Ciao kp, many thanks for your suggestions
I have found that on our OpenSuSE x64 openvpn concentrator we have two packages that have different version related to [2] note; here the difference: openssl-0.9.8k-3.14.1.x86_64 libopenssl0_9_8-0.9.8k-3.14.1.x86_64 There seem to be more recent that v. 3.5.3 that are quoted in [2], so i think that our system is patched correctly. Looking for these packages on the update repository http://download.opensuse.org/update/11.2/, I can see that they are the last distributed version. I have also checked our BUC 3.1 version than correctly connect to the vpn concentrator and o have found that the libssl package is version 0.9.7l. Now i will try to install a BUC 3.1 version so I will check the openvpn client configuration from our office Do you think that our problem is related to a wrong openvpn configuration on our BUC 4.3.3? I have checked it many times looking for a mistake, but I cannot find it :-( Thanks Graziano Il 24/01/2013 18.38, KP Kirchdoerfer ha scritto: > Ciao Graziano > > Am 24.01.2013 10:42, schrieb Graziano Brioschi: >> Hello list >> >> i have a problem using openvpn on a BUC 4.3.3 installed on a PC Engines >> ALIX (cpu geode); here some messages from daemon.log when I try to >> establish my openvpn connection: >> >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: OpenVPN 2.2.2 >> i386-pc-linux-gnu [SSL] [EPOLL] [eurephia] built on Dec 28 2012 >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: NOTE: the >> current --script-security setting may allow this configuration to call >> user-defined script >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Control Channel >> MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ] >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Socket Buffers: >> R=[112640->131072] S=[112640->131072] >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Data Channel MTU >> parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ] >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link >> local: [undef] >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link >> remote: 172.32.1.1:1194 >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS: Initial >> packet from 172.32.1.1:1194, sid=da260a78 02a799a2 >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS_ERROR: BIO >> read tls_read_plaintext error: error:14092073:SSL >> routines:SSL3_GET_SERVER_HELLO:bad* >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS >> object -> incoming plaintext read error* >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS >> handshake failed* >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TCP/UDP: Closing >> socket >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: >> SIGUSR1[soft,tls-error] received, process restarting >> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: Restart pause, 2 >> second(s) >> >> >> My openvpn server is a OpenSuSE 11.2 with openvpn 2.1.0 and openssl >> 0.9.8; the same machine is an openvpn server for many Windows clients an >> a BUC 3.1 client with no problems (it is in production since early 2009) >> >> I have tried to search on google about the TSL BIO error and it seems to >> be an openssl bug: give a look here >> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=538456 >> https://bugzilla.redhat.com/show_bug.cgi?id=537962 > I read it as security issue [1]. > >> Someone have some suggestions? Or I must install an old BUC version? >> Upgrading the OpenSUSE 11.2 vpn concentrator is not an option :-( ! > Can you confirm that your OpenSuse 11.2 vpn concentrator has received > the security updates? [2] > > kp > > > > [1] from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 > "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as > used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in > the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS > 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and > earlier, multiple Cisco products, and other products, does not properly > associate renegotiation handshakes with an existing connection, which > allows man-in-the-middle attackers to insert data into HTTPS sessions, > and possibly other types of sessions protected by TLS or SSL, by sending > an unauthenticated request that is processed retroactively by a server > in a post-renegotiation context, related to a "plaintext injection" > attack, aka the "Project Mogul" issue. " > > [2] > http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. ON SALE this month only -- learn more at: > http://p.sf.net/sfu/learnnow-d2d > ------------------------------------------------------------------------ > leaf-user mailing list: leaf-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/leaf-user > Support Request -- http://leaf-project.org/ -- Graziano Brioschi Outland s.a.s. sede operativa: Via A. Don Rocca, 13 20030, Senago (MI) tel: 02 9948 6014 mobile: 328 8382622 email: graziano.brios...@outland.it --> U4E <-- ------------------------------------------------------------------------------ Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON SALE this month only -- learn more at: http://p.sf.net/sfu/learnnow-d2d ------------------------------------------------------------------------ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
