证书验证失败 - 打开 VPN

tag-icon tag-icon ssl-certificate openvpn openssl certificate-authority
证书验证失败 - 打开 VPN

建立开放式 vpn 连接时,我遇到错误“TLS_ERROR:BIO 读取 tls_read_plaintext 错误:错误:14090086:SSL 例程:ssl3_get_server_certificate:证书验证失败”

SSL 证书根 CA 是“防火墙网络CA

尝试找出是否有任何选项可以禁用证书验证。

注意:我正尝试通过路由器 (Asus RT-AC55UHP) 的 VPN 客户端连接到 VPN。我能够使用 tunnelblick 在 MacBook 中使用相同的配置建立 VPN 连接

系统日志:

openvpn[10205]: OpenVPN 2.3.2 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Dec  1 2016
openvpn[10205]: Socket Buffers: R=[87380->131072] S=[16384->131072]
openvpn[10211]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
openvpn[10211]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
openvpn[10211]: TCPv4_CLIENT link local: [undef]
openvpn[10211]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
openvpn[10211]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=84d506xx 088122xx
openvpn[10211]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[10211]: VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80XX04868XXX3 2015-11-18 09:19:40 GMT) CA
openvpn[10211]: Validating certificate extended key usage
openvpn[10211]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS
openvpn[10211]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.1, expects TLS
openvpn[10211]: VERIFY EKU ERROR
openvpn[10211]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
openvpn[10211]: TLS Error: TLS object -> incoming plaintext read error
openvpn[10211]: TLS Error: TLS handshake failed
openvpn[10211]: Fatal TLS error (check_tls_errors_co), restarting
openvpn[10211]: SIGUSR1[soft,tls-error] received, process restarting
openvpn[10211]: Restart pause, 5 second(s)

客户端.ovpn:

dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
--Removed--
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
--Removed--
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
--Removed--
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote XXX.XXX.XXX.XXX 443
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth SHA1
float
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass
;remember_connection 0
;auto_reconnect 1

相关内容