
SSL VPN Verification Error??

I have a brand new install I just did with Sophos XG.  I have one user created for testing purposes.  When trying to connect to SSL VPN using TunnelBlick with my Mac, I get the following error:

 

2017-09-05 22:36:49 VERIFY ERROR: depth=0, error=format error in certificate's notBefore field: C=US, ST=NA, L=NA, O=RutledgeTech, OU=OU, CN=SophosApplianceCertificate_C01001B2WQ74TE5, emailAddress=justin@rutledge1188.com

2017-09-05 22:36:49 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2017-09-05 22:36:49 TLS_ERROR: BIO read tls_read_plaintext error

2017-09-05 22:36:49 TLS Error: TLS object -> incoming plaintext read error

2017-09-05 22:36:49 TLS Error: TLS handshake failed

 

Again, this is a brand new fresh firewall.  I haven't messed with anything other than a few firewall rules and setting up the one user.  I have tried re-generating the appliance cert and re-creating the user.  That didn't help :(.   Any ideas where I should look next?



  • I've had the same issue recently, my SSL VPN had always worked fine and then suddenly I was getting this error after upgrading my Mac to the latest 'High Sierra' OS. I've been using TunnelBlick as the OpenVPN client.

    After a bit of searching, I came across a discussion which seemed to suggest that this might be happening because of the way that RFC5280 is being enforced in newer versions of OpenVPN, in particular, the 'TimeZone' value must be present in the certificate. Here's the discussion I found...

    Back in February, OpenSSL on GitHub decided to strictly enforce RFC5280. Now enforcing:
     
    no fractions
    no offsets
    seconds must be present
    Z is required
    digits must be 0-9 (but we don't check that the date/time is valid)
     
    In my case, I created self-signed certificates with a GeneralizedTime notBefore date. GeneralizedTime is now only valid for dates in 2050 or later. To fix this issue, I need to recreate my certificates with UTCTime.
     
    GeneralizedTime is as follows:
    YYYYMMDDHHMMSSZ
     
    UTCTime is as follows:
    YYMMDDHHMMSSZ

    Does anybody think that this may be true and if so, how do we add the Time Zone value to the self-signed cert on XG? I couldn't see any fields for that. As a workaround, I've changed the authentication mechanism TunnelBlick uses to be OpenSSL, but this is just a temporary fix as this will soon enforce RFC5280 also.

    Any ideas would be helpful, thanks.