Project

General

Profile

action #55340

Updated by ingogoeppert about 2 years ago

**Nach optionaler Installation von Xrdp bringt openVPN-client eine Fehlermeldung:**

Tue Jul 30 19:46:27 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 30 19:46:27 2019 TLS Error: TLS handshake failed
Tue Jul 30 19:46:27 2019 SIGUSR1[soft,tls-error] received, process restarting

**Serverseitig sieht die Fehlermeldung etwas informativer aus:**

Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 VERIFY ERROR: depth=0, **error=CRL has expired:** C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=donum vitae Regionalverband Bonn/Rhein-Si>
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS_ERROR: BIO read tls_read_plaintext error
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS object -> incoming plaintext read error
Aug 10 12:11:05 inviz openvpn[2623]: 194.95.66.31:51446 TLS Error: TLS handshake failed

**Bei Installation von Xrdp werden RSA Keys erzeugt:**

if [ ! -e /etc/xrdp/rsakeys.ini ]; then
xrdp-keygen xrdp /etc/xrdp/rsakeys.ini
if [ $? -ne 0 ] || [ ! -e /etc/xrdp/rsakeys.ini ]; then
echo "Could not generate rsakeys.ini, please check manually!"
fi
fi

**/etc/xrdp/xrdp.ini:**
...
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites
#tls_ciphers=HIGH

**Frage: wie kann xrdp Funktionalität von openVPN verhindern?**

Problem ist wie in den Kommentaren beschrieben der Ablauf der CRL. Siehe auch:
https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired

Die Empfehlung dort: `"In order to fix this, regenerate the CRL with a new nextUpdate value. If you don't want your CRLs expire put that value far enough into the future. "`


Back