TunnelBlick and High Sierra self signed SSL issues


Brian

Sep 30, 2017, 7:04:36 AM
to tunnelblick-discuss
So after upgrading to High Sierra the other day, all of my SSL VPNs are failing with the following error. They all use a router-signed SSL certificate which, until the upgrade of my OS, worked just fine. I know they changed the SSL backend in the latest update, just not sure how to get it working.

2017-09-29 22:46:32 VERIFY ERROR: depth=0, error=format error in certificate's notBefore field: C=US, ST=NA, L=NA, O=Home, OU=OU, CN=SophosApplianceCertificate_xxxxx, emailAddress=xxxxx

2017-09-29 22:46:32 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-09-29 22:46:32 TLS_ERROR: BIO read tls_read_plaintext error

2017-09-29 22:46:32 TLS Error: TLS object -> incoming plaintext read error

2017-09-29 22:46:32 TLS Error: TLS handshake failed

Molina-Bulla Harold

Sep 30, 2017, 7:16:34 AM
to tunnelbli...@googlegroups.com
Hi!

Check which version of OpenVPN you are using.

We had that problem, and changing from OpenVPN + LibreSSL to OpenVPN + OpenSSL solved it.

I hope it works.

H.
-----------------------------------------------------------------
- "Does Big Brother exist?" - Winston
- "Of course he exists. The Party exists. Big Brother is the
  embodiment of the Party." - O'Brien
- "Does he exist in the same way as I exist?" - Winston
- "You do not exist." - O'Brien

George Orwell (1984)
-----------------------------------------------------------------
Remember: PRISM is watching you!!! X)
And you do not exist!!!
-----------------------------------------------------------------
Harold Molina-Bulla Ph.D.
h.mo...@gmail.org

Tunnelblick developer

Sep 30, 2017, 7:17:07 AM
to tunnelblick-discuss
Tunnelblick/OpenVPN don't use the OS for certificate verification, so High Sierra probably is not the cause of the problem.

Please follow the instructions at Read Before You Post and post the info it generates.

laden...@gmail.com

Oct 2, 2017, 2:10:30 PM
to tunnelblick-discuss
I have the same issues ever since upgrading to High Sierra.
I now get certificate errors like this:
2017-10-02 19:06:53 VERIFY OK: depth=1, /C=de/L=Dortmund/O=Versatel/CN=Versatel_VPN_CA/emailAddress=ad...@vt-security.de

2017-10-02 19:06:53 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: /C=de/L=Dortmund/O=Versatel/CN=ASG_1/emailAddress=ad...@vt-security.de

2017-10-02 19:06:53 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-10-02 19:06:53 TLS_ERROR: BIO read tls_read_plaintext error

2017-10-02 19:06:53 TLS Error: TLS object -> incoming plaintext read error

2017-10-02 19:06:53 TLS Error: TLS handshake failed

2017-10-02 19:06:53 Fatal TLS error (check_tls_errors_co), restarting
This must be related to OS X as it only happens after the upgrade.

Any ideas?


Thanks,

Andreas.

Tunnelblick developer

Oct 2, 2017, 2:18:50 PM
to tunnelblick-discuss
Please follow the instructions at Read Before You Post and post the info it generates.

On Monday, October 2, 2017 at 2:10:30 PM UTC-4, Andreas Goeres wrote:

HoneyBadger

Oct 5, 2017, 3:31:05 PM
to tunnelblick-discuss
I've been having this same issue as well; the same config file and Tunnelblick version work fine on 10.11 and 10.12. Please update us if you find a fix!


On Saturday, September 30, 2017 at 7:04:36 AM UTC-4, Brian Hawkins wrote:

abe...@gmail.com

Oct 5, 2017, 3:38:34 PM
to tunnelblick-discuss
Try switching to OpenVPN + OpenSSL in the Tunnelblick connection settings dialog of this connection (instead of OpenVPN + LibreSSL). Works for me, tested on two macOS High Sierra systems, even with the macOS High Sierra Supplementary Update as of today.

alexi...@gmail.com

Oct 16, 2017, 5:09:21 PM
to tunnelblick-discuss
Unfortunately, switching over to OpenSSL will be a temporary fix. I've been struggling with this issue for a few weeks now and I finally figured out what's causing the issue.

Back in February, OpenSSL on GitHub decided to strictly enforce RFC 5280. To quote ekasper:

    Now enforcing:
    - no fractions
    - no offsets
    - seconds must be present
    - Z is required
    - digits must be 0-9 (but we don't check that the date/time is valid)

    For the test certificate we now get
    error 13 at 0 depth lookup: format error in certificate's notBefore field
    error 22.pem: verification failed

In my case, I created self-signed certificates with a GeneralizedTime notBefore date. GeneralizedTime is now only valid for dates in 2050 or later. To fix this issue, I need to recreate my certificates with UTCTime.

GeneralizedTime is as follows:
YYYYMMDDHHMMSSZ

UTCTime is as follows:
YYMMDDHHMMSSZ

I believe the May 25, 2017 releases of OpenSSL (1.0.2l and 1.1.0f) contain this enforcement. I have not yet checked when LibreSSL enforces this. Hope this helps someone!
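As an added illustration (not code from this thread, from OpenSSL or from Tunnelblick), here is a small Python checker that applies the rules quoted above to the raw content of a DER Validity time field, so a certificate's notBefore/notAfter encodings can be checked before a client rejects them. The tag constants and every sample time string are constructed for the example.

```python
import re

# DER tag numbers of the two ASN.1 time types allowed in an X.509 Validity
UTC_TIME = 0x17
GENERALIZED_TIME = 0x18
# Strict forms from RFC 5280 4.1.2.5: fixed length, seconds present, trailing Z only
_FORMS = {
    UTC_TIME: (2, re.compile(r"^([0-9]{2})([0-9]{2})([0-9]{2})[0-9]{6}Z$")),
    GENERALIZED_TIME: (4, re.compile(r"^([0-9]{4})([0-9]{2})([0-9]{2})[0-9]{6}Z$")),
}

def _why(value, body_len):
    """Name the enforced rule that a malformed time string breaks."""
    if "." in value or "," in value:
        return "fractional seconds are not allowed"
    if "+" in value or "-" in value:
        return "time zone offsets are not allowed, only Z"
    if not value.endswith("Z"):
        return "trailing Z is required"
    body = value[:-1]
    if not re.fullmatch(r"[0-9]+", body):
        return "digits must be 0-9"
    if len(body) < body_len:
        return "seconds must be present"
    return "wrong length"

def check_validity_time(tag, value):
    """Return (ok, reason) for the raw ASCII content of one DER time field."""
    if tag not in _FORMS:
        return False, "not an ASN.1 time tag"
    year_digits, pattern = _FORMS[tag]
    m = pattern.match(value)
    if not m:
        return False, _why(value, year_digits + 10)
    year = int(m.group(1))
    if tag == UTC_TIME:  # RFC 5280 two-digit year rule: 50-99 -> 19xx, 00-49 -> 20xx
        year += 1900 if year >= 50 else 2000
    elif year < 2050:
        return False, "GeneralizedTime used for a year before 2050, UTCTime is required"
    return True, "%d-%s-%s" % (year, m.group(2), m.group(3))

def check_validity(not_before, not_after):
    """Return OpenSSL-style messages; each argument is a (tag, value) pair."""
    errors = []
    for name, (tag, value) in (("notBefore", not_before), ("notAfter", not_after)):
        if not check_validity_time(tag, value)[0]:
            errors.append("format error in certificate's %s field" % name)
    return errors
```

Feeding a 2017 notBefore encoded as GeneralizedTime reproduces the "format error in certificate's notBefore field" message seen in the logs above, while the same date as UTCTime passes.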

Tunnelblick developer

Oct 16, 2017, 5:32:31 PM
to tunnelblick-discuss
Thanks, Alexis.

The current Tunnelblick stable release, 3.7.2a, includes OpenSSL v 1.0.2k and LibreSSL 2.5.0.
The current Tunnelblick beta release, 3.7.3beta03, includes OpenSSL v 1.0.2l and LibreSSL 2.5.5.

So people experiencing this problem could easily test the two versions of OpenSSL, and the two versions of LibreSSL, too, if they want. (You can install the beta over the stable or vice versa and keep all your settings.)

Note that sometime in the next few days, new stable and beta releases will both include OpenSSL v 1.0.2l and LibreSSL 2.5.5.

Prior versions of Tunnelblick will continue to be available for download until they are found to include security vulnerabilities.

doom

May 27, 2019, 7:49:44 AM
to tunnelblick-discuss
Rolling back to a Tunnelblick version with OpenVPN version 2.4.4 did the job.

Tunnelblick developer

May 27, 2019, 8:12:09 AM
to tunnelblick-discuss
"doom":

"Solving" the problem (a bad certificate) by downgrading to older software which doesn't check the certificate as carefully isn't a good long term solution. You're stuck using the old software forever, and if/when a security vulnerability is discovered in the old software, you'll be stuck using software with known vulnerabilities. You need to get your VPN service provider to give you certificates that work with modern software.

The following comment by Alexis describes one cause of problems with certificates:

Fabian Stolz

Feb 21, 2023, 4:04:49 AM
to tunnelblick-discuss
Hello,

With the new macOS Ventura version we're receiving the same error, and we can't fix it with things like changing the OpenVPN or OpenSSL version.
Any help or recommendations regarding this problem are appreciated.

Herfs_VPN_Error.png

Tunnelblick developer

Feb 21, 2023, 4:21:04 AM
to tunnelblick-discuss
The "self signed certificate" error message is misleading. It actually means "there is some problem with one of the certificates in the chain".

Usually this error is triggered by an error in the certificate, which earlier versions of OpenSSL or LibreSSL don't notice, but newer versions detect and reject.

Fabian Stolz

Feb 24, 2023, 10:17:11 AM
to tunnelblick-discuss
I did some further troubleshooting and tested the same VPN config on another system, which also runs Ventura 13.2.1, and it works like a charm. The only difference is that the other Mac is running on an M2 chip, so I'm wondering if that is the problem here. Both systems are running the same Tunnelblick version.