
Cannot load certificate file in builds 1581 & 1589

Posted: Thu Jan 17, 2019 2:49 am
by brianfeucht
Multiple users on my team are running into this issue. When we update our Viscosity client to Version 1.7.13 Builds 1581 or 1589 we are not able to connect to our VPN service.

Failure state:
Jan 16 10:46:07: State changed to Connecting
Jan 16 10:46:07: Viscosity Windows 1.7.13 (1589)
Jan 16 10:46:07: Running on Microsoft Windows 10 Pro
Jan 16 10:46:07: Running on .NET Framework Version 4.7.03062.461814
Jan 16 10:46:07: Bringing up interface...
Jan 16 10:46:08: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on Jan 15 2019
Jan 16 10:46:08: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.09
Jan 16 10:46:08: Checking remote host "*.*.*.*" is reachable...
Jan 16 10:46:08: Server reachable. Connecting to *.*.*.*.
Jan 16 10:46:09: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 16 10:46:09: OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
Jan 16 10:46:09: OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Jan 16 10:46:09: Cannot load certificate file C:\Users\user\AppData\Roaming\Viscosity\OpenVPN\2\cert.crt
Jan 16 10:46:09: Exiting due to fatal error
Jan 16 10:46:09: State changed to Disconnected
Logs for when we roll back to 1.7.12 using the same user and cert file:
Jan 16 10:44:01: State changed to Connecting
Jan 16 10:44:01: Viscosity Windows 1.7.12 (1581)
Jan 16 10:44:01: Running on Microsoft Windows 10 Pro
Jan 16 10:44:01: Running on .NET Framework Version 4.7.03062.461814
Jan 16 10:44:01: Bringing up interface...
Jan 16 10:44:01: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2018
Jan 16 10:44:01: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.09
Jan 16 10:44:02: Checking remote host "*.*.*.*" is reachable...
Jan 16 10:44:02: Server reachable. Connecting to *.*.*.*.
Jan 16 10:44:03: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 16 10:44:03: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1194
Jan 16 10:44:03: UDP link local (bound): [AF_INET][undef]:1194
Jan 16 10:44:03: UDP link remote: [AF_INET]*.*.*.*:1194
Jan 16 10:44:03: State changed to Authenticating
Jan 16 10:44:04: TLS Error: local/remote TLS keys are out of sync: [AF_INET]*.*.*.*:1194 [0]
Jan 16 10:44:04: [server] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Jan 16 10:44:05: State changed to Connecting
Jan 16 10:44:06: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Jan 16 10:44:06: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Jan 16 10:44:06: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Jan 16 10:44:06: open_tun
Jan 16 10:44:06: TAP-WIN32 device [AWS EC2 Classic] opened: \\.\Global\{09AD6841-6227-42FA-9E3F-4BB51FF1986C}.tap
Jan 16 10:44:06: Notified TAP-Windows driver to set a DHCP IP/netmask of *.*.*.*/255.255.255.252 on interface {09AD6841-6227-42FA-9E3F-4BB51FF1986C} [DHCP-serv: *.*.*.*, lease-time: 31536000]
Jan 16 10:44:06: Successful ARP Flush on interface [2] {09AD6841-6227-42FA-9E3F-4BB51FF1986C}
Jan 16 10:44:06: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 16 10:44:10: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 16 10:44:10: Initialization Sequence Completed
Jan 16 10:44:11: State changed to Connected
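
The failing log stops at OpenSSL's `PEM_read_bio:bad end line`, which is reported when a PEM block's END boundary line is malformed or does not match its BEGIN line. The following is an added example, not part of the original posts and not Viscosity or OpenVPN code: a structural check that can be run over the text of the certificate file named in the log. The function name `lint_pem` and the sample data are constructed for illustration, and the check assumes a plain certificate block with no PEM header lines.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")


def lint_pem(text):
    """Return a list of (line_number, problem) for structural PEM defects."""
    problems = []
    label, begin_line, body = None, 0, []   # state of the block currently open
    for n, line in enumerate(text.splitlines(), 1):
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if label is None:
            if begin:
                label, begin_line, body = begin.group(1), n, []
            elif end:
                problems.append((n, "END line without a matching BEGIN"))
            continue                         # text outside a block is skipped
        if end:
            if end.group(1) != label:
                problems.append(
                    (n, f"END label {end.group(1)!r} does not match BEGIN {label!r}"))
            try:
                base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append((begin_line, "body is not valid base64"))
            label = None
        elif "-----" in line:                # boundary glued to data or truncated
            problems.append((n, "malformed boundary line inside block"))
        else:
            body.append(line.strip())
    if label is not None:
        problems.append((begin_line, f"BEGIN {label!r} has no END line"))
    return problems


# Constructed sample data: base64 of filler bytes, not a real certificate.
B64 = base64.encodebytes(b"constructed sample, not a real certificate " * 3).decode()
GOOD = "-----BEGIN CERTIFICATE-----\n" + B64 + "-----END CERTIFICATE-----\n"
GLUED = GOOD.replace("\n-----END", "-----END")        # newline before END lost
MISMATCH = GOOD.replace("END CERTIFICATE", "END RSA PRIVATE KEY")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("glued", GLUED), ("mismatch", MISMATCH)):
        print(name, lint_pem(sample))
```

An empty result means the BEGIN/END framing and base64 body are intact; it does not validate the certificate's contents or chain.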

Re: Cannot load certificate file in builds 1581 & 1589

Posted: Thu Jan 17, 2019 12:18 pm
by Eric
Hi Brian,

Thanks for reporting this. Are you able to send us a copy of your cert file (only the cert file, not the key) and your config file?

Regards,
Eric

Re: Cannot load certificate file in builds 1581 & 1589

Posted: Thu Jan 17, 2019 7:11 pm
by Eric
Hi Brian,

I think we've found the underlying issue. We've just released 1.7.13.1 Beta 1 to our beta stream which will hopefully resolve this issue. We'd highly appreciate it if you could grab the beta and let us know if the problem still occurs!

https://sparklabs.com/support/kb/articl ... -versions/

Regards,
Eric

Re: Cannot load certificate file in builds 1581 & 1589

Posted: Thu Jan 17, 2019 10:45 pm
by ludwig.gramberg
I have the same problem and can confirm that the beta (1590) fixes this

Re: Cannot load certificate file in builds 1581 & 1589

Posted: Fri Jan 18, 2019 3:25 am
by Eric
Thanks Ludwig!