
List:       openvpn-devel
Subject:    [Openvpn-devel] [PATCH] Add message explaining early TLS client hello failure
From:       Arne Schwabe <arne () rfc2549 ! org>
Date:       2018-09-26 11:56:41
Message-ID: e895e232-eadc-ef25-132f-fbaf3ffff1ab () rfc2549 ! org

On 26.09.18 at 08:52 Antonio Quartulli wrote:
> Hi,
> 
> On 26/09/18 06:19, Arne Schwabe wrote:
>> On 25.09.18 at 16:31 David Sommerseth wrote:
>>> On 25/09/18 14:48, Arne Schwabe wrote:
>>>> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
>>>> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
>>>> TLS 1.0 only without setting tls-version-min.
>>>>
>>>> We currently log only
>>>> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>>>> which indicates the right technical error but is not very helpful to a
>>>> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
>>>> history.
>>>>
>>>> This commit adds a hopefully helpful message and also tells users how
>>>> to fix the old Debian 8 clients.
>>>> ---
>>>>  src/openvpn/crypto_openssl.c | 10 +++++++++-
>>>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
>>>> index 9ec2048d..3360bb19 100644
>>>> --- a/src/openvpn/crypto_openssl.c
>>>> +++ b/src/openvpn/crypto_openssl.c
>>>> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>>>>                  "in common with the client. Your --tls-cipher setting might be "
>>>>                  "too restrictive.");
>>>>          }
>>>> -
>>>> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
>>>> +        {
>>>> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
>>>> +                 "indicates that client and server have no common TLS version enabled. "
>>>> +                 "This can be caused by mismatched tls-version-min and tls-version-max options "
>>>> +                 "on client and server. "
>>>> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
>>>> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");
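Review bot: the adjacent string literals in the new msg() call run together, so the logged text ends in "tls-version 1.1to the the configuration": the line ending `"...consider adding tls-version 1.1"` needs a trailing space, "the the" should be "the", and the double space in "older  consider" should be a single space. The option named in the message is also wrong: OpenVPN's option is `tls-version-min`, which the commit message itself uses, not `tls-version`. Since this text is printed on the side that rejects the ClientHello, it should say where the setting belongs, e.g. `"If your client is 2.3.6 or older, consider adding tls-version-min 1.1 to the client configuration to use TLS 1.1+ instead of TLS 1.0 only."`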
>>>
>>>
>>> Good advice in the log.  But should this be added in the local or remote
>>> configuration?  It is the 2.3.6 reference which makes it confusing for me,
>>> otherwise I would have interpreted this as the local side where this warning
>>> occurs.  So this could be clearer.
>>
>> 2.3.7 is the first version of OpenVPN which enables TLS 1.0+ instead of TLS
>> 1.0 only by default. See this commit by Steffan:
>>
>> https://github.com/OpenVPN/openvpn/commit/8dc6ed28941cb9b9167e0b466e96b5f11359eb59
>>
> 
> I think the problem is: we apply this patch to the latest 2.3.x release,
> so it will never appear on "2.3.6 or older" clients.
> Hence, does it really make sense to print that particular sentence?

This appears in the server log when a 2.3.6 client or older tries to
connect to a server that has OpenSSL 1.1.1.

I am not sure that OpenVPN 2.3.x has OpenSSL 1.1 support.

Arne
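The thread turns on telling, from the server log alone, which peers are failing the handshake because they only offer TLS 1.0 versus those failing for other reasons such as no shared cipher. The following is an added example of that triage, not code from the thread or from OpenVPN: it parses constructed OpenVPN server log lines, groups OpenSSL handshake errors by peer address and reason, and attaches the operator-facing explanation the patch is trying to provide. The log line layout (timestamp, `addr:port` peer tag, then the OpenSSL error string as quoted in the thread) and the sample addresses are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenVPN server log lines (not taken from the thread).
# The "addr:port" prefix mimics how OpenVPN tags per-peer messages during the
# TLS handshake; the exact layout is an assumption of this example.
SAMPLE_LOG = """\
Wed Sep 26 11:50:01 2018 203.0.113.10:49152 TLS: Initial packet from [AF_INET]203.0.113.10:49152
Wed Sep 26 11:50:01 2018 203.0.113.10:49152 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Wed Sep 26 11:50:01 2018 203.0.113.10:49152 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 26 11:50:05 2018 198.51.100.7:50000 TLS: Initial packet from [AF_INET]198.51.100.7:50000
Wed Sep 26 11:50:05 2018 198.51.100.7:50000 VERIFY OK: depth=0, CN=laptop-7
Wed Sep 26 11:51:30 2018 203.0.113.10:49160 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Wed Sep 26 11:52:00 2018 192.0.2.44:1194 OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

# Matches only OpenSSL "SSL routines" errors; everything else is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<peer>[\d.]+):\d+ "
    r"OpenSSL: error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+):(?P<reason>.+)$"
)

# Operator-facing explanations for the OpenSSL reason strings, in the spirit
# of the message the patch adds to crypto_print_openssl_errors().
EXPLANATIONS = {
    "unsupported protocol": (
        "client and server share no TLS version; OpenVPN 2.3.6 and older "
        "clients default to TLS 1.0 only unless tls-version-min is set on the client"
    ),
    "no shared cipher": (
        "client and server share no cipher suite; check --tls-cipher on both sides"
    ),
}


def classify(line):
    """Return (peer, reason) for an OpenSSL handshake error line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("peer"), m.group("reason")


def summarize(log_text):
    """Count handshake failures per peer address, keyed by OpenSSL reason."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            peer, reason = hit
            failures[peer][reason] += 1
    return failures


def report(log_text):
    """One line per (peer, reason) with the explanation an operator needs."""
    lines = []
    for peer, reasons in sorted(summarize(log_text).items()):
        for reason, n in reasons.most_common():
            hint = EXPLANATIONS.get(reason, "see the OpenSSL reason string")
            lines.append(f"{peer}: {n}x {reason} -> {hint}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running it on the constructed log lists 203.0.113.10 twice under "unsupported protocol" (a legacy TLS 1.0-only client) and 192.0.2.44 once under "no shared cipher", while the peer that completed VERIFY OK does not appear. Keying on the reason string rather than the hex error code keeps the classification stable across OpenSSL builds, whose numeric codes differ between versions.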




_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel