Package: openvpn
Version: 2.5.6-1
Severity: important

Dear Debian OpenVPN Maintainer,

This is a pretty serious bug as it breaks the usage of VPN. The latest version of OpenVPN in the Debian/SID repo, '2.6.0~git20220518+dco-1', won't connect due to TLS errors during connection attempts. Only a downgrade to version '2.5.6-1' solves the issue. I had to blur some characters like IP addresses. Destination is Sophos UTM Appliances. I attached a text file which compares both outputs of each release.

Best regards,
Henrik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  iproute2               5.17.0-2
ii  libc6                  2.33-7
ii  liblz4-1               1.9.3-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.4.0-13
ii  libpkcs11-helper1      1.28-1+b1
ii  libssl1.1              1.1.1o-1
ii  libsystemd0            251.1-1
ii  lsb-base               11.2

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl                   3.0.3-5
pn  openvpn-systemd-resolved  <none>
pn  resolvconf                <none>

-- debconf information:
  openvpn/create_tun: false
Output latest OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' in repo - This version doesn't connect to destination !

root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn
2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2022-05-29 19:07:47 Cannot find ovpn_dco netlink component: Object not found
2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
🔐 Enter Auth Password: ******
2022-05-29 19:08:08 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443
2022-05-29 19:08:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:08 Attempting to establish TCP connection with [AF_INET]*********:8443
2022-05-29 19:08:08 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:08:08 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:08 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:08 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*********.35:8443, sid=2a3742bf 758117bf
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server.
If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:08 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:08 TLS Error: TLS handshake failed
2022-05-29 19:08:08 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:08 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:08 Restart pause, 5 second(s)
2022-05-29 19:08:13 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443
2022-05-29 19:08:13 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:13 Attempting to establish TCP connection with [AF_INET]*********:8443
2022-05-29 19:08:13 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:08:13 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:13 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:13 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:08:13 TLS: Initial packet from [AF_INET]*********:8443, sid=eceadd8a 6679da5c
2022-05-29 19:08:13 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server.
If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:13 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:13 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:13 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:13 TLS Error: TLS handshake failed
2022-05-29 19:08:13 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:13 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:13 Restart pause, 5 second(s)

Output OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' - This version connects just fine to destination !

root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn
2022-05-29 19:13:41 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-29 19:13:41 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-05-29 19:13:41 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 20 2022
2022-05-29 19:13:41 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
🔐 Enter Auth Password: ****************
2022-05-29 19:14:09 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443
2022-05-29 19:14:09 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:14:09 Attempting to establish TCP connection with [AF_INET]*********:8443 [nonblock]
2022-05-29 19:14:09 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:14:09 TCP_CLIENT link local: (not bound)
2022-05-29 19:14:09 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:14:09 TLS: Initial packet from [AF_INET]*********:8443, sid=35f93a56 414d6e12
2022-05-29 19:14:09 VERIFY OK: depth=1, C=DE, ST=*********, L=*********, O=*********, OU=OU, CN=Sophos_CA_C51028TQFXXK621, emailAddress=*********
2022-05-29 19:14:09 VERIFY X509NAME OK: C=DE, ST=*********, L=*********, O=*********, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, emailAddress=*********
2022-05-29 19:14:09 VERIFY OK: depth=0, C=DE, ST=MV, L=Schwerin, O=Datagroup Bremen, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, emailAddress=*********
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-05-29 19:14:10 [SophosApplianceCertificate_C51028TQFXXK621] Peer Connection Initiated with [AF_INET]*********:8443
2022-05-29 19:14:11 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 'PUSH_REQUEST' (status=1)
2022-05-29 19:14:16 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 'PUSH_REQUEST' (status=1)
2022-05-29 19:14:16 PUSH: Received control message: 'PUSH_REPLY,route-gateway ......

Couldn't find any similar up2date bug reports via Google related to OpenVPN on Debian/SID.

Greetings,
Henrik
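An added example, not part of the bug report: a small Python triage script over the decisive lines of the two runs above. It extracts the OpenVPN and OpenSSL versions, the control-channel protocol the 2.5.6 run negotiated, and the unsupported-protocol failure of the 2.6 run, and flags that the "working" client only succeeded by accepting TLSv1. The TLS 1.2 policy floor is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the decisive lines copied from the two client runs above
# (remote addresses stay masked with asterisks, as in the original report).
LOG_2_6 = """\
2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
"""
LOG_2_5 = """\
2022-05-29 19:13:41 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 20 2022
2022-05-29 19:13:41 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
"""

TLS_ORDER = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}
POLICY_FLOOR = "TLSv1.2"  # assumed local policy; TLS 1.0/1.1 are deprecated (RFC 8996)

@dataclass
class Triage:
    openvpn: str | None = None
    openssl: str | None = None
    negotiated: str | None = None  # control-channel TLS version, if the handshake completed
    cipher: str | None = None
    handshake_failed: bool = False
    findings: list[str] = field(default_factory=list)

def triage(log: str) -> Triage:
    t = Triage()
    for line in log.splitlines():
        body = line[20:]  # drop the "YYYY-MM-DD HH:MM:SS " prefix OpenVPN prints
        if m := re.match(r"OpenVPN (\S+) ", body):
            t.openvpn = m.group(1)
        elif m := re.match(r"library versions: OpenSSL (\S+)", body):
            t.openssl = m.group(1)
        elif m := re.match(r"Control Channel: (TLSv[\d.]+), cipher ([^,]+)", body):
            t.negotiated, t.cipher = m.group(1), m.group(2)
        elif "unsupported protocol" in body.lower():
            t.handshake_failed = True
    if t.handshake_failed:  # OpenSSL 3.x refuses TLS 1.0/1.1 at its default security level
        t.findings.append(f"handshake failed with OpenVPN {t.openvpn} / OpenSSL {t.openssl}: "
                          "no common TLS version, the server side must offer TLS 1.2 or newer")
    if t.negotiated and TLS_ORDER.get(t.negotiated, 0) < TLS_ORDER[POLICY_FLOOR]:
        t.findings.append(f"control channel negotiated {t.negotiated} ({t.cipher}), below the "
                          f"{POLICY_FLOOR} floor: this client only connects by accepting legacy TLS")
    return t
```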