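[Operation issue] Synology: TLS Error on OpenVPN connection after adding a real cert

Before adding the real cert there was no problem at all. Ever since I added the real cert, the following error appears when connecting with OpenVPN: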

Thu Apr 28 10:37:00 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Thu Apr 28 10:37:00 2016 Windows version 6.1 (Windows 7)
Thu Apr 28 10:37:00 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.09
Thu Apr 28 10:37:04 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 28 10:37:05 2016 Attempting to establish TCP connection with [AF_INET]xxx.176.xxx.172:8625 [nonblock]
Thu Apr 28 10:37:06 2016 TCP connection established with [AF_INET]xxx.176.xxx.172:8625
Thu Apr 28 10:37:06 2016 TCPv4_CLIENT link local: [undef]
Thu Apr 28 10:37:06 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.176.xxx.172:8625
Thu Apr 28 10:37:06 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 28 10:37:06 2016 VERIFY ERROR: depth=2, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Thu Apr 28 10:37:06 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Apr 28 10:37:06 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Apr 28 10:37:06 2016 TLS Error: TLS handshake failed
Thu Apr 28 10:37:06 2016 Fatal TLS error (check_tls_errors_co), restarting
Thu Apr 28 10:37:06 2016 SIGUSR1[soft,tls-error] received, process restarting



I have already tried reinstalling OpenVPN, exporting the cert again and reconnecting, and it is still the same. Does anyone know why?

Reply to 1# hackentsui


Did you add the Intermediate Cert from COMODO?


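Have you tried retrieving ca.crt, server.crt and server.key from DSM again
and pasting them back into config.open?
I have never tried a real cert, so I am only guessing.
Looking forward to you sharing the result.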


Reply to hackentsui


Did you add the Intermediate Cert from COMODO?
ngsamson posted on 2016-4-28 10:53


Yup, already installed on the DSM security pages, Photo Station can be reached via https without any warning...


Yup, already installed on the DSM security pages, Photo Station can be reached via https without any warning... ...
hackentsui posted on 2016-4-28 12:20


https://www.ssllabs.com/ssltest/
https://www.digicert.com/help/

Check it with sites like these.
Sometimes IE says the cert is OK but the cert chain is actually not valid.
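
The log in the first post fails with `unable to get issuer certificate` at depth=2. As an added example (not from the thread, Synology or OpenVPN), the script below reproduces that OpenSSL verification result on a constructed four-level chain whose CA bundle holds the certificate at depth 2 but not its issuer, then shows the same server certificate verifying once the bundle reaches the self-signed root. All certificate names, file names and the helper functions `issue`, `build_chain` and `check` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Constructed chain, all names made up: root -> ca2 -> ca1 -> server
set -eu

issue() {  # issue <dir> <name> <CN> <extension section> [issuer name]
  local d=$1 name=$2 cn=$3 ext=$4 issuer=${5:-}
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then   # no issuer given: self-signed root
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 2 \
      -extfile "$d/x.cnf" -extensions "$ext" -out "$d/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.crt" \
      -CAkey "$d/$issuer.key" -set_serial 1 -days 2 \
      -extfile "$d/x.cnf" -extensions "$ext" -out "$d/$name.crt" 2>/dev/null
  fi
}

build_chain() {  # build_chain <dir>: writes keys, certs and two client CA bundles
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = placeholder' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[leaf]' 'basicConstraints = CA:FALSE' >"$d/x.cnf"
  issue "$d" root   "Constructed Root CA" ca
  issue "$d" ca2    "Constructed CA 2"    ca   root
  issue "$d" ca1    "Constructed CA 1"    ca   ca2
  issue "$d" server "vpn.example.test"    leaf ca1
  # Bundle that stops at ca2 (depth 2 from the server cert), root missing
  cat "$d/ca1.crt" "$d/ca2.crt" >"$d/ca-incomplete.crt"
  # Bundle that continues up to the self-signed root
  cat "$d/ca1.crt" "$d/ca2.crt" "$d/root.crt" >"$d/ca-complete.crt"
}

check() {  # check <CA bundle> <cert>: print openssl's verdict without aborting
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

main() {
  local d
  d=$(mktemp -d)
  build_chain "$d"
  echo "--- CA bundle without the root:"
  check "$d/ca-incomplete.crt" "$d/server.crt"
  echo "--- CA bundle with the root:"
  check "$d/ca-complete.crt" "$d/server.crt"
  rm -rf "$d"
}
main
```

The same `openssl verify -CAfile ca.crt server.crt` check can be run offline against the ca.crt and server.crt files exported from DSM.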


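Have you tried not using TLS?
Also, is the encryption method of your cert the same as your Router/NAS setting, for example AES256, whether it uses 1024 or 2048 bit, and so on?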
