Cannot load certificate file in builds 1581 & 1589


brianfeucht

Posts: 1
Joined: Thu Jan 17, 2019 2:43 am

Post by brianfeucht » Thu Jan 17, 2019 2:49 am
Multiple users on my team are running into this issue. When we update our Viscosity client to Version 1.7.13 Builds 1581 or 1589 we are not able to connect to our VPN service.

Failure state:
Jan 16 10:46:07: State changed to Connecting
Jan 16 10:46:07: Viscosity Windows 1.7.13 (1589)
Jan 16 10:46:07: Running on Microsoft Windows 10 Pro
Jan 16 10:46:07: Running on .NET Framework Version 4.7.03062.461814
Jan 16 10:46:07: Bringing up interface...
Jan 16 10:46:08: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Jan 15 2019
Jan 16 10:46:08: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.09
Jan 16 10:46:08: Checking remote host "*.*.*.*" is reachable...
Jan 16 10:46:08: Server reachable. Connecting to *.*.*.*.
Jan 16 10:46:09: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 16 10:46:09: OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
Jan 16 10:46:09: OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Jan 16 10:46:09: Cannot load certificate file C:\Users\user\AppData\Roaming\Viscosity\OpenVPN\2\cert.crt
Jan 16 10:46:09: Exiting due to fatal error
Jan 16 10:46:09: State changed to Disconnected

Logs for when we roll back to 1.7.12 using the same user and cert file:
Jan 16 10:44:01: State changed to Connecting
Jan 16 10:44:01: Viscosity Windows 1.7.12 (1581)
Jan 16 10:44:01: Running on Microsoft Windows 10 Pro
Jan 16 10:44:01: Running on .NET Framework Version 4.7.03062.461814
Jan 16 10:44:01: Bringing up interface...
Jan 16 10:44:01: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2018
Jan 16 10:44:01: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.09
Jan 16 10:44:02: Checking remote host "*.*.*.*" is reachable...
Jan 16 10:44:02: Server reachable. Connecting to *.*.*.*.
Jan 16 10:44:03: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 16 10:44:03: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1194
Jan 16 10:44:03: UDP link local (bound): [AF_INET][undef]:1194
Jan 16 10:44:03: UDP link remote: [AF_INET]*.*.*.*:1194
Jan 16 10:44:03: State changed to Authenticating
Jan 16 10:44:04: TLS Error: local/remote TLS keys are out of sync: [AF_INET]*.*.*.*:1194 [0]
Jan 16 10:44:04: [server] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Jan 16 10:44:05: State changed to Connecting
Jan 16 10:44:06: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Jan 16 10:44:06: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Jan 16 10:44:06: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Jan 16 10:44:06: open_tun
Jan 16 10:44:06: TAP-WIN32 device [AWS EC2 Classic] opened: \\.\Global\{09AD6841-6227-42FA-9E3F-4BB51FF1986C}.tap
Jan 16 10:44:06: Notified TAP-Windows driver to set a DHCP IP/netmask of *.*.*.*/255.255.255.252 on interface {09AD6841-6227-42FA-9E3F-4BB51FF1986C} [DHCP-serv: *.*.*.*, lease-time: 31536000]
Jan 16 10:44:06: Successful ARP Flush on interface [2] {09AD6841-6227-42FA-9E3F-4BB51FF1986C}
Jan 16 10:44:06: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 16 10:44:10: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 16 10:44:10: Initialization Sequence Completed
Jan 16 10:44:11: State changed to Connected
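
An added example, not part of the original post and not Viscosity or OpenVPN code: a check for the PEM framing defects that commonly produce OpenSSL's `bad end line` error, which can be run over the bytes of the `cert.crt` named in the failing log. The thread does not say which defect, if any, was present; the function name and sample inputs are constructed for illustration.

```python
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def check_pem_framing(data):
    """Return a list of framing problems in a PEM certificate file (empty = clean)."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte order mark before the first line")
        data = data[3:]
    text = data.decode("ascii", errors="replace")
    if not text.endswith("\n"):
        findings.append("no newline after the last line")
    label, body = None, []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()          # CR and trailing blanks are tolerated
        if label is None:
            m = BEGIN_RE.match(stripped)
            if m:
                label, body = m.group(1), []
            continue                      # text outside a block is ignored
        if "-" in stripped:               # base64 has no '-', so this must be the END marker
            m = END_RE.match(stripped)
            if not m:
                findings.append(f"line {n}: END marker malformed or not on its own line")
            elif m.group(1) != label:
                findings.append(f"line {n}: END label does not match BEGIN {label}")
            # Assumption: strict 64-column wrapping, as older OpenSSL PEM readers expect.
            findings += [f"body line {k}: {len(b)} chars, expected 64"
                         for k, b in enumerate(body[:-1], 1) if len(b) != 64]
            label = None
            continue
        if not B64_RE.match(stripped):
            findings.append(f"line {n}: non-base64 characters in body")
        body.append(stripped)
    if label is not None:
        findings.append("BEGIN line without a matching END line")
    return findings

# Constructed sample: valid framing around placeholder base64, not a real certificate.
GOOD = (b"-----BEGIN CERTIFICATE-----\n" + b"A" * 64 + b"\nQUJD\n"
        b"-----END CERTIFICATE-----\n")
JOINED = GOOD.replace(b"QUJD\n", b"QUJD")  # END marker glued to the last body line

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("joined", JOINED)):
        print(name, check_pem_framing(sample))
```

Only the certificate should be checked or shared this way; the private key file stays out of any report.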

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Jan 17, 2019 12:18 pm
Hi Brian,

Thanks for reporting this. Are you able to send us a copy of your cert file (only the cert file, not the key) and your config file?

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Jan 17, 2019 7:11 pm
Hi Brian,

I think we've found the underlying issue. We've just released 1.7.13.1 Beta 1 to our beta stream which will hopefully resolve this issue. We'd highly appreciate it if you could grab the beta and let us know if the problem still occurs!

https://sparklabs.com/support/kb/articl ... -versions/

Regards,
Eric

ludwig.gramberg

Posts: 2
Joined: Wed Dec 12, 2018 10:53 am

Post by ludwig.gramberg » Thu Jan 17, 2019 10:45 pm
I have the same problem and can confirm that the beta (1590) fixes this.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Jan 18, 2019 3:25 am
Thanks Ludwig!