Hello Bernhard,

Sorry for my late reply.

The XG550 is running firmware "SFOS 17.5.14 MR-14-1". It fell out of
support at the end of 2021. I was in discussion with our network guys to
upgrade the firmware to the latest version. As these Sophos XGs are running
in HA mode and cost 40k each, we can't do this without proper testing
etc. So we plan to replace them with brand new Fortinets in the IDC.
Sophos tech support couldn't give us any hint whether this could be fixed
in the 17.5 FW release, as it's not under support anymore.

I couldn't see any information regarding new TLS encryption functions
in the 18.x FW release, but I guess they fixed it. I could reply in 2-3
months once we have the Fortinets in place and properly configured.

One thing is very strange here. The Windows OpenVPN client in version
2.6 works fine compared to the Linux client. So there might be something
else in the client source code?

I guess we can close this ticket for the moment?

Best regards,
Henrik


On Mon, 30 May 2022 11:18:41 +0200 Bernhard Schmidt <be...@debian.org>
wrote:
> Control: tags -1 moreinfo
> 
> Hi Henrik,
> 
> > The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> > won't connect due to TLS errors during connection attempts.
> > Only downgrade to version '2.5.6-1' solves the issue.
> 
> Have you followed up on the multiple warnings and notes from the log?
> 
> 2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
> OpenVPN ignores --cipher for cipher negotiations.
> 
> 2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically 
> indicates that client and server have no common TLS version enabled. 
> This can be caused by mismatched tls-version-min and tls-version-max 
> options on client and server. If your OpenVPN client is between v2.3.6
> and v2.3.2 try adding tls-version-min 1.0 to the client configuration to
> use TLS 1.0+ instead of TLS 1.0 only
> 2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
> 
> Please also check up on all items in 
> https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst .
> 
>  From your working log
> 
> 2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA,
> peer certificate: 2048 bit RSA, signature: RSA-SHA256
> 
> TLSv1 means TLSv1.0 means very very deprecated.
> 
> > 
> > I had to blur some characters like IP addresses. Destination is Sophos UTM
> > Appliances.
> 
> Is that Sophos up to date?
> 
> Bernhard
> 
> 

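As an added example (not part of the thread, and not code from OpenVPN, Debian or either reporter), here is a small Python triage script that reads the OpenVPN client log lines Bernhard quoted above and turns them into findings and candidate client-config directives. The sample text is copied from the posted failing and working logs with the e-mail line wrapping undone, embedded so the script runs offline. The `tls-version-min 1.0` and `data-ciphers` suggestions come straight from the quoted log messages; the `tls-cipher "DEFAULT:@SECLEVEL=0"` suggestion is this example's own assumption about an OpenSSL 3 build (which the `0A000102` error format indicates), not something the thread establishes.

```python
"""Triage an OpenVPN client log for the TLS-negotiation failures seen in this
bug report.  Added example; not code from OpenVPN, Debian or the reporters."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the failing (2.6 git) log quoted in the report.
FAILING_LOG = """\
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
"""

# Line copied from the working (2.5.6) log quoted in the report.
WORKING_LOG = """\
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
"""

DEPRECATED_CIPHER_RE = re.compile(
    r"DEPRECATED OPTION: --cipher set to '(?P<cipher>[^']+)' but missing in "
    r"--data-ciphers \((?P<data_ciphers>[^)]+)\)")
UNSUPPORTED_PROTO_RE = re.compile(r"TLS error: Unsupported protocol")
OPENSSL_ERR_RE = re.compile(r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):")
CONTROL_CHANNEL_RE = re.compile(
    r"Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ (?P<suite>[^,\s]+)")

# OpenSSL 3 packs ERR_LIB_SSL (20) into the top byte: 0x0A000102 is
# SSL_R_UNSUPPORTED_PROTOCOL (258) in that format.
OPENSSL3_UNSUPPORTED_PROTOCOL = "0A000102"


@dataclass
class Diagnosis:
    deprecated_cipher: Optional[str] = None
    data_ciphers: List[str] = field(default_factory=list)
    unsupported_protocol: bool = False
    openssl_error_codes: List[str] = field(default_factory=list)
    control_tls_version: Optional[str] = None
    control_cipher_suite: Optional[str] = None
    findings: List[str] = field(default_factory=list)
    suggested_directives: List[str] = field(default_factory=list)


def diagnose(log_text: str) -> Diagnosis:
    """Scan the log, then map what was seen to findings and config directives."""
    d = Diagnosis()
    for line in log_text.splitlines():
        m = DEPRECATED_CIPHER_RE.search(line)
        if m:
            d.deprecated_cipher = m.group("cipher")
            d.data_ciphers = m.group("data_ciphers").split(":")
            continue
        if UNSUPPORTED_PROTO_RE.search(line):
            d.unsupported_protocol = True
            continue
        m = OPENSSL_ERR_RE.search(line)
        if m:
            d.openssl_error_codes.append(m.group("code").upper())
            continue
        m = CONTROL_CHANNEL_RE.search(line)
        if m:
            d.control_tls_version = m.group("tls")
            d.control_cipher_suite = m.group("suite")

    if d.deprecated_cipher and d.deprecated_cipher not in d.data_ciphers:
        # With cipher negotiation the client only offers --data-ciphers, so a
        # server that speaks only the old --cipher cannot agree on a data cipher.
        d.findings.append(
            f"--cipher {d.deprecated_cipher} is ignored for negotiation; "
            f"it is not in --data-ciphers ({':'.join(d.data_ciphers)})")
        d.suggested_directives.append(
            "data-ciphers " + ":".join(d.data_ciphers + [d.deprecated_cipher]))
    if d.unsupported_protocol:
        d.findings.append("no common TLS version with the server "
                          "(check tls-version-min / tls-version-max)")
        d.suggested_directives.append("tls-version-min 1.0")  # as the log itself suggests
        if OPENSSL3_UNSUPPORTED_PROTOCOL in d.openssl_error_codes:
            # Assumption (not established in the thread): an OpenSSL 3 build also
            # refuses TLS < 1.2 at its default security level, so tls-version-min
            # alone may not be enough; SECLEVEL=0 re-enables it (a downgrade).
            d.findings.append("OpenSSL 3 build; security level may also have "
                              "to be lowered before TLS 1.0 is accepted")
            d.suggested_directives.append('tls-cipher "DEFAULT:@SECLEVEL=0"')
    if d.control_tls_version == "TLSv1":
        d.findings.append(
            f"control channel negotiated TLS 1.0 ({d.control_cipher_suite}); "
            "deprecated protocol version, fix on the server side")
    return d


if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        result = diagnose(text)
        print(f"== {name} log ==")
        for finding in result.findings:
            print("finding:", finding)
        for directive in result.suggested_directives:
            print("suggest:", directive)
```

Note that the working log still yields a finding: the 2.5.6 client only "works" because it accepts a TLS 1.0 control channel, so the directives the script suggests for the 2.6 client are a compatibility downgrade to match the appliance, not a fix for the appliance itself.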