action #55340

closed

After installing xrdp, openVPN no longer works

Added by EDV_Lotse over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Feature
Target version:
Start date: 2019-08-11
Due date: 2020-06-01
% Done: 100%
Estimated time:

Description

After the optional installation of Xrdp, the openVPN client reports an error:

Tue Jul 30 19:46:27 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 30 19:46:27 2019 TLS Error: TLS handshake failed
Tue Jul 30 19:46:27 2019 SIGUSR1[soft,tls-error] received, process restarting

On the server side the error message is somewhat more informative:

Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=donum vitae Regionalverband Bonn/Rhein-Si>
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS_ERROR: BIO read tls_read_plaintext error
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS object -> incoming plaintext read error
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS handshake failed

When Xrdp is installed, RSA keys are generated:

# Fragment of the xrdp package installation script: create the RSA key pair
# in /etc/xrdp/rsakeys.ini (used by xrdp's own "rdp" security layer) only if
# the file does not exist yet.
if [ ! -e /etc/xrdp/rsakeys.ini ]; then
    xrdp-keygen xrdp /etc/xrdp/rsakeys.ini
    # A failed key generation only prints a warning; the installation goes on.
    if [ $? -ne 0 ] || [ ! -e /etc/xrdp/rsakeys.ini ]; then
        echo "Could not generate rsakeys.ini, please check manually!"
    fi
fi

/etc/xrdp/xrdp.ini:
...
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites
#tls_ciphers=HIGH

Question: how can xrdp interfere with openVPN's functionality?

As described in the comments, the problem is the expiry of the CRL. See also:
https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired

The recommendation there: "In order to fix this, regenerate the CRL with a new nextUpdate value. If you don't want your CRLs expire put that value far enough into the future."
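The check and the fix from the wiki recommendation, as an added example that is not part of this issue and not invis-server's own code: a small POSIX shell script that reads the nextUpdate field of a CRL with the openssl CLI, turns it into "days left" (the number related issue #63631 wants to publish in the portal; a negative value is the state that produced the "CRL has expired" verify error in the server log above), and regenerates the CRL with `openssl ca -gencrl -crldays` so that nextUpdate lies far in the future. The CA directory layout, the config file and the `demo-ca` subject are constructed for the demonstration only; a real deployment points `regen_crl` at its existing openssl or easy-rsa CA directory (with easy-rsa 3 the equivalent is setting `EASYRSA_CRL_DAYS` in `vars` and running `easyrsa gen-crl`). The script assumes the openssl CLI and GNU date are installed.

```shell
#!/bin/sh
# Added example, not code from the issue or from invis-server: check how
# many days an OpenVPN CRL stays valid and regenerate it with a far-off
# nextUpdate. Requires the openssl CLI and GNU date (for "date -d").
set -eu

# Print the nextUpdate field of a PEM CRL, e.g. "Aug 10 12:11:05 2029 GMT".
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# Whole days until the CRL expires. 0 means "expires within a day"; a
# negative value means the server already rejects every client certificate
# with "VERIFY ERROR: depth=0, error=CRL has expired".
crl_days_left() {
    exp=$(date -u -d "$(crl_next_update "$1")" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Regenerate the CRL of an "openssl ca" style CA directory ($1) so that it
# is valid for $2 days. $1/openssl.cnf is assumed to name the CA database,
# certificate and key (make_demo_ca below writes the minimal layout).
regen_crl() {
    openssl ca -batch -config "$1/openssl.cnf" -gencrl -crldays "$2" \
        -out "$1/crl.pem" 2>/dev/null
}

# Throw-away CA (constructed for this demonstration only).
make_demo_ca() {
    mkdir -p "$1"
    : > "$1/index.txt"        # empty certificate database: nothing revoked
    echo 01 > "$1/crlnumber"  # CRL serial counter
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
        -config "$1/openssl.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Demonstration: a CRL that expires tomorrow versus one regenerated for ten years.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
regen_crl "$demo_dir" 1
echo "CRL generated with -crldays 1:    $(crl_days_left "$demo_dir/crl.pem") day(s) left"
regen_crl "$demo_dir" 3650
echo "CRL generated with -crldays 3650: $(crl_days_left "$demo_dir/crl.pem") day(s) left"
rm -rf "$demo_dir"
```

Run `crl_days_left` against the CRL named by the OpenVPN server's `crl-verify` option from cron or a monitoring check and alert well before it reaches 0; after `regen_crl` the new crl.pem is picked up by OpenVPN on the next client connection (the server re-reads the CRL file for each handshake), so no restart is needed.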


Related issues (1: 0 open, 1 closed)

Related to invisAD-setup - action #63631: We should publish the CRL expiration date via invis portal (Closed, 2020-02-20)
