[Bug 1385851] Re: OpenVPN only supports TLS v1.0
Haw Loeung
1385851 at bugs.launchpad.net
Wed Aug 26 01:36:29 UTC 2015
Any chance we could backport support for TLS v1.1+ to Trusty LTS?
** Description changed:
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able
to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN
2.3.3 and replaces TLSv1_server_method() calls with
SSLv23_server_method() and TLSv1_client_method() with
SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
For example, when OpenVPN tls-ciphers is configured with TLS v1.2
ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs show negotiation at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
When only TLS v1.1 and/or v1.2 ciphers are specified, sessions fail:
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
| Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f
Could we please consider either packaging >= 2.3.3 or backporting this
patch?
Thanks,
Haw
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1385851
Title:
OpenVPN only supports TLS v1.0
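The failure in the report comes from a mismatch between the cipher suites named in `tls-cipher` and the highest TLS version the OpenSSL method allows: AEAD (GCM) and SHA-2 HMAC suites exist only in TLS 1.2, so a stack capped at TLS 1.0 by `TLSv1_server_method()` can use just one of the four configured suites, and none at all once the CBC-SHA suite is removed. The following script is an added example, not code from the bug report or from the OpenVPN project; it classifies the suites in a `tls-cipher` directive by the minimum TLS version they need and flags the two log patterns from the report (a control channel negotiated below policy, and a client hello rejected with "no ciphers available"). The log lines and policy threshold are constructed from the report for illustration.

```python
import re

# AEAD and SHA-2 HMAC suites were introduced with TLS 1.2 (RFC 5246, RFC 5288);
# anything else in OpenVPN's IANA-style tls-cipher names is available under TLS 1.0.
TLS12_ONLY_MARKERS = ("GCM", "CCM", "CHACHA20", "SHA256", "SHA384")

VERSION_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def suite_min_version(suite):
    """Return the lowest TLS version at which an IANA-style suite name can be negotiated."""
    return "TLSv1.2" if any(m in suite for m in TLS12_ONLY_MARKERS) else "TLSv1.0"


def parse_tls_cipher(directive):
    """Split a 'tls-cipher A:B:C' line into suite names, tolerating wrapped whitespace."""
    body = directive.split(None, 1)[1] if directive.startswith("tls-cipher") else directive
    return [s for s in re.sub(r"\s+", "", body).split(":") if s]


def usable_suites(suites, max_version):
    """Suites from the list that a stack capped at max_version can actually offer."""
    cap = VERSION_ORDER[max_version]
    return [s for s in suites if VERSION_ORDER[suite_min_version(s)] <= cap]


# OpenSSL prints TLS 1.0 as plain "TLSv1"; later versions carry a minor number.
CONTROL_RE = re.compile(r"Control Channel: (?P<ver>TLSv1(?:\.\d)?), cipher (?P<cipher>\S+ [^,\s]+)")
NO_CIPHERS_RE = re.compile(r"no ciphers available")


def assess_log(lines, min_version="TLSv1.2"):
    """Return findings for control-channel sessions below policy and for rejected client hellos."""
    findings = []
    for line in lines:
        m = CONTROL_RE.search(line)
        if m:
            ver = "TLSv1.0" if m.group("ver") == "TLSv1" else m.group("ver")
            if VERSION_ORDER[ver] < VERSION_ORDER[min_version]:
                findings.append(
                    f"negotiated {ver} below policy {min_version} with {m.group('cipher')}"
                )
        elif NO_CIPHERS_RE.search(line):
            findings.append(
                "client hello rejected: no configured tls-cipher suite is usable "
                "at the TLS version the stack offers"
            )
    return findings


# Constructed sample input, taken from the values quoted in the bug report.
SAMPLE_DIRECTIVE = (
    "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-"
    "AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-"
    "AES-128-CBC-SHA"
)
SAMPLE_LOG = [
    "Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext "
    "error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available",
    "Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed",
    "Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, "
    "cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA",
]

if __name__ == "__main__":
    suites = parse_tls_cipher(SAMPLE_DIRECTIVE)
    for s in suites:
        print(f"{s}: needs {suite_min_version(s)}")
    print("usable at TLSv1.0:", usable_suites(suites, "TLSv1.0"))
    for finding in assess_log(SAMPLE_LOG):
        print("finding:", finding)
```

Run against the report's own directive, the script shows that only `TLS-DHE-RSA-WITH-AES-128-CBC-SHA` survives a TLS 1.0 cap, which is exactly the `DHE-RSA-AES128-SHA` suite the control-channel log line records; dropping that suite leaves an empty offer, producing the `no ciphers available` error. The same check can be pointed at any `tls-cipher` line and syslog extract to confirm a deployment negotiates at or above the intended version.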