This repository has been archived by the owner on Sep 29, 2024. It is now read-only.

Client certificate may fail for unclear reasons #91

Closed
keeshux opened this issue Apr 27, 2019 · 4 comments

keeshux commented Apr 27, 2019

Some users are experiencing TunnelKitError 205 with client certificate authentication. Not sure if it's related to encrypted private keys. Need to debug OpenSSL response in more detail.

@keeshux keeshux self-assigned this Apr 27, 2019
@keeshux keeshux added the bug Something isn't working label Apr 27, 2019
@keeshux keeshux added this to the 1.6.4 milestone Apr 27, 2019
@keeshux keeshux changed the title from "Client certificate may fail for unclear reasons (205)" to "Client certificate may fail for unclear reasons" Apr 27, 2019
keeshux commented Apr 27, 2019

a48bcc7 might fix this partially.

keeshux commented Apr 27, 2019

@roals mind re-testing password-protected .ovpn in Passepartout 1.6.0 Beta 1803?

Using the password-protected ovpn profile results in a TLS error in 1.5.0 as well as 1.6.0 (1779). I created a new ovpn profile without a password and I no longer get a TLS error in 1.5.0/1.6.0 (1779).

@keeshux keeshux modified the milestones: 1.6.4, 1.6.3 Apr 27, 2019
roals commented Apr 27, 2019

@keeshux I had to re-add the profile, but successful connection and no TLS error!

App: Passepartout 1.6.0 (1803)
OS: iOS 12.1.1
Device: iPhone

07:28:37 - Starting tunnel...
07:28:37 - App version: Passepartout 1.6.0 (1803)
07:28:37 - 	Protocols: [UDP:1194]
07:28:37 - 	Cipher: AES-256-GCM
07:28:37 - 	Digest: HMAC-SHA1
07:28:37 - 	Compression framing: disabled
07:28:37 - 	Compression algorithm: disabled
07:28:37 - 	Client verification: enabled
07:28:37 - 	TLS wrapping: crypt
07:28:37 - 	Keep-alive: never
07:28:37 - 	Renegotiation: never
07:28:37 - 	Server EKU verification: disabled
07:28:37 - 	Default gateway: no
07:28:37 - 	DNS: default
07:28:37 - 	MTU: 1250
07:28:37 - 	Debug: true
07:28:37 - 	Masks private data: true
07:28:37 - Current SSID: none (disconnected from WiFi)
07:28:37 - Creating link session
07:28:37 - DNS resolve hostname: #310347224060b108#
07:28:37 - DNS resolved addresses: ["#310347224060b108#"]
07:28:37 - Will connect to #310347224060b108#:1194
07:28:37 - Socket type is NEUDPSocket
07:28:37 - Socket state is preparing (endpoint: #05671e86f2e22fa5# -> in progress)
07:28:37 - Socket state is ready (endpoint: #2ff923fbdf78cf26# -> #0add81ffbc5f4a0b#)
07:28:37 - Starting VPN session
07:28:37 - Send hard reset
07:28:37 - Negotiation key index is 0
07:28:37 - Control: Enqueued 1 packet [0]
07:28:37 - Control: Write control packet {HARD_RESET_CLIENT_V2 | 0, sid: 9052f3d6cbe99d0b, pid: 0, [0 bytes]}
07:28:37 - Send control packet (54 bytes): 389052f3d6cbe99d0b000000015cc46715127a580c619584cf53ddc4e7f6fecc05c6f19f943e4e5b7823aeae3ef90e8d2162bfde41cd
07:28:37 - Control: Try read packet with code HARD_RESET_SERVER_V2 and key 0
07:28:37 - Control: Read packet {HARD_RESET_SERVER_V2 | 0, sid: 51f5657ce50c23e3, acks: {[0], 9052f3d6cbe99d0b}, pid: 0}
07:28:37 - Send ack for received packetId 0
07:28:37 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[0], 51f5657ce50c23e3}}
07:28:37 - Control: Remote sessionId is 51f5657ce50c23e3
07:28:37 - Start TLS handshake
07:28:37 - TLS.connect: Pulled ciphertext (176 bytes)
07:28:37 - Control: Enqueued 1 packet [1]
07:28:37 - Control: Write control packet {CONTROL_V1 | 0, sid: 9052f3d6cbe99d0b, pid: 1, [176 bytes]}
07:28:37 - Send control packet (230 bytes): 209052f3d6cbe99d0b000000035cc467159e6b72830457c5675d454ae73b48a286839ad3e3ccb95da8da0aa7e366b95dff8c86a5846c330887ba9ba65846876c69b3d3210ef4fa457a41683f2d83be49f308439fb08951580bffde59790542f5f91fd4d080c3f688b037c8713b204c546cdbf5d77c100c01b1e2f9d87ecffb9625046f8d35cfbddd5d2b168470d62bdb25eb7d598c36af0043dad7485cdb2d7c0817e775edc73c3887835e54dd6935b6f068ea4f4cc9da72fc298a674e725d9b594ccadf93ef45b22c841623321cf02055df01cc44baa010f0d41b37eb8ec33526158ce14066
07:28:37 - Ack successfully written to LINK for packetId 0
07:28:37 - Control: Try read packet with code CONTROL_V1 and key 0
07:28:37 - Control: Read packet {CONTROL_V1 | 0, sid: 51f5657ce50c23e3, acks: {[1], 9052f3d6cbe99d0b}, pid: 1, [1062 bytes]}
07:28:37 - Send ack for received packetId 1
07:28:37 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[1], 51f5657ce50c23e3}}
07:28:37 - TLS.connect: Put received ciphertext (1062 bytes)
07:28:37 - Control: Try read packet with code CONTROL_V1 and key 0
07:28:37 - Control: Read packet {CONTROL_V1 | 0, sid: 51f5657ce50c23e3, pid: 2, [160 bytes]}
07:28:37 - Send ack for received packetId 2
07:28:37 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[2], 51f5657ce50c23e3}}
07:28:37 - TLS.connect: Put received ciphertext (160 bytes)
07:28:37 - TLS.connect: Send pulled ciphertext (1091 bytes)
07:28:37 - Control: Enqueued 1 packet [2]
07:28:37 - Control: Write control packet {CONTROL_V1 | 0, sid: 9052f3d6cbe99d0b, pid: 2, [1091 bytes]}
07:28:37 - Send control packet (1145 bytes): [hex payload elided]
07:28:37 - Ack successfully written to LINK for packetId 1
07:28:37 - Ack successfully written to LINK for packetId 2
07:28:37 - Control: Skip writing packet with packetId 2 (sent on 2019-04-27 14:28:37 +0000, 0.019590020179748535 seconds ago)
07:28:37 - Control: Try read packet with code CONTROL_V1 and key 0
07:28:37 - Control: Read packet {CONTROL_V1 | 0, sid: 51f5657ce50c23e3, acks: {[2], 9052f3d6cbe99d0b}, pid: 3, [51 bytes]}
07:28:37 - Send ack for received packetId 3
07:28:38 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[3], 51f5657ce50c23e3}}
07:28:38 - TLS.connect: Put received ciphertext (51 bytes)
07:28:38 - TLS.connect: Handshake is complete
07:28:38 - TLS.auth: Local options: V4,dev-type tun,cipher AES-256-GCM,auth SHA1,keysize 256,key-method 2,tls-client,keydir 1
07:28:38 - TLS.auth: Put plaintext (361 bytes)
07:28:38 - TLS.auth: Pulled ciphertext (390 bytes)
07:28:38 - Control: Enqueued 1 packet [3]
07:28:38 - Control: Write control packet {CONTROL_V1 | 0, sid: 9052f3d6cbe99d0b, pid: 3, [390 bytes]}
07:28:38 - Send control packet (444 bytes): [hex payload elided]
07:28:38 - Ack successfully written to LINK for packetId 3
07:28:38 - Control: Try read packet with code CONTROL_V1 and key 0
07:28:38 - Control: Read packet {CONTROL_V1 | 0, sid: 51f5657ce50c23e3, acks: {[3], 9052f3d6cbe99d0b}, pid: 4, [228 bytes]}
07:28:38 - Send ack for received packetId 4
07:28:38 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[4], 51f5657ce50c23e3}}
07:28:38 - TLS.connect: Put received ciphertext (228 bytes)
07:28:38 - Pulled plain control data (199 bytes)
07:28:38 - TLS.auth: Parsed server random
07:28:38 - TLS.auth: Parsed server opts: "V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server"
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Parsed control message (0 bytes)
07:28:38 - Ack successfully written to LINK for packetId 4
07:28:38 - TLS.ifconfig: Put plaintext (PUSH_REQUEST)
07:28:38 - TLS.ifconfig: Send pulled ciphertext (42 bytes)
07:28:38 - Control: Enqueued 1 packet [4]
07:28:38 - Control: Write control packet {CONTROL_V1 | 0, sid: 9052f3d6cbe99d0b, pid: 4, [42 bytes]}
07:28:38 - Send control packet (96 bytes): 209052f3d6cbe99d0b0000000a5cc46715681524b56453670db709e2b0dad830d70f9e3fed3c9a03e8f73f79846024636223bf06d7cc8590f711f25bb3f1fd1558657a8c6f08049b9ce02f9ebfa78fae4c8df85e03bf1160a194640862795c39
07:28:38 - Control: Skip writing packet with packetId 4 (sent on 2019-04-27 14:28:38 +0000, 0.004297018051147461 seconds ago)
07:28:38 - Control: Try read packet with code ACK_V1 and key 0
07:28:38 - Control: Read packet {ACK_V1 | 0, sid: 51f5657ce50c23e3, acks: {[4], 9052f3d6cbe99d0b}}
07:28:38 - Control: Try read packet with code CONTROL_V1 and key 0
07:28:38 - Control: Read packet {CONTROL_V1 | 0, sid: 51f5657ce50c23e3, pid: 5, [211 bytes]}
07:28:38 - Send ack for received packetId 5
07:28:38 - Control: Write ack packet {ACK_V1 | 0, sid: 9052f3d6cbe99d0b, acks: {[5], 51f5657ce50c23e3}}
07:28:38 - TLS.connect: Put received ciphertext (211 bytes)
07:28:38 - Pulled plain control data (182 bytes)
07:28:38 - Parsed control message (181 bytes)
07:28:38 - Received PUSH_REPLY: "#9b8cfef78c173da2#"
07:28:38 - Set up encryption
07:28:38 - 	Negotiated cipher: AES-256-GCM
07:28:38 - 	Negotiated keep-alive: 10.0 seconds
07:28:38 - Session did start
07:28:38 - Returned ifconfig parameters:
07:28:38 - 	Remote: #310347224060b108#
07:28:38 - 	IPv4: addr #c00a83a8513d686a# netmask 255.255.255.0 gw #38fc73bfa953c6f4# routes []
07:28:38 - 	IPv6: not configured
07:28:38 - 	Default gateway: not configured
07:28:38 - 	DNS: ["#2b624e5f15f7f2e9#"]
07:28:38 - 	Domain: not configured
07:28:38 - Ack successfully written to LINK for packetId 5
07:28:38 - Tunnel interface is now UP
07:28:48 - Send ping
07:28:48 - Data: Received ping, do nothing
07:28:58 - Data: Received ping, do nothing
07:28:59 - Send ping
07:29:08 - Data: Received ping, do nothing
07:29:10 - Send ping
07:29:15 - Stopping tunnel...
07:29:15 - Trigger shutdown on request
07:29:15 - Session did stop
07:29:15 - Failed LINK read: Error Domain=NSPOSIXErrorDomain Code=89 "Operation canceled"
07:29:15 - Socket state is cancelled (endpoint: #4d101c45a80cc5cd# -> #67afdc36eb01f063#)
07:29:15 - Cleaning up...
07:29:15 - Tunnel did stop on request
07:29:15 - Flushing log...

keeshux commented Apr 27, 2019

Wonderful! Then I'm gonna close this.
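A check worth running before reproducing this kind of report: does the .ovpn actually embed a password-protected (encrypted) private key, which is the configuration the thread ties the TLS error to? The script below is an added example, not TunnelKit or Passepartout code. It recognises the two PEM forms OpenSSL uses for encrypted keys (the Proc-Type: 4,ENCRYPTED and DEK-Info: headers of the traditional format, and the PKCS#8 ENCRYPTED PRIVATE KEY envelope), reports profiles that reference an external key file instead of embedding one, and notes whether askpass is set. The profiles at the bottom are constructed for the example; their key bodies are placeholders, not real keys, and the regular expressions are this example's own, not anything from the project.

```python
"""Report whether an OpenVPN .ovpn profile carries a password-protected
(encrypted) client private key.

Added example, not TunnelKit or Passepartout code. The profiles at the
bottom are constructed; the key bodies are placeholders, not real keys."""
import re

# Inline <key> block as OpenVPN writes it; DOTALL so it spans lines.
KEY_BLOCK = re.compile(r"<key>\s*(.*?)\s*</key>", re.DOTALL)
# 'key <file>' directive for profiles that reference an external key file.
# The \s+ after 'key' keeps 'key-direction' from matching.
KEY_DIRECTIVE = re.compile(r"^\s*key\s+(\S+)", re.MULTILINE)


def classify_pem_key(pem: str) -> str:
    """Classify a PEM private key from its headers alone.

    Returns 'encrypted-pkcs8', 'encrypted-pkcs1', 'plaintext' or 'unknown'.
    The key body itself is never parsed."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return "encrypted-pkcs8"
    # Traditional OpenSSL format announces encryption with two header lines
    # right after BEGIN: 'Proc-Type: 4,ENCRYPTED' and 'DEK-Info: <cipher>,<iv>'.
    if (re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem, re.MULTILINE)
            and re.search(r"^DEK-Info:", pem, re.MULTILINE)):
        return "encrypted-pkcs1"
    if re.search(r"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----", pem):
        return "plaintext"
    return "unknown"


def inspect_profile(ovpn: str) -> dict:
    """Summarise how the profile supplies its client key.

    'encrypted' is True only when an inline key is provably encrypted,
    None when the key lives in an external file the profile merely names."""
    askpass = re.search(r"^\s*askpass\b", ovpn, re.MULTILINE) is not None
    m = KEY_BLOCK.search(ovpn)
    if m:
        kind = classify_pem_key(m.group(1))
        return {"inline": True, "source": "<key>", "kind": kind,
                "encrypted": kind.startswith("encrypted"), "askpass": askpass}
    d = KEY_DIRECTIVE.search(ovpn)
    if d:
        return {"inline": False, "source": d.group(1), "kind": "external",
                "encrypted": None, "askpass": askpass}
    # No client key at all (e.g. a username/password-only profile).
    return {"inline": False, "source": None, "kind": "none",
            "encrypted": False, "askpass": askpass}


# Constructed sample profiles; key bodies are placeholders, not real keys.
ENCRYPTED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-GCM
auth SHA1
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0

UExBQ0VIT0xERVIgQk9EWSwgTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
</key>
"""

PLAIN_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
<key>
-----BEGIN EC PRIVATE KEY-----
UExBQ0VIT0xERVIgQk9EWSwgTk9UIEEgUkVBTCBLRVk=
-----END EC PRIVATE KEY-----
</key>
"""

PKCS8_PROFILE = """\
client
remote vpn.example.net 1194
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVIgQk9EWSwgTk9UIEEgUkVBTCBLRVk=
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

EXTERNAL_PROFILE = """\
client
remote vpn.example.net 1194
key-direction 1
key /etc/openvpn/client.key
askpass
"""

if __name__ == "__main__":
    for name, text in [("encrypted (PKCS#1)", ENCRYPTED_PROFILE),
                       ("plaintext", PLAIN_PROFILE),
                       ("encrypted (PKCS#8)", PKCS8_PROFILE),
                       ("external key file", EXTERNAL_PROFILE)]:
        print(f"{name}: {inspect_profile(text)}")
```

When the script flags an encrypted key, `openssl pkey -in client.key -noout` prompts for the passphrase and exits non-zero if it is wrong, which separates a bad passphrase from a client-side TLS problem. Writing an unencrypted copy with `openssl pkey -in client.key -out client-plain.key` gives a profile without a password, the workaround roals reported above, but it leaves the key in cleartext inside the profile, so treat that file accordingly.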

@keeshux keeshux closed this as completed Apr 27, 2019
keeshux added a commit that referenced this issue Apr 27, 2019
keeshux added a commit that referenced this issue Apr 27, 2019