Hi all, I'm using openvpn with certificates based on elliptic curves form the brainpoolP256r1 group. This works fine if the server and the clients run with debian as operating system.
If I try to connect with a client based on windows or centos using the same client.conf, the handshake fails and the server logs show the following: TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive. If I compare the ClientHello messages, the client in debian lists the brainpoolP256r1 in the Supported Group section, while the client on windows and centos do not. (See below). My question: Why does debian send this extended list of supported groups compared to the other operating systems? Are there special compile options for openvpn or openssl? Cient Hello from debian client: Frame 705: 259 bytes on wire (2072 bits), 259 bytes captured (2072 bits) on interface 0 Linux cooked capture Internet Protocol Version 4, Src: 192.168.6.98, Dst: 85.214.151.228 User Datagram Protocol, Src Port: 34738, Dst Port: 1195 OpenVPN Protocol Type: 0x20 [opcode/key_id] Session ID: 14706474520384368533 HMAC: 0b512424d819d4af7226e2a34ce3dc13a2cc52ba Packet-ID: 3 Net Time: Apr 5, 2019 11:42:18.000000000 CEST Message Packet-ID Array Length: 0 Message Packet-ID: 1 Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 168 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 164 Version: TLS 1.2 (0x0303) Random: d73e15ad7f9e70417b5c1b9d672bfdb0091c830c52687ab1... Session ID Length: 0 Cipher Suites Length: 42 Cipher Suites (21 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 81 Extension: ec_point_formats (len=4) Type: ec_point_formats (11) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: supported_groups (len=28) Type: supported_groups (10) Length: 28 Supported Groups List Length: 26 Supported Groups (13 groups) Supported Group: secp256r1 (0x0017) Supported Group: secp521r1 (0x0019) Supported Group: brainpoolP512r1 (0x001c) Supported Group: brainpoolP384r1 (0x001b) Supported Group: secp384r1 (0x0018) Supported Group: brainpoolP256r1 (0x001a) Supported Group: secp256k1 (0x0016) Supported Group: sect571r1 (0x000e) Supported Group: sect571k1 (0x000d) Supported Group: sect409k1 (0x000b) Supported Group: sect409r1 (0x000c) Supported Group: sect283k1 (0x0009) Supported Group: sect283r1 (0x000a) Extension: signature_algorithms (len=32) Type: signature_algorithms (13) Length: 32 Signature Hash Algorithms Length: 30 Signature Hash Algorithms (15 algorithms) Signature Algorithm: rsa_pkcs1_sha512 (0x0601) Signature Algorithm: SHA512 DSA (0x0602) Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) Signature Algorithm: rsa_pkcs1_sha384 (0x0501) Signature Algorithm: SHA384 DSA (0x0502) Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) Signature Algorithm: rsa_pkcs1_sha256 (0x0401) Signature Algorithm: SHA256 DSA (0x0402) Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) Signature Algorithm: SHA224 RSA (0x0301) Signature Algorithm: SHA224 DSA (0x0302) Signature Algorithm: SHA224 ECDSA (0x0303) Signature Algorithm: rsa_pkcs1_sha1 (0x0201) Signature Algorithm: SHA1 DSA (0x0202) Signature Algorithm: ecdsa_sha1 (0x0203) Extension: heartbeat (len=1) Type: heartbeat (15) Length: 1 Mode: Peer allowed to send requests (1) Client Hello form centos: Frame 15: 363 bytes on wire (2904 bits), 363 bytes captured (2904 bits) on interface 0 Linux cooked capture Internet Protocol Version 4, Src: 10.22.34.251, Dst: 85.214.151.228 User Datagram Protocol, Src Port: 39698, Dst Port: 1195 OpenVPN Protocol Type: 0x20 [opcode/key_id] Session ID: 2308148950700197312 HMAC: 9cb07c249c950a4be0bc55b6dbe8eeadf11d2115 Packet-ID: 3 Net Time: Apr 5, 2019 11:34:18.000000000 CEST Message Packet-ID Array Length: 0 Message Packet-ID: 2 Secure Sockets Layer TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 272 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 268 Version: TLS 1.2 (0x0303) Random: 203486018ca6df89afd735e86e3e540797da8b737373f73b... Session ID Length: 32 Session ID: 2165bba4bf1a54e8461d28abab61593c216587d6afc33a45... Cipher Suites Length: 50 Cipher Suites (25 suites) Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 145 Extension: ec_point_formats (len=4) Type: ec_point_formats (11) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: supported_groups (len=12) Type: supported_groups (10) Length: 12 Supported Groups List Length: 10 Supported Groups (5 groups) Supported Group: x25519 (0x001d) Supported Group: secp256r1 (0x0017) Supported Group: x448 (0x001e) Supported Group: secp521r1 (0x0019) Supported Group: secp384r1 (0x0018) Extension: encrypt_then_mac (len=0) Type: encrypt_then_mac (22) Length: 0 Extension: extended_master_secret (len=0) Type: extended_master_secret (23) Length: 0 Extension: signature_algorithms (len=48) Type: signature_algorithms (13) Length: 48 Signature Hash Algorithms Length: 46 Signature Hash Algorithms (23 algorithms) Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) Signature Algorithm: ed25519 (0x0807) Signature Algorithm: ed448 (0x0808) Signature Algorithm: rsa_pss_pss_sha256 (0x0809) Signature Algorithm: rsa_pss_pss_sha384 (0x080a) Signature Algorithm: rsa_pss_pss_sha512 (0x080b) Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) Signature Algorithm: rsa_pss_rsae_sha384 (0x0805) Signature Algorithm: rsa_pss_rsae_sha512 (0x0806) Signature Algorithm: rsa_pkcs1_sha256 (0x0401) Signature Algorithm: rsa_pkcs1_sha384 (0x0501) Signature Algorithm: rsa_pkcs1_sha512 (0x0601) Signature Algorithm: SHA224 ECDSA (0x0303) Signature Algorithm: ecdsa_sha1 (0x0203) Signature Algorithm: SHA224 RSA (0x0301) Signature Algorithm: rsa_pkcs1_sha1 (0x0201) Signature Algorithm: SHA224 DSA (0x0302) Signature Algorithm: SHA1 DSA (0x0202) Signature Algorithm: SHA256 DSA (0x0402) Signature Algorithm: SHA384 DSA (0x0502) Signature Algorithm: SHA512 DSA (0x0602) Extension: supported_versions (len=9) Type: supported_versions (43) Length: 9 Supported Versions length: 8 Supported Version: TLS 1.3 (0x0304) Supported Version: TLS 1.2 (0x0303) Supported Version: TLS 1.1 (0x0302) Supported Version: TLS 1.0 (0x0301) Extension: psk_key_exchange_modes (len=2) Type: psk_key_exchange_modes (45) Length: 2 PSK Key Exchange Modes Length: 1 PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1) Extension: key_share (len=38) Type: key_share (51) Length: 38 Key Share extension Client Key Share Length: 36 Key Share Entry: Group: x25519, Key Exchange length: 32 Group: x25519 (29) Key Exchange Length: 32 Key Exchange: 124262e4a4b5f7b4f246036c7ae598f7d8bad27b2cb1f2f3... client.conf: ############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-2 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) user nobody group nogroup # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert client.crt key client.key # Verify server certificate by checking that the # certicate has the correct key usage set. # This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the keyUsage set to # digitalSignature, keyEncipherment # and the extendedKeyUsage to # serverAuth # EasyRSA can do this for you. #remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. tls-auth ta-cls.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. # Note that 2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20 # Parses DHCP options from openvpn to update resolv.conf up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf script-security 2 Greetings Dominik
