Hello,
I keep having problems with road warriors connecting via SSL VPN to the Sophos device. They cannot connect to it. A part of the log file from the client side, captured with the program Viscosity, is here:
Nov 04 16:44:57: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
Nov 04 16:44:57: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Nov 04 16:45:00: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 04 16:45:00: Attempting to establish TCP connection with [AF_INET]A.B.C.242:443 [nonblock]
Nov 04 16:45:01: TCP connection established with [AF_INET]A.B.C.242:443
Nov 04 16:45:01: TCPv4_CLIENT link local: [undef]
Nov 04 16:45:01: TCPv4_CLIENT link remote: [AF_INET]A.B.C.242:443
Nov 04 16:45:01: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 04 16:45:01: VERIFY ERROR: could not extract CN from X509 subject string ('C=nl, L=Wassenaar, O=Calmus BV') -- note that the username length is limited to 64 characters
Nov 04 16:45:01: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 04 16:45:01: TLS Error: TLS object -> incoming plaintext read error
Nov 04 16:45:01: TLS Error: TLS handshake failed
Nov 04 16:45:01: Fatal TLS error (check_tls_errors_co), restarting
Nov 04 16:45:01: SIGUSR1[soft,tls-error] received, process restarting
I posted this on the "former bulletin board" (which btw is far easier to use etc. than this one) and it was suggested that I contact Viscosity about it.
Today I got a message back from James Bekkema from Viscosity, stating:
"It appears the OpenVPN server certificate was created without a Common Name (CN) set. Modern versions of OpenVPN will reject this when attempting to perform name verification of the certificate. You’ll want to re-generate your server’s certificate and ensure that a CN is set: Sophos should be able to assist you in this regard.
Otherwise you could remove the "verify-x509-name" command to turn off name verification. This option is off by default, however it appears Sophos devices have it enabled. Again, Sophos should be able to advise how to not use this option.
The following thread on the Sophos forums also appears to contain some more information:
Before doing anything I downloaded and opened the signing CA cert, etc. All have a CN in them, so I'm lost as to what's going wrong and what to do next. I know regenerating a signing CA cert is very intrusive, because I have to reissue every other cert on the Sophos after that and for every user. So is there a way or a command I can issue to disable the "verify-x509-name" on the Sophos UTM? That seems the quickest way to solve things (until Sophos solves these issues), because our employees have not been able to get into the network for several days now.
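To show where the "could not extract CN from X509 subject string" line in the log above comes from, here is a small model of the two subject checks an OpenVPN 2.3 client runs on the server certificate. This is an added illustration written for this thread, not OpenVPN's, Viscosity's or Sophos's own code. It assumes the subject string format OpenVPN prints ('C=nl, L=Wassenaar, O=Calmus BV'), the default username field CN with its 64-character limit, and the three matching modes of --verify-x509-name (subject, name, name-prefix); the sample subjects and the host name vpn.example.invalid are constructed for the example. Running it on the subject string quoted in the log shows that the failure is raised by the CN extraction step, because that subject string carries C, L and O attributes but no CN.

```python
"""Model of the OpenVPN 2.3 client-side subject checks (added illustration, not OpenVPN code).

OpenVPN renders the server certificate subject as a one-line string such as
'C=nl, L=Wassenaar, O=Calmus BV', then (1) extracts the field named by
--x509-username-field (CN by default, at most 64 characters) and, on the leaf
certificate, (2) applies --verify-x509-name when it is configured. A failure in
step (1) is what prints "VERIFY ERROR: could not extract CN from X509 subject string".
"""
import re

TLS_USERNAME_LEN = 64  # OpenVPN's limit for the extracted username field


def parse_subject(subject):
    """Split a one-line subject into an ordered list of (attribute, value) pairs.

    Commas inside a value are expected to be escaped as '\\,' and are not split on.
    """
    parts = []
    for item in re.split(r'(?<!\\),\s*', subject):
        if not item:
            continue
        key, sep, value = item.partition('=')
        if not sep:
            raise ValueError(f"malformed subject component: {item!r}")
        parts.append((key.strip(), value.replace('\\,', ',')))
    return parts


def extract_field(subject, field='CN', max_len=TLS_USERNAME_LEN):
    """Return the value of `field` from the subject, or None when the attribute is absent.

    None is the condition that produces the VERIFY ERROR seen in the client log.
    """
    for key, value in parse_subject(subject):
        if key == field:
            return value[:max_len]
    return None


def verify_x509_name(subject, expected, mode='subject'):
    """Mimic --verify-x509-name <expected> [subject|name|name-prefix]."""
    if mode == 'subject':
        return subject == expected
    cn = extract_field(subject)
    if cn is None:
        return False
    if mode == 'name':
        return cn == expected
    if mode == 'name-prefix':
        return cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name mode: {mode!r}")


def check_server_cert(subject, expected_name=None, mode='subject'):
    """Run the checks in order and return (ok, log_message).

    expected_name=None models a client without --verify-x509-name; even then the
    CN extraction step still has to succeed for the leaf certificate.
    """
    cn = extract_field(subject)
    if cn is None:
        return False, (f"VERIFY ERROR: could not extract CN from X509 subject string "
                       f"('{subject}') -- note that the username length is limited "
                       f"to {TLS_USERNAME_LEN} characters")
    if expected_name is not None and not verify_x509_name(subject, expected_name, mode):
        return False, f"VERIFY X509NAME ERROR: {subject}, must be {expected_name}"
    return True, f"VERIFY OK: {subject}"


if __name__ == '__main__':
    # Constructed samples: the subject from the log, and one with a CN added.
    for subj in ('C=nl, L=Wassenaar, O=Calmus BV',
                 'C=nl, L=Wassenaar, O=Calmus BV, CN=vpn.example.invalid'):
        ok, message = check_server_cert(subj, 'vpn.example.invalid', 'name')
        print(('OK  ' if ok else 'FAIL'), message)
```

The point of the model is the order of the checks: turning off name verification only removes the second step, while the first step still requires a CN (or whatever --x509-username-field names) in the leaf certificate's subject, so a certificate whose subject has no CN fails either way and the durable fix is a server certificate whose subject includes one.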