I fail to reproduce the problem. See below the test I performed. Please perform the same test on your side. Preparation: $ mkdir /tmp/bug1294479 $ cd /tmp/bug1294479 Installation: $ wget https://launchpad.net/rohc/iprohc-0.7.x/iprohc-0.7.1/+download/iprohc-0.7.1.tar.gz $ tar xzf iprohc-0.7.1.tar.gz $ cd iprohc-0.7.1 $ cmake CMakeLists.txt -DCMAKE_INSTALL_PREFIX=/usr -- The C compiler identification is GNU 4.7.3 -- Check for working C compiler: /usr/bin/cc -- Check for working C compiler: /usr/bin/cc -- works -- Detecting C compiler ABI info -- Detecting C compiler ABI info - done Building from release sources Checking for threads -- Looking for include file pthread.h -- Looking for include file pthread.h - found -- Looking for pthread_create -- Looking for pthread_create - not found -- Looking for pthread_create in pthreads -- Looking for pthread_create in pthreads - not found -- Looking for pthread_create in pthread -- Looking for pthread_create in pthread - found -- Found Threads: TRUE Checking for ROHC -- Found PkgConfig: /usr/bin/pkg-config (found version "0.28") -- checking for module 'rohc' -- found rohc, version 1.7.0 -- Found ROHC: 1.7.0 -- Looking for rohc_compress2 in rohc_comp -- Looking for rohc_compress2 in rohc_comp - found Checking for libnetlink -- Header libnetlink.h found at /usr/include/libnetlink.h -- Performing Test NEW_RTNL -- Performing Test NEW_RTNL - Success -- Using new rtnl_talk prototype Checking for collectd -- Stats with collectd disabled Checking for GnuTLS -- checking for module 'gnutls' -- found gnutls, version 2.12.23 -- Found GnuTLS: /usr/lib/libgnutls.so Checking for threads Checking for GnuTLS Checking for libyaml -- Found components for YAML -- YAML_ROOT_DIR = /usr -- YAML_INCLUDES = /usr/include -- YAML_LIBRARIES = /usr/lib/libyaml.so Stats with collectd disabled -- Configuring done -- Generating done -- Build files have been written to: /tmp/bug1294479/iprohc-0.7.1 $ make all Scanning dependencies of target iprohc_common [ 9%] Building C object common/CMakeFiles/iprohc_common.dir/rohc_tunnel.c.o [ 18%] Building C object common/CMakeFiles/iprohc_common.dir/tun_helpers.c.o [ 27%] Building C object common/CMakeFiles/iprohc_common.dir/tlv.c.o Linking C shared library libiprohc_common.so [ 27%] Built target iprohc_common Scanning dependencies of target iprohc_client [ 36%] Building C object client/CMakeFiles/iprohc_client.dir/client.c.o [ 45%] Building C object client/CMakeFiles/iprohc_client.dir/messages.c.o [ 54%] Building C object client/CMakeFiles/iprohc_client.dir/tls.c.o Linking C executable iprohc_client [ 54%] Built target iprohc_client Scanning dependencies of target iprohc_server [ 63%] Building C object server/CMakeFiles/iprohc_server.dir/server.c.o [ 72%] Building C object server/CMakeFiles/iprohc_server.dir/client.c.o [ 81%] Building C object server/CMakeFiles/iprohc_server.dir/messages.c.o [ 90%] Building C object server/CMakeFiles/iprohc_server.dir/tls.c.o [100%] Building C object server/CMakeFiles/iprohc_server.dir/config.c.o Linking C executable iprohc_server [100%] Built target iprohc_server $ su - (type your root password) # cd /tmp/bug1294479/iprohc-0.7.1 # make install [ 27%] Built target iprohc_common [ 54%] Built target iprohc_client [100%] Built target iprohc_server Install the project... -- Install configuration: "" -- Installing: /usr/lib/libiprohc_common.so -- Installing: /usr/include/iprohc_common/rohc_tunnel.h -- Installing: /usr/include/iprohc_common/tlv.h -- Installing: /usr/include/iprohc_common/tun_helpers.h -- Installing: /usr/bin/iprohc_client -- Removed runtime path from "/usr/bin/iprohc_client" -- Installing: /usr/bin/iprohc_server -- Removed runtime path from "/usr/bin/iprohc_server" # cp server/iprohc_server.conf /etc/ # exit $ cd .. Create CA: $ /etc/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ..++++++ .....++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:ca Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: f8:b0:b2:11:f0:d7:3f:c2 Validity Not Before: Mar 19 18:50:51 2014 GMT Not After : Mar 18 18:50:51 2017 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = ca X509v3 extensions: X509v3 Subject Key Identifier: 83:42:4C:55:F4:09:17:BC:26:C5:7F:FC:4F:F7:C2:05:07:36:E0:02 X509v3 Authority Key Identifier: keyid:83:42:4C:55:F4:09:17:BC:26:C5:7F:FC:4F:F7:C2:05:07:36:E0:02 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Mar 18 18:50:51 2017 GMT (1095 days) Write out database with 1 new entries Data Base Updated Create server certificate: $ /etc/ssl/misc/CA.pl -newreq Generating a 1024 bit RSA private key .........................................................++++++ ...++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:server Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem $ /etc/ssl/misc/CA.pl -sign Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: f8:b0:b2:11:f0:d7:3f:c3 Validity Not Before: Mar 19 18:51:24 2014 GMT Not After : Mar 19 18:51:24 2015 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = server X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 36:F2:E3:1F:56:38:5F:04:E2:C1:81:28:6E:D8:8C:E1:6A:AE:00:F1 X509v3 Authority Key Identifier: keyid:83:42:4C:55:F4:09:17:BC:26:C5:7F:FC:4F:F7:C2:05:07:36:E0:02 Certificate is to be certified until Mar 19 18:51:24 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem $ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export Enter pass phrase for newkey.pem: Enter Export Password: Verifying - Enter Export Password: $ mkdir demoCA/certs/server $ mv new* demoCA/certs/server/ Create client certificate: $ /etc/ssl/misc/CA.pl -newreq Generating a 1024 bit RSA private key .................++++++ ..++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:client1 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem $ /etc/ssl/misc/CA.pl -sign Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: f8:b0:b2:11:f0:d7:3f:c4 Validity Not Before: Mar 19 18:52:49 2014 GMT Not After : Mar 19 18:52:49 2015 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = client1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B0:B0:93:A3:1B:3D:F1:4E:FF:B9:69:36:65:1E:F4:41:34:CD:8E:A1 X509v3 Authority Key Identifier: keyid:83:42:4C:55:F4:09:17:BC:26:C5:7F:FC:4F:F7:C2:05:07:36:E0:02 Certificate is to be certified until Mar 19 18:52:49 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem $ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export Enter pass phrase for newkey.pem: Enter Export Password: Verifying - Enter Export Password: $ mkdir demoCA/certs/client1 $ mv new* demoCA/certs/client1/ Install the server certificate: $ su - (type root password) # cp /tmp/bug1294479/demoCA/certs/server/newcert.p12 /etc/ssl/server_voip.p12 # chmod go-rwx /etc/ssl/server_voip.p12 # ls -l /etc/ssl/server_voip.p12 -rw------- 1 root root 2373 19 mars 19:56 /etc/ssl/server_voip.p12 # exit Start the server: # su - (type root password) # tail -f /var/log/messages | grep iprohc_server & # /usr/bin/iprohc_server -b wlan0 # replace wlan0 by the name of your network interface Mar 19 19:58:18 xxxx iprohc_server[6823]: load server certificate from file '/etc/ssl/server_voip.p12' Mar 19 19:58:18 xxxx iprohc_server[6823]: generate Diffie–Hellman parameters (it takes a few seconds) Mar 19 19:58:19 xxxx iprohc_server[6823]: listen on TCP 0.0.0.0:3126 Mar 19 19:58:19 xxxx iprohc_server[6823]: create TUN interface Mar 19 19:58:19 xxxx iprohc_server[6823]: MTU of underlying interface 'wlan0' set to 1500 bytes Mar 19 19:58:19 xxxx iprohc_server[6823]: MTU of tunnel interface 'tun_ipip' set to 1458 bytes Mar 19 19:58:19 xxxx iprohc_server[6823]: start TUN routing thread Mar 19 19:58:19 xxxx iprohc_server[6823]: create RAW socket Mar 19 19:58:19 xxxx iprohc_server[6823]: start RAW routing thread Mar 19 19:58:19 xxxx iprohc_server[6823]: server is now ready to accept requests from clients Mar 19 19:58:19 xxxx iprohc_server[6823]: Initializing routing thread Mar 19 19:58:19 xxxx iprohc_server[6823]: Initializing routing thread Start the client (on another console): # su - (type root password) # tail -f /var/log/messages | grep iprohc_client & # /usr/bin/iprohc_client --remote 127.0.0.1 --dev iprohc_client1 \ --p12 /tmp/bug1294479/demoCA/certs/client1/newcert.p12 \ --basedev wlan0 # replace wlan0 by the name of your network interface Mar 19 19:59:50 xxxx iprohc_client[14628]: local address 127.0.0.1:34146 is used to contact server Mar 19 19:59:50 xxxx iprohc_client[14628]: TLS handshake succeeded Mar 19 19:59:50 xxxx iprohc_client[14628]: client certificate accepted Mar 19 19:59:50 xxxx iprohc_client[14628]: send connect message to server Mar 19 19:59:50 xxxx iprohc_client[14628]: wait for connect answer from server Mar 19 19:59:50 xxxx iprohc_client[14628]: MTU of underlying interface 'wlan0' set to 1500 bytes Mar 19 19:59:50 xxxx iprohc_client[14628]: MTU of tunnel interface 'iprohc_client1' set to 1458 bytes Mar 19 19:59:50 xxxx iprohc_client[14628]: run tunnel thread for new client On the console where server was started, you should see: Mar 19 19:59:50 xxxx iprohc_server[6823]: new connection from 127.0.0.1:34146 Mar 19 19:59:50 xxxx iprohc_server[6823]: TLS handshake succeeded Mar 19 19:59:50 xxxx iprohc_server[6823]: [127.0.0.1] Connection asked, negotating parameters Mar 19 19:59:50 xxxx iprohc_server[6823]: [127.0.0.1] Connection asked, negotating parameters (proto version 1, asked packing : 0) Mar 19 19:59:50 xxxx iprohc_server[6823]: [127.0.0.1] Connection started by client As you see, client successfully connected to server. Go back to the client console, and hit Ctrl+C to stop the client, you should see: Mar 19 20:00:12 xxxx iprohc_client[14628]: client interrupted, interrupt established session Mar 19 20:00:12 xxxx iprohc_client[14628]: send disconnect message to server On the console where server was started, you should see: Mar 19 20:00:12 xxxx iprohc_server[6823]: [127.0.0.1] Disconnection asked by client Mar 19 20:00:12 xxxx iprohc_server[6823]: wait for client thread to stop Mar 19 20:00:12 xxxx iprohc_server[6823]: client thread was asked to stop Mar 19 20:00:13 xxxx iprohc_server[6823]: remove context of client #0 Mar 19 20:00:13 xxxx iprohc_server[6823]: -------------------------------------------------- Mar 19 20:00:13 xxxx iprohc_server[6823]: client 127.0.0.1 Mar 19 20:00:13 xxxx iprohc_server[6823]: status: pending delete Mar 19 20:00:13 xxxx iprohc_server[6823]: -------------------------------------------------- On the console where server was started, hit Ctrl+C to stop the server, you should see: Mar 19 20:00:18 xxxx iprohc_server[6823]: SIGTERM or SIGINT received Mar 19 20:00:18 xxxx iprohc_server[6823]: someone asked to stop server Mar 19 20:00:18 xxxx iprohc_server[6823]: release resources of connected clients... Mar 19 20:00:18 xxxx iprohc_server[6823]: release TLS resources... Mar 19 20:00:18 xxxx iprohc_server[6823]: cancel RAW routing thread... Mar 19 20:00:18 xxxx iprohc_server[6823]: close RAW socket... Mar 19 20:00:18 xxxx iprohc_server[6823]: cancel TUN routing thread... Mar 19 20:00:18 xxxx iprohc_server[6823]: close TUN interface... Mar 19 20:00:18 xxxx iprohc_server[6823]: close TCP server socket... Mar 19 20:00:18 xxxx iprohc_server[6823]: remove pidfile '/var/run/iprohc_server.pid' Mar 19 20:00:18 xxxx iprohc_server[6823]: server stops with exit code 0 Mar 19 20:00:18 xxxx iprohc_server[6823]: close syslog session