On 25.12.2016 16:17, Magnus Kroken wrote:
Hi Martin
On 25.12.2016 14.23, Martin Blumenstingl wrote:
I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
can you tell if I ran into some corner case (the affected server was
using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
is a real problem?
Thanks for the report. In commit
732c24a0cac4293b058c99ff7867fd13a2670eca ("mbedtls: sync with polarssl
config") Felix enabled some mbedTLS config options for legacy OpenVPN
client compatibility, this one should probably have been enabled as
well. It might depend on other options as well, I don't know mbedTLS
well enough to if that is all that's missing. I'm unable to test this
at the moment, but I should be able to do some testing before the end
of the year.
Regards,
Martin
/Magnus
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
server:
OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
[PKCS11] [MH] [IPv6] built on Nov 3 2016
openvpn[21369]: x.x.x.x:41964 TLS: Initial packet from
[AF_INET]x.x.x.x:41964, sid=98739b91 7023f61a
openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming
plaintext read error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed
openvpn[21369]: x.x.x.x:41964 SIGUSR1[soft,tls-error] received,
client-instance restarting
removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch
client:
The certificate is signed with an unacceptable key (eg bad curve, RSA
too short). as per :
"mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys
will not be accepted, both local and from the peer."
and after the update of the keys:
Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384,
2048 bit key
regards
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev