[Pkg-openssl-devel] Bug#912864: Bug#912864: openssl: new version of openssl breaks some openvpn clients

Kurt Roeckx kurt at roeckx.be
Sun Nov 4 17:43:53 GMT 2018


On Sun, Nov 04, 2018 at 08:59:05AM -0800, James Bottomley wrote:
> Package: openssl
> Version: 1.1.1-2
> Severity: important
> 
> I've applied all the downgrades recommended to the openssl.cnf file
> and most services are now working again with the exception of openvpn.
> 
> The only failure seems to be a VPN connection to an openwrt router.
> The router is running Chaos Calmer 15.05 and has an upgraded openssl
> (to 1.0.2g-1).
> 
> The error is on the debian server side and only shows up at openvpn
> extreme verbosity:
> 
> Sun Nov  4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> 
> The full verbose negotiation is
> 
> Sun Nov  4 08:40:04 2018 us=116122 50.35.68.20:56038 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
> Sun Nov  4 08:40:04 2018 us=116160 50.35.68.20:56038 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
> Sun Nov  4 08:40:04 2018 us=116243 50.35.68.20:56038 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
> Sun Nov  4 08:40:04 2018 us=116263 50.35.68.20:56038 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
> RSun Nov  4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
> WRRWRSun Nov  4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> Sun Nov  4 08:40:04 2018 us=150331 50.35.68.20:56038 TLS_ERROR: BIO read tls_read_plaintext error
> Sun Nov  4 08:40:04 2018 us=150984 50.35.68.20:56038 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov  4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
> Sun Nov  4 08:40:04 2018 us=152357 50.35.68.20:56038 SIGUSR1[soft,tls-error] received, client-instance restarting
> 
> Obviously this was all working with 1.1.0 so something seems to have
> changed in the tls negotiation routines.
> 
> I can fix this in the client by adding the openssl command
> --tls-version-min 1.0, so it probably means, the way openvpn works, that
> the openssl version installed in openwrt has some strange TLS version
> < 1.0. But clearly openssl shouldn't error out when presented with
> lower ciphers; it should negotiate the mutually acceptable version.

Older versions of openvpn only support TLS 1.0 because they told
OpenSSL to only use TLS 1.0. Adding the --tls-version-min 1.0
should make it support all TLS versions since openvpn 2.3.4 or
something like that, and I think 2.4 or newer should just work.

But if you changed the openssl.cfg to say all versions are
supported, it should work too, I'm not sure why you say otherwise.


Kurt
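For readers hitting the same "unsupported protocol" error, the relevant setting is the system-wide default that Debian's openssl 1.1.1 package added to /etc/ssl/openssl.cnf, which raises the minimum protocol to TLS 1.2 and the security level to 2. The fragment below is added for illustration and is not quoted from this thread or from the package; it shows the shipped default as I know it (check your own /etc/ssl/openssl.cnf) next to the relaxed variant that lets a TLS 1.0-only client connect. Two caveats: the SSL_CONF protocol token is TLSv1, not TLSv1.0, and the system default applies to every program on the host that loads the default OpenSSL config, not just openvpn, so the relaxation should be reverted once the old client is upgraded.

```ini
# /etc/ssl/openssl.cnf, system-wide TLS defaults.
# The [system_default_sect] below is the shipped Debian 1.1.1 default; a
# client whose ClientHello offers only TLS 1.0 is rejected by a server using
# it with "tls_early_post_process_client_hello:unsupported protocol".
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

# Relaxed variant: replace the section above with this one to accept TLS 1.0
# and the weaker keys and signatures that security level 1 still allows.
# Only one [system_default_sect] may be active at a time.
#
# [system_default_sect]
# MinProtocol = TLSv1
# CipherString = DEFAULT@SECLEVEL=1
```

An application that sets its own minimum (as openvpn does with --tls-version-min) overrides the config file's MinProtocol for its own contexts, which is why the client-side flag in the report works independently of the server's openssl.cnf.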


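When triaging a server log after an OpenSSL upgrade it helps to separate clients that merely offer too old a TLS version from clients failing for other reasons, since only the first group is addressed by MinProtocol. The script below is an added example, not code from this thread or from openvpn: it parses OpenVPN's high-verbosity log lines (including the R/W packet markers glued to the front of some lines), splits the packed OpenSSL 1.1.x error code into its library, function and reason fields using the ERR_PACK layout from OpenSSL's err.h (8-bit lib, 12-bit func, 12-bit reason; ERR_LIB_SSL is 20), and labels each failure per peer. The first peer's lines are taken from the report above; the second peer (192.0.2.7) and its certificate error line are constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# OpenSSL 1.1.x packs an error as (lib << 24) | (func << 12) | reason, with an
# 8-bit library code and 12-bit function and reason codes. OpenSSL 3.x dropped
# function codes and uses a different layout, so this decoder is for the
# 1.1.x codes that the log in the report above shows.
ERR_LIB_SSL = 20  # ERR_LIB_SSL from OpenSSL's err.h ("SSL routines")


def decode_openssl_error(code):
    """Return (lib, func, reason) for a packed OpenSSL 1.1.x error code."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


# OpenVPN log format at high verbosity: optional R/W packet markers glued to
# the front, timestamp, microseconds, peer address, then the message.
LINE_RE = re.compile(
    r"^[RW]*(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(?P<us>\d+) "
    r"(?P<peer>[\d.]+:\d+) (?P<msg>.*)$"
)
OPENSSL_RE = re.compile(
    r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)


def parse_tls_failures(log_text):
    """Collect every OpenSSL error line per peer, with the code split into fields."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        e = OPENSSL_RE.search(m.group("msg"))
        if not e:
            continue
        code = int(e.group("code"), 16)
        lib, func, reason = decode_openssl_error(code)
        events[m.group("peer")].append({
            "code": code,
            "lib": lib,
            "func": func,
            "reason": reason,
            "from_libssl": lib == ERR_LIB_SSL,
            "func_name": e.group("func"),
            "reason_text": e.group("reason"),
        })
    return dict(events)


def classify(event):
    """Triage label for one decoded error.

    "unsupported protocol" raised while processing the ClientHello means the
    client offered only TLS versions below the server's minimum (in the report
    above: a TLS 1.0-only openvpn client against MinProtocol=TLSv1.2). That is
    a client-upgrade or policy question; other errors are not, and lowering
    MinProtocol would not help them.
    """
    if event["reason_text"] == "unsupported protocol" and "client_hello" in event["func_name"]:
        return "client-offers-too-old-tls"
    if "certificate" in event["reason_text"]:
        return "certificate-problem"
    return "other-tls-error"


def triage(log_text):
    """Map each peer to a Counter of triage labels."""
    return {
        peer: Counter(classify(ev) for ev in evs)
        for peer, evs in parse_tls_failures(log_text).items()
    }


# Sample input. The first peer's lines come from the bug report above; the
# second peer (192.0.2.7, a documentation address) and its error line are
# constructed here to show a failure that is not a version mismatch.
SAMPLE_LOG = """\
Sun Nov  4 08:40:04 2018 us=116122 50.35.68.20:56038 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
RSun Nov  4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
WRRWRSun Nov  4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Sun Nov  4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
Sun Nov  4 08:40:04 2018 us=152357 50.35.68.20:56038 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Nov  4 08:41:10 2018 us=301004 192.0.2.7:52233 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sun Nov  4 08:41:10 2018 us=302115 192.0.2.7:52233 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for peer, evs in parse_tls_failures(SAMPLE_LOG).items():
        for ev in evs:
            print(f"{peer}: lib={ev['lib']} func={ev['func']} reason={ev['reason']} "
                  f"-> {ev['func_name']}: {ev['reason_text']} [{classify(ev)}]")
```

For the report's line, 0x14209102 decodes to lib 20 (SSL routines), func 521 and reason 258, matching the names OpenSSL printed alongside it; the numeric fields are what you would match on in a detection rule, since the text form depends on the OpenSSL build's error strings.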
