OpenVPN SSL Peer Certificate Verification Error

Hi,

We have an XGS2300 (SFOS 19.5.3 MR-3-Build652) with an SSL Remote Access VPN with OpenVPN clients.

Not sure if this was a Sophos or OpenVPN issue but I had to start somewhere.

I had a user call last night with a Peer Certificate Verification Error. When I tested my connection, I got the same error. Connected to Sophos Central, looked around, all looked ok. I hadn't changed anything and actually my own VPN was working fine earlier in the day. We did renew our certificate recently but this was a couple weeks ago. The previous (now expired) cert wasn't being used that I know of but did expire yesterday.

I changed the VPN cert to the appliance cert in a panic, same result. Changed it back again. A couple minutes later I tested and it worked. No idea why. As far as I know, I changed nothing.

I assume the expiring old cert did something, but for the life of me I can't figure out why it worked, then didn't, then did again.

Thanks,

Jeff



  • I had a few clients with exactly the same problem. My workaround was on OpenVPN client --> Settings --> Advanced settings --> Security = Allow INSECURE cryptographic mechanisms.

  • Was this change required for a 3rd-party certificate, a self-signed certificate, or the Appliance certificate?

  • Among 30 SSLVPN users with Android clients, only a few of them had problems. It was the Appliance certificate, default install, it is valid till 2038, self-signing CA also.

    The weird thing was, the customer called, I tried on my Samsung S21, and it worked. Then I tried another VPN user, oops... problem. Compared the working and non-working users' certificates and could not find differences.

    So I came up with the mentioned workaround. I am not paid well enough to dig into the problem in depth.
