No connection after update

Got a problem with Viscosity or need help? Ask here!

robbacki

Posts: 2
Joined: Sun Sep 15, 2019 3:37 am

Post by robbacki » Sun Sep 15, 2019 3:44 am
Hello everybody.
I just had a perfect Connection with Version 1.7.9 some minutes ago.
5 minutes later, after updating to Version 1.8, viscosity fails to connect while authenticating.

No changes on server-side, only update of viscosity.
Please give me a hint, what to do. Thanks so much.

Log:
2019-09-14 19:40:04: Viscosity Mac 1.8 (1505)
2019-09-14 19:40:04: Viscosity OpenVPN Engine Started
2019-09-14 19:40:04: Running on macOS 10.14.6
2019-09-14 19:40:04: ---------
2019-09-14 19:40:04: State changed to verbinde
2019-09-14 19:40:04: Checking reachability status of connection...
2019-09-14 19:40:04: Connection is reachable. Starting connection attempt.
2019-09-14 19:40:04: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019
2019-09-14 19:40:04: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
2019-09-14 19:40:04: Valid endpoint found: 217.7.152.141:44443:tcp-client
2019-09-14 19:40:04: TCP/UDP: Preserving recently used remote address: [AF_INET]217.7.152.141:44443
2019-09-14 19:40:04: Attempting to establish TCP connection with [AF_INET]217.7.152.141:44443 [nonblock]
2019-09-14 19:40:05: TCP connection established with [AF_INET]217.7.152.141:44443
2019-09-14 19:40:05: TCP_CLIENT link local: (not bound)
2019-09-14 19:40:05: TCP_CLIENT link remote: [AF_INET]217.7.152.141:44443
2019-09-14 19:40:05: State changed to authentifiziere
2019-09-14 19:40:05: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-09-14 19:40:05: VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Landshut, O=VHS Landshut, CN=vhslafw, [email protected]
2019-09-14 19:40:05: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2019-09-14 19:40:05: TLS_ERROR: BIO read tls_read_plaintext error
2019-09-14 19:40:05: TLS Error: TLS object -> incoming plaintext read error
2019-09-14 19:40:05: TLS Error: TLS handshake failed
2019-09-14 19:40:05: Fatal TLS error (check_tls_errors_co), restarting
2019-09-14 19:40:05: State changed to getrennt
2019-09-14 19:40:10: Viscosity Mac 1.8 (1505)
2019-09-14 19:40:10: Viscosity OpenVPN Engine Started
2019-09-14 19:40:10: Running on macOS 10.14.6
2019-09-14 19:40:10: ---------
2019-09-14 19:40:10: State changed to verbinde
2019-09-14 19:40:10: Checking reachability status of connection...
2019-09-14 19:40:10: Connection is reachable. Starting connection attempt.
2019-09-14 19:40:10: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019
2019-09-14 19:40:10: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
2019-09-14 19:40:11: Valid endpoint found: 217.7.152.141:44443:tcp-client
2019-09-14 19:40:11: TCP/UDP: Preserving recently used remote address: [AF_INET]217.7.152.141:44443
2019-09-14 19:40:11: Attempting to establish TCP connection with [AF_INET]217.7.152.141:44443 [nonblock]
2019-09-14 19:40:12: TCP connection established with [AF_INET]217.7.152.141:44443
2019-09-14 19:40:12: TCP_CLIENT link local: (not bound)
2019-09-14 19:40:12: TCP_CLIENT link remote: [AF_INET]217.7.152.141:44443
2019-09-14 19:40:12: State changed to authentifiziere
2019-09-14 19:40:12: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-09-14 19:40:12: VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Landshut, O=VHS Landshut, CN=vhslafw, [email protected]
2019-09-14 19:40:12: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2019-09-14 19:40:12: TLS_ERROR: BIO read tls_read_plaintext error
2019-09-14 19:40:12: TLS Error: TLS object -> incoming plaintext read error
2019-09-14 19:40:12: TLS Error: TLS handshake failed
2019-09-14 19:40:12: Fatal TLS error (check_tls_errors_co), restarting
2019-09-14 19:40:12: SIGTERM[soft,tls-error] received, process exiting
2019-09-14 19:40:12: State changed to getrennt

James

User avatar
Posts: 1923
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Sep 15, 2019 1:00 pm
Hi robbacki,

Thanks for posting your log. The important line is:
Code: Select all
VERIFY ERROR: depth=0, error=format error in certificate's notAfter field
This is indicating that the format of the expiry date (the notAfter field) embedded in the server's certificate is invalid. Old versions of OpenSSL inadvertently let dates that did not meet the specification through, and this was fixed in an OpenSSL update (I believe this was included in the 1.7.12 release of Viscosity, so all versions since then will reject your server's certificate).

As for how the certificate was generated with a bad date, the most common reason that we saw was that certificates generated using the macOS Keychain used to generate certificates with an invalid date (they were missing timezone information). However it's possible one or more other tools may have as well.

To fix the issue you'll need to re-generate your server's certificate and private key. If you're not sure how to do that, we have some information at:
https://www.sparklabs.com/support/kb/article/creating-certificates-and-keys-for-your-openvpn-server/

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

robbacki

Posts: 2
Joined: Sun Sep 15, 2019 3:37 am

Post by robbacki » Sun Sep 15, 2019 3:37 pm
Thank you for your help, but I had no susccess solving the problem.
And again, from one Minute to the other with only updating from 1.7.9 to 1.8 the problem occurs.
A server-problem is impossible.
I can remember, that the same problem occurs with a earlier update some month ago and the solution was a simple command in mac terminal - but, unfortunately, I can not remeber this…

And I did not found the solution searching the net.
Do you have any idea?

James

User avatar
Posts: 1923
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Sep 15, 2019 4:06 pm
It's definitely a problem with the OpenVPN server's certificate.

All OpenVPN clients released after the OpenSSL update (November 2018) will reject the server's certificate, not just Viscosity.

Here's a post from 2018 with some more information at:
https://www.sparklabs.com/forum/viewtopic.php?f=3&t=2620&p=7907#p7907

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
4 posts Page 1 of 1