS object ->
incoming plaintext read error Wed Dec 17 11:44:25 2014 TLS Error: TLS
handshake failed
UPD
On server:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
and on Windows client:
$ openssl.exe version
OpenSSL 0.9.7l 28 Sep 2006
UPD 2
I upgraded OpenSSL for OpenVPN GUI, now it's 1.0.1, and verify works:
$ ../bin/openssl.exe version
OpenSSL 1.0.1j 15 Oct 2014
$ ../bin/openssl.exe verify -CAfile ca.crt setevoy.crt
setevoy.crt: OK
But - I still can't connect, with same error in log.
I also installed new CentOS server, just for testing, and OpenVPN client there - all works. Problem with Windows client only.
windows vpn ssl-certificate openssl
windows vpn ssl-certificate openssl
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
edited Dec 17 '14 at 14:22
setevoy
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
asked Dec 17 '14 at 10:11
setevoysetevoy
1941213
1941213
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.
"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.
How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for certsigning (it could be in a CONF file or on the commandline and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to specific version or download I can take a look.
PS- it might help if you tag openvpn specifically instead of vpn.
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
add a comment |
Problem was caused by Windows OpenSSL, which can't work with sha256 algorithm.
Solution, I found - edit config file /etc/openvpn/easy-rsa/openssl-1.0.0.cnf(or other, depending on OpenSSL version on your server), and set:
default_md = md5
instead of
default_md = sha245
Then - re-generate all you server and client's certificates and keys (including Hoffman key).
After this - OpenVPN GUI almost works...
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f653144%2fopenssl-verify-error-7-at-1-depth-lookupcertificate-signature-failure%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.
"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.
How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for certsigning (it could be in a CONF file or on the commandline and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to specific version or download I can take a look.
PS- it might help if you tag openvpn specifically instead of vpn.
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
add a comment |
OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.
"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.
How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for certsigning (it could be in a CONF file or on the commandline and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to specific version or download I can take a look.
PS- it might help if you tag openvpn specifically instead of vpn.
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
add a comment |
OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.
"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.
How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for certsigning (it could be in a CONF file or on the commandline and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to specific version or download I can take a look.
PS- it might help if you tag openvpn specifically instead of vpn.
OpenSSL 0.9.7 is WAY old and does not support SHA256, and therefore cannot verify your server's cert. You must either upgrade the client OpenSSL to at least 0.9.8 (which isn't binary compatible thus probably requires recompiling, or obtaining a different compilation of, OpenVPN), OR change to a server cert signed with SHA1-RSA.
"SHA1 is bad": Browsers and CAs on the public web, who drive most SSL/TLS usage, are forcefully phasing out SHA1-signed certs because they are expected to soon come in reach of collision attacks. But VPNs are (usually) a controlled situation where you run the CA and there are only a modest number of clients and you know them in advance; then you don't need to worry about collision attack and SHA1 is adequately secure -- as long as you aren't subject to some regulation or policy that just forbids SHA1 to be on the safe side and you can't get a waiver.
How? I don't know where OpenVPN/easy-rsa sets the parameters OpenSSL uses for certsigning (it could be in a CONF file or on the commandline and either way could use an envvar); marked community so anyone can easily help. If no one does and you point to specific version or download I can take a look.
PS- it might help if you tag openvpn specifically instead of vpn.
answered Dec 17 '14 at 14:15
community wiki
dave_thompson_085
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
add a comment |
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
Please, take a look at UPD 2 in my post :-)
– setevoy
Dec 17 '14 at 14:23
add a comment |
Problem was caused by Windows OpenSSL, which can't work with sha256 algorithm.
Solution, I found - edit config file /etc/openvpn/easy-rsa/openssl-1.0.0.cnf(or other, depending on OpenSSL version on your server), and set:
default_md = md5
instead of
default_md = sha245
Then - re-generate all you server and client's certificates and keys (including Hoffman key).
After this - OpenVPN GUI almost works...
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
add a comment |
Problem was caused by Windows OpenSSL, which can't work with sha256 algorithm.
Solution, I found - edit config file /etc/openvpn/easy-rsa/openssl-1.0.0.cnf(or other, depending on OpenSSL version on your server), and set:
default_md = md5
instead of
default_md = sha245
Then - re-generate all you server and client's certificates and keys (including Hoffman key).
After this - OpenVPN GUI almost works...
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
add a comment |
Problem was caused by Windows OpenSSL, which can't work with sha256 algorithm.
Solution, I found - edit config file /etc/openvpn/easy-rsa/openssl-1.0.0.cnf(or other, depending on OpenSSL version on your server), and set:
default_md = md5
instead of
default_md = sha245
Then - re-generate all you server and client's certificates and keys (including Hoffman key).
After this - OpenVPN GUI almost works...
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
Problem was caused by Windows OpenSSL, which can't work with sha256 algorithm.
Solution, I found - edit config file /etc/openvpn/easy-rsa/openssl-1.0.0.cnf(or other, depending on OpenSSL version on your server), and set:
default_md = md5
instead of
default_md = sha245
Then - re-generate all you server and client's certificates and keys (including Hoffman key).
After this - OpenVPN GUI almost works...
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
answered Dec 17 '14 at 18:48
setevoysetevoy
1941213
1941213
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
add a comment |
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
1
1
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
As I said it's not Windows as such, it's the old version 0.9.7 which you happened to have on Windows. I don't understand why upgrading the Windows version, your Update 2, worked only partly. But if you prefer to downgrade the hash and that works, fine. PS: There is no "Hoffman" key; you probably mean Diffie-Hellman parameters which are not actually a key but are usually configured in an SSL/TLS server along with a (RSA, DSA, or ECDSA) key and cert.
– dave_thompson_085
Dec 19 '14 at 4:42
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
I have upgraded OpenSSL on Win, in OpenVPN/bin up to 1.0.1; regarding Diffie-Hellman - yep, you right, I just wrote it "quickly" :-)
– setevoy
Dec 19 '14 at 10:07
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f653144%2fopenssl-verify-error-7-at-1-depth-lookupcertificate-signature-failure%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
