GET_SERVER_CERTIFICATE error after macOS High Sierra upgrade


Jim Cienkus

Oct 16, 2017, 4:53:50 PM
to tunnelblick-discuss
Tunnelblick VPN to Sophos Firewall was working great prior to High Sierra upgrade.

Can anyone help with this error:

2017-10-16 15:42:46 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: /C=us/L=<REMOVED>/O=<REMOVED>/CN=<REMOVED>/emailAddress=<REMOVED>

2017-10-16 15:42:46 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-10-16 15:42:46 TLS_ERROR: BIO read tls_read_plaintext error

2017-10-16 15:42:46 TLS Error: TLS object -> incoming plaintext read error

2017-10-16 15:42:46 TLS Error: TLS handshake failed


Tunnelblick developer

Oct 16, 2017, 4:58:04 PM
to tunnelblick-discuss

Jim Cienkus

Oct 16, 2017, 5:37:21 PM
to tunnelblick-discuss
I tried that, now I get this error:

Options error: Unrecognized option or missing or extra parameter(s) in /Library/Application Support/Tunnelblick/Users/<REMOVED>/<REMOVED>.tblk/Contents/Resources/config.ovpn:6: tls-remote (2.4.4)


Any suggestions?

Tunnelblick developer

Oct 16, 2017, 5:44:44 PM
to tunnelblick-discuss
That option, tls-remote, was deprecated long ago and is not available in OpenVPN 2.4.4. It should still work in OpenVPN 2.3.18. So try that.

Jim Cienkus

Oct 23, 2017, 4:41:41 PM
to tunnelblick-discuss
I am new to Tunnelblick and the OpenVPN config. Can you provide me instructions on how to update the config as you suggest?

Tunnelblick developer

Oct 24, 2017, 6:24:28 AM
to tunnelblick-discuss
To change the version of OpenVPN/OpenSSL that Tunnelblick uses for a configuration:
  1. Launch Tunnelblick
  2. Click on the Tunnelblick icon in the menu bar
  3. Click on "VPN Details..."
  4. In the window that appears, click on the large "Configurations" button near the top of the window
  5. On the left side, click to select the configuration(s) that you wish to make the change for. (You can select more than one at a time using macOS standard "Command-Click" and "Shift-Click".)
  6. On the right side, click the "Settings" tab
  7. In the settings tab, click on the button to the right of "OpenVPN version"
  8. Select the top-most entry, "Default (2.3.18 - OpenSSL v1.0.2l)"
That tells Tunnelblick to use OpenVPN version 2.3.18 with OpenSSL version 1.0.2i.

And please tell Sophos that they should update their setup to work with modern versions of OpenVPN.

Sven

Nov 14, 2017, 6:54:38 AM
to tunnelblick-discuss
Hello,

If I switch to OpenSSL I get the following error message:
Options error: Unrecognized option or missing or extra parameter(s) in /Library/Application Support/Tunnelblick/Users/*******/*******@[ip address].tblk/Contents/Resources/config.ovpn:5: tls-remote (2.4.4)

Tunnelblick developer

Nov 14, 2017, 7:07:58 AM
to tunnelblick-discuss
That shouldn't happen when you switch to OpenSSL, but it *should* happen (for your configuration) when you switch to OpenVPN 2.4.4.

That's because the error message is saying that there is a "tls-remote" option in your configuration file (on the fifth line) and that OpenVPN version 2.4.4 does not support that option. That option was removed from Tunnelblick 2.4 after being deprecated for a long time.

You should contact whoever supplied your configuration files and have them update them for modern versions of OpenVPN. At some time in the future older versions of OpenVPN will be removed from Tunnelblick, and you will be unable to use such old configurations.
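
Added example, not part of the thread and not Tunnelblick or OpenVPN code: a Python check that finds active "tls-remote" lines in a configuration and reports them by line number, as the error message above does. The sample config and its names are constructed, and the suggested "verify-x509-name" line (the option OpenVPN's documentation names as the successor to "tls-remote") is an assumption to confirm against the server certificate.

```python
# Added example: locate the removed tls-remote option in an OpenVPN config.
REMOVED_OPTION = "tls-remote"  # rejected by OpenVPN 2.4.4, per the thread

# Constructed sample config; host name and certificate name are placeholders.
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.test 443
tls-remote "fw.example.test"
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
; tls-remote old.example.test
verb 3
"""

def find_tls_remote(config_text):
    """Return (line_number, value, suggestion) for each active tls-remote line."""
    findings = []
    inline_block = None  # tag name while inside an inline <tag>...</tag> block
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if inline_block:
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_block = line[1:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        parts = line.split(None, 1)
        if parts[0].lstrip("-") != REMOVED_OPTION:  # tolerate a leading "--"
            continue
        value = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
        if "=" in value:
            # DN-style value: the subject string format changed in OpenVPN 2.3,
            # so it cannot be copied across mechanically.
            hint = 'rewrite by hand as: verify-x509-name "<subject>" subject'
        else:
            # "name" requires an exact CN match; "name-prefix" accepts a CN prefix.
            hint = f'verify-x509-name "{value}" name'
        findings.append((lineno, value, hint))
    return findings

if __name__ == "__main__":
    for lineno, value, hint in find_tls_remote(SAMPLE_CONFIG):
        print(f"config.ovpn:{lineno}: {REMOVED_OPTION} {value!r} -> {hint}")
```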

nom...@gmail.com

Jan 11, 2018, 5:15:08 PM
to tunnelblick-discuss
Worked perfectly, thanks!