
action #55340

Updated by ingogoeppert over 4 years ago

**After an optional installation of Xrdp, the openVPN client reports an error:**

 Tue Jul 30 19:46:27 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
 Tue Jul 30 19:46:27 2019 TLS Error: TLS handshake failed 
 Tue Jul 30 19:46:27 2019 SIGUSR1[soft,tls-error] received, process restarting 

**On the server side the error message is somewhat more informative:**

 Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 VERIFY ERROR: depth=0, **error=CRL has expired:** C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=donum vitae Regionalverband Bonn/Rhein-Si> 
 Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed 
 Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS_ERROR: BIO read tls_read_plaintext error 
 Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS object -> incoming plaintext read error 
 Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS handshake failed 


**When Xrdp is installed, RSA keys are generated:**

 if [ ! -e /etc/xrdp/rsakeys.ini ]; then 
     xrdp-keygen xrdp /etc/xrdp/rsakeys.ini 
     if [ $? -ne 0 ] || [ ! -e /etc/xrdp/rsakeys.ini ]; then 
         echo "Could not generate rsakeys.ini, please check manually!" 
     fi 
 fi 

 **/etc/xrdp/xrdp.ini:** 
 ... 
 ; security layer can be 'tls', 'rdp' or 'negotiate' 
 ; for client compatible layer 
 security_layer=negotiate 
 ; minimum security level allowed for client 
 ; can be 'none', 'low', 'medium', 'high', 'fips' 
 crypt_level=high 
 ; X.509 certificate and private key 
 ; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 
 certificate= 
 key_file= 
 ; set SSL protocols 
 ; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2' 
 ssl_protocols=TLSv1, TLSv1.1, TLSv1.2 
 ; set TLS cipher suites 
 #tls_ciphers=HIGH 

**Question: how can xrdp interfere with openVPN functionality?**

As described in the comments, the problem is the expiry of the CRL. See also:
https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired

The recommendation there: `"In order to fix this, regenerate the CRL with a new nextUpdate value. If you don't want your CRLs expire put that value far enough into the future. "`


