Open
Description
As requested by Gert.... using EduVPN (which deploys short-lived client certs to the OpenVPN clients) the error message on an expired client cert is misleading.
```
2025-12-09 21:24:45 TLS: Initial packet from [AF_INET6]2001:4ca0:0:123::81bb:7a6:1194, sid=8ef5e9f0 2a7bb487
2025-12-09 21:24:45 VERIFY OK: depth=1, CN=VPN CA
2025-12-09 21:24:45 VERIFY KU OK
2025-12-09 21:24:45 Validating certificate extended key usage
2025-12-09 21:24:45 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-12-09 21:24:45 VERIFY EKU OK
2025-12-09 21:24:45 VERIFY OK: depth=0, OU=lrz-split-ov, CN=eduvpn-n17.srv.lrz.de
2025-12-09 21:24:45 tls-crypt unwrap error: bad packet ID (may be a replay): [ #2 / time = (1765311885) 2025-12-09 21:24:45 ] -- see the man page entry for --replay-window for more info or silence this warning with --mute-replay-warnings
2025-12-09 21:24:45 tls-crypt unwrap error: packet replay
2025-12-09 21:24:45 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4ca0:0:123::81bb:7a6:1194
2025-12-09 21:24:47 tls-crypt unwrap error: bad packet ID (may be a replay): [ #3 / time = (1765311885) 2025-12-09 21:24:45 ] -- see the man page entry for --replay-window for more info or silence this warning with --mute-replay-warnings
2025-12-09 21:24:47 tls-crypt unwrap error: packet replay
2025-12-09 21:24:47 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4ca0:0:123::81bb:7a6:1194
2025-12-09 21:24:47 tls-crypt unwrap error: bad packet ID (may be a replay): [ #4 / time = (1765311885) 2025-12-09 21:24:45 ] -- see the man page entry for --replay-window for more info or silence this warning with --mute-replay-warnings
2025-12-09 21:24:47 tls-crypt unwrap error: packet replay
2025-12-09 21:24:47 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4ca0:0:123::81bb:7a6:1194
2025-12-09 21:25:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-12-09 21:25:45 TLS Error: TLS handshake failed
2025-12-09 21:25:45 SIGUSR1[soft,tls-error] received, process restarting
2025-12-09 21:25:45 Restart pause, 300 second(s)
```
tls-crypt is actually fine (or at least it should be, since a refreshed configuration has exactly the same static key).
The client is a 2.7_rc3, the server a 2.6.3.
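A log triage heuristic for the pattern in this report, as an added example that is not part of the original issue or of OpenVPN's code: it flags handshake attempts where the server certificate verified, tls-crypt replay errors followed, and key negotiation then timed out, and points the operator at the client certificate's expiry first. The function name `triage` and the hint wording are assumptions; the sample log is abridged from the report.

```python
import re

# Sample input, abridged from the client log in the report above.
SAMPLE_LOG = """\
2025-12-09 21:24:45 VERIFY OK: depth=1, CN=VPN CA
2025-12-09 21:24:45 VERIFY OK: depth=0, OU=lrz-split-ov, CN=eduvpn-n17.srv.lrz.de
2025-12-09 21:24:45 tls-crypt unwrap error: packet replay
2025-12-09 21:24:45 TLS Error: tls-crypt unwrapping failed from [AF_INET6]2001:4ca0:0:123::81bb:7a6:1194
2025-12-09 21:24:47 tls-crypt unwrap error: packet replay
2025-12-09 21:25:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-12-09 21:25:45 TLS Error: TLS handshake failed
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
HINT = ("server certificate verified before the replay errors; check the "
        "client certificate's notAfter before touching --replay-window "
        "or the tls-crypt key")

def triage(log_text):
    """Return one finding per handshake attempt that matches the report's
    sequence: depth=0 VERIFY OK, tls-crypt replay errors, negotiation timeout."""
    findings = []
    verified_at, replays = None, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # skip lines without a timestamp
        ts, msg = m.groups()
        if msg.startswith("TLS: Initial packet from"):
            verified_at, replays = None, 0   # a new attempt starts here
        elif msg.startswith("VERIFY OK: depth=0"):
            verified_at = ts              # peer (server) leaf cert accepted
        elif msg == "tls-crypt unwrap error: packet replay":
            replays += 1
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            # A timeout alone is an ordinary connectivity failure; only the
            # full sequence from the report is flagged.
            if verified_at and replays:
                findings.append({"server_verified_at": verified_at,
                                 "replay_errors": replays,
                                 "timeout_at": ts, "hint": HINT})
            verified_at, replays = None, 0
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A match is a prompt to inspect the client certificate, not proof that it has expired.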