can't connect with Sierra 12.13.2


Jared Wechsler

Mar 18, 2017, 2:01:47 PM
to tunnelblick-discuss
I can connect from all my iOS devices just fine, but cannot from my MacBook. I tried Viscosity too and get the same errors. Not sure what macOS is looking for that is different than my iPhone or iPad. If anyone can help it would be greatly appreciated, as this same config and certs/keys works on my iPhone and iPad.

auth-nocache
auth SHA1
auth-user-pass
ca cert_export_CA.crt
cert cert_export_MacBook.crt
cipher AES-256-CBC
client
dev tun
key cert_export_MacBook.key
mute-replay-warnings
nobind
persist-key
persist-tun
ping 15
ping-restart 45
ping-timer-rem
proto tcp
pull
redirect-gateway def1
remote-cert-tls server
remote storage-addict.io 51194
resolve-retry infinite
route 10.10.0.0 255.255.255.0 172.21.0.1
tls-client
verb 4

2017-03-18 13:33:44 MANAGEMENT: CMD 'username "Auth" "j_r0dd"'
2017-03-18 13:33:44 MANAGEMENT: CMD 'password [...]'
2017-03-18 13:33:44 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-03-18 13:33:44 Socket Buffers: R=[131072->131072] S=[131072->131072]
2017-03-18 13:33:44 MANAGEMENT: >STATE:1489858424,RESOLVE,,,
2017-03-18 13:33:45 Attempting to establish TCP connection with [AF_INET]47.203.55.123:51194 [nonblock]
2017-03-18 13:33:45 MANAGEMENT: >STATE:1489858425,TCP_CONNECT,,,
2017-03-18 13:33:46 TCP connection established with [AF_INET]47.203.55.123:51194
2017-03-18 13:33:46 TCPv4_CLIENT link local: [undef]
2017-03-18 13:33:46 TCPv4_CLIENT link remote: [AF_INET]47.203.55.123:51194
2017-03-18 13:33:46 MANAGEMENT: >STATE:1489858426,WAIT,,,
2017-03-18 13:33:46 MANAGEMENT: >STATE:1489858426,AUTH,,,
2017-03-18 13:33:46 TLS: Initial packet from [AF_INET]47.203.55.123:51194, sid=e996b4cd 854a218f
2017-03-18 13:33:46 VERIFY OK: depth=1, C=US, ST=FL, O=Storage-Addict, OU=IT, CN=CA
2017-03-18 13:33:46 VERIFY ERROR: could not extract CN from X509 subject string ('C=US, ST=FL, O=Storage-Addict, OU=IT') -- note that the username length is limited to 64 characters
2017-03-18 13:33:46 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-03-18 13:33:46 TLS_ERROR: BIO read tls_read_plaintext error
2017-03-18 13:33:46 TLS Error: TLS object -> incoming plaintext read error
2017-03-18 13:33:46 TLS Error: TLS handshake failed
2017-03-18 13:33:46 Fatal TLS error (check_tls_errors_co), restarting
2017-03-18 13:33:46 SIGUSR1[soft,tls-error] received, process restarting
2017-03-18 13:33:46 MANAGEMENT: >STATE:1489858426,RECONNECTING,tls-error,,
2017-03-18 13:33:46 MANAGEMENT: CMD 'hold release'
2017-03-18 13:33:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-03-18 13:33:46 Socket Buffers: R=[131072->131072] S=[131072->131072]
2017-03-18 13:33:46 MANAGEMENT: >STATE:1489858426,RESOLVE,,,
2017-03-18 13:33:46 Attempting to establish TCP connection with [AF_INET]47.203.55.123:51194 [nonblock]
2017-03-18 13:33:46 MANAGEMENT: >STATE:1489858426,TCP_CONNECT,,,
2017-03-18 13:33:47 TCP connection established with [AF_INET]47.203.55.123:51194
2017-03-18 13:33:47 TCPv4_CLIENT link local: [undef]
2017-03-18 13:33:47 TCPv4_CLIENT link remote: [AF_INET]47.203.55.123:51194
2017-03-18 13:33:47 MANAGEMENT: >STATE:1489858427,WAIT,,,
2017-03-18 13:33:47 MANAGEMENT: >STATE:1489858427,AUTH,,,
2017-03-18 13:33:47 TLS: Initial packet from [AF_INET]47.203.55.123:51194, sid=d7920203 c2cf4eb3
2017-03-18 13:33:49 *Tunnelblick: Disconnecting; user cancelled authorization
2017-03-18 13:33:50 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-03-18 13:33:50 *Tunnelblick: Disconnecting using 'kill'
2017-03-18 13:33:50 MANAGEMENT: Client disconnected
2017-03-18 13:33:50 ERROR: could not read Auth username/password/ok/string from management interface

Tunnelblick developer

Mar 18, 2017, 10:40:40 PM
to tunnelblick-discuss
There seems to be a problem with one of the certificates:

2017-03-18 13:33:46 VERIFY ERROR: could not extract CN from X509 subject string ('C=US, ST=FL, O=Storage-Addict, OU=IT') -- note that the username length is limited to 64 characters


Usually there is a "CN=xxxxx" field in a certificate but yours doesn't have one; perhaps that's why you're getting this error.
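An added illustration of the check behind that log line (this is not Tunnelblick's or OpenVPN's own code): a small Python routine that applies the two conditions the message names, that the subject must carry a CN and that the CN must fit in 64 characters, plus a scanner that pulls the offending subject out of OpenVPN log lines. The sample log is the three lines from the first post; note that the CA at depth=1 (which has CN=CA) verified fine, and it is the certificate whose subject ends at OU=IT that fails. The subject parser also accepts the slash-separated form that older `openssl x509 -subject` output prints, which goes beyond the comma-separated form in the thread.

```python
"""Added illustration for this thread; not Tunnelblick or OpenVPN code.

Mirrors the two conditions the OpenVPN log line names:
  VERIFY ERROR: could not extract CN from X509 subject string (...)
  -- note that the username length is limited to 64 characters
i.e. the subject must carry a CN, and that CN must fit in 64 characters.
"""
import re
from typing import List, Tuple

MAX_CN_LEN = 64  # limit quoted in the OpenVPN log message

# Sample input: three lines copied from the log in the first post.
SAMPLE_LOG = [
    "2017-03-18 13:33:46 VERIFY OK: depth=1, C=US, ST=FL, O=Storage-Addict, OU=IT, CN=CA",
    "2017-03-18 13:33:46 VERIFY ERROR: could not extract CN from X509 subject string "
    "('C=US, ST=FL, O=Storage-Addict, OU=IT') -- note that the username length is limited to 64 characters",
    "2017-03-18 13:33:46 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed",
]

_VERIFY_ERROR = re.compile(
    r"VERIFY ERROR: could not extract CN from X509 subject string \('([^']*)'\)"
)


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a one-line subject into (attribute, value) pairs.

    Accepts the comma form used in OpenVPN logs and OpenSSL 1.1+
    ('C=US, ST=FL, ...') and the slash form printed by OpenSSL 1.0
    ('/C=US/ST=FL/...'), with or without a leading 'subject=' label.
    Attribute names are upper-cased; values keep their case.
    """
    s = subject.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    parts = s.lstrip("/").split("/") if s.startswith("/") else s.split(",")
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_common_name(subject: str) -> Tuple[bool, str]:
    """Return (ok, detail): the CN on success, else the reason it would be rejected."""
    cns = [value for attr, value in parse_subject(subject) if attr == "CN"]
    if not cns:
        return False, "no CN in subject"
    cn = cns[0]
    if not cn:
        return False, "CN is empty"
    if len(cn) > MAX_CN_LEN:
        return False, f"CN is {len(cn)} characters, limit is {MAX_CN_LEN}"
    return True, cn


def failing_subjects(log_lines: List[str]) -> List[str]:
    """Subject strings from every 'could not extract CN' line in an OpenVPN log."""
    found = []
    for line in log_lines:
        m = _VERIFY_ERROR.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for subj in failing_subjects(SAMPLE_LOG):
        ok, detail = check_common_name(subj)
        print(f"{subj!r}: {'OK' if ok else 'REJECT'} ({detail})")
```

On the Mac, the subject line to feed `check_common_name` comes from `openssl x509 -in cert_export_MacBook.crt -noout -subject` (and the same for the server's certificate); a certificate produced by easy-rsa, which prompts for and sets a Common Name, shows the CN field that the router-exported certificate here lacks.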

Jared Wechsler

Mar 19, 2017, 12:19:20 AM
to tunnelbli...@googlegroups.com
It’s odd that it works just fine on my other I-devices except the MacBook.
--
You received this message because you are subscribed to a topic in the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/tunnelblick-discuss/3m5llv8fRxs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to tunnelblick-dis...@googlegroups.com.
Visit this group at https://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.

Tunnelblick developer

Mar 19, 2017, 5:34:11 AM
to tunnelblick-discuss
Tunnelblick (and Viscosity, I believe) indirectly uses OpenSSL or LibreSSL to check certificates. iOS applications use mBed SSL, or perhaps iOS's built-in software. OpenSSL is apparently pickier about validating certificates.

OpenVPN (which is included in Tunnelblick) is the software that actually does the checking, not Tunnelblick. Recent changes to OpenVPN which have not been released (but will be tomorrow, I think) make certificate validation more robust, which may make some setups no longer work. (That's one reason that Tunnelblick usually includes multiple versions of OpenVPN.)

You could try to connect after setting Tunnelblick to use LibreSSL instead of OpenSSL, to see if LibreSSL is more lenient. You can do that in Tunnelblick's "OpenVPN version" setting.

Jared Wechsler

Mar 19, 2017, 1:12:51 PM
to tunnelbli...@googlegroups.com
I tried all the LibreSSL options. I'll try to recreate the certificates when I get some extra time. I've just been using ssh reverse proxies on my MacBook to do what I need to when remote. The new EasyRSA rewrite isn't all that easy, so I generated the certs on my Mikrotik router and exported them.

--Jared

Tunnelblick developer

Mar 19, 2017, 1:43:19 PM
to tunnelblick-discuss
Maybe the Mikrotik router makes invalid certificates that are nonetheless accepted by some SSL libraries.

You can use the (old) easy-rsa built into Tunnelblick (or the new one, also built in, in the "Easy-RSA3" subfolder) to generate keys & certificates. If you click the "Open easy-rsa in Terminal" button in the Tunnelblick Utilities panel, it launches Terminal in a folder with Easy-RSA 2 as the current directory. Then follow the instructions at https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Jared Wechsler

Mar 19, 2017, 2:29:20 PM
to tunnelbli...@googlegroups.com
I'll report back when I generate through easy-rsa 2. That's what I used for my VPS and it works fine. I'm not sure what OpenSSL libraries Mikrotik uses. Or the firmware I was on could have generated these bad certs. Thanks.

--Jared

Jared Wechsler

Mar 19, 2017, 9:38:01 PM
to tunnelbli...@googlegroups.com
Recreating the certs worked for my MacBook, but now my iPad and iPhone are throwing errors with PolarSSL...oh well the MacBook is more important for connecting to home. This is solved. 

--Jared

Tunnelblick developer

Mar 19, 2017, 9:59:33 PM
to tunnelblick-discuss
It sounds like this is a PolarSSL (now mBed SSL) vs. OpenSSL/LibreSSL compatibility issue.

Jared Wechsler

Mar 19, 2017, 10:02:12 PM
to tunnelbli...@googlegroups.com
I’ll dig around. Thanks for the help!