Hi all,

I have my own CA tree, with the relevant part being:

root CA {1}
\- VPN CA {2}
\- server CA {3}
|- server certificate {4}
\- client certificate {5}

I put 1 & 2 into /etc/ssl/certs/ of the server and 3 into
/etc/openvpn/default/default-ca.pem . The server does, of course, use
its server certificate & privkey.

The client has a single CA file with 1, 2 & 3's certificates
concatenated. It also has its own client certificate & privkey.

Verifying the trust chain with openssl verify -verbose -CAfile foo works
for all five certificates with foo holding 1, 2 & 3.


Yet, when I want to connect to the server, OpenVPN dies with:

Tue Mar 25 15:04:53 2008 us=886000 Incoming Ciphertext -> TLS
Tue Mar 25 15:04:53 2008 us=886000 VERIFY OK: depth=3, /CN=root_CA
Tue Mar 25 15:04:53 2008 us=886000 VERIFY ERROR: depth=2,
error=certificate signature failure: /CN=VPN_CA
Tue Mar 25 15:04:53 2008 us=886000 SSL alert (write): fatal: decrypt error
Tue Mar 25 15:04:53 2008 us=886000 TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS object -> incoming
plaintext read error
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS handshake failed

(The name strings for 1 & 2 being shortened to root_CA & VPN_CA respectively)


man verify tells me:

7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
the signature of the certificate is invalid.

which does not make sense, seeing as the path verifies OK when doing the
same thing manually and even using the very same file for the
verification that the OpenVPN client is using.


So, if anyone has any idea or an educated guess about the cause or hints
to get better debug output, please tell me.


Thanks in advance
Richard
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org