TLS Error: TLS handshake failed, TLS Error: local/remote TLS keys are out of sync


My rock-solid OpenVPN server dropped every connection at once. A quick inspection of the server logs showed:

2022-01-17 11:07:28 us=339922 MULTI: multi_create_instance called
2022-01-17 11:07:28 us=340120 x.x.x.x:65086 Re-using SSL/TLS context
2022-01-17 11:07:28 us=340967 x.x.x.x:65086 LZO compression initializing
2022-01-17 11:07:28 us=341993 x.x.x.x:65086 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-01-17 11:07:28 us=342065 x.x.x.x:65086 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-01-17 11:07:28 us=342206 x.x.x.x:65086 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
2022-01-17 11:07:28 us=342246 x.x.x.x:65086 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
2022-01-17 11:07:28 us=342351 x.x.x.x:65086 TLS: Initial packet from [AF_INET6]::ffff:x.x.x.x:65086, sid=33e4c66f df7fe02b

And on the client machine:

Jan 17 11:08:22 claptrap openvpn[12231]: TLS: Initial packet from [AF_INET]y.y.y.y:1194, sid=c5357c72 f8ffdb04
Jan 17 11:08:22 claptrap openvpn[12231]: VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, name=xxx, emailAddress=xxx, serial=xxx
Jan 17 11:08:22 claptrap openvpn[12231]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Jan 17 11:08:22 claptrap openvpn[12231]: TLS_ERROR: BIO read tls_read_plaintext error
Jan 17 11:08:22 claptrap openvpn[12231]: TLS Error: TLS object -> incoming plaintext read error
Jan 17 11:08:22 claptrap openvpn[12231]: TLS Error: TLS handshake failed
Jan 17 11:08:22 claptrap openvpn[12231]: SIGUSR1[soft,tls-error] received, process restarting
Jan 17 11:08:22 claptrap openvpn[12231]: Restart pause, 5 second(s)

Normally I would assume some ISP problem, or a firewall that had started to block the OpenVPN port. But today was different, because I also saw this kind of error:

TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:

Restarting and checking every client didn't bring the connections and tunnels back, so I checked the one thing left: my CA cert, and... voilà... 10 years had passed...

dom# cd /usr/pkg/etc/openvpn/
dom# openssl x509 -in ca.crt -dates -noout
notBefore=Jan 20 07:53:20 2012 GMT
notAfter=Jan 17 07:53:20 2022 GMT

At this stage, the one and only way to fix this is to regenerate the CA certificate, issue new certificates for the clients and sign them with the new CA. Oh... Mondays!
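To keep the CA's notAfter from being a surprise again, here is an added example (not part of the original post) that turns the `openssl x509 -dates` check above into a pre-flight script for an OpenVPN config directory: it warns when any certificate expires within a window and builds a throwaway one-day CA so it can be run offline. It assumes the openssl CLI is on PATH; the 30-day default window and the test CA are constructed values.

```shell
#!/bin/sh
# Added example: expiry check for OpenVPN CA and issued certs. Assumes the
# openssl CLI is installed; the 30-day window is a constructed default.

# Print the validity window (as the post did with -dates), then return 0 when
# the cert is still valid at least $2 seconds from now and 1 when it expires
# inside that window or has already expired. 'openssl x509 -checkend' does
# the date arithmetic, so no GNU 'date -d' is needed.
check_cert_expiry() {
    cert=$1
    window=${2:-2592000}   # 30 days in seconds (constructed default)
    openssl x509 -in "$cert" -dates -noout
    if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "OK: $cert valid for at least $window s"
        return 0
    fi
    echo "WARN: $cert expires within $window s (or is already expired)"
    return 1
}

# Check every *.crt in an OpenVPN config directory (ca.crt included). An
# expired CA takes every client down at once: depth=1 in the client's
# VERIFY ERROR refers to the issuer, not to the client's own certificate.
check_openvpn_dir() {
    dir=$1
    window=${2:-2592000}
    rc=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        check_cert_expiry "$f" "$window" || rc=1
    done
    return $rc
}

# Constructed test fixture: a self-signed CA valid for one day, so the checks
# above can be exercised without touching a real /usr/pkg/etc/openvpn.
make_test_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}
```

Run `check_openvpn_dir /usr/pkg/etc/openvpn` from cron; a non-zero exit means something in that directory expires within the window.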
