Re: [LEDE-DEV] [PATCH RFC 1/2] openvpn: update to 2.4_rc2

Tue, 27 Dec 2016 08:41:24 -0800 

On 25.12.2016 16:17, Magnus Kroken wrote:

Hi Martin

On 25.12.2016 14.23, Martin Blumenstingl wrote:

I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

can you tell if I ran into some corner case (the affected server was
using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
is a real problem?
Thanks for the report. In commit 732c24a0cac4293b058c99ff7867fd13a2670eca ("mbedtls: sync with polarssl config") Felix enabled some mbedTLS config options for legacy OpenVPN client compatibility, this one should probably have been enabled as well. It might depend on other options as well, I don't know mbedTLS well enough to if that is all that's missing. I'm unable to test this at the moment, but I should be able to do some testing before the end of the year. 


Regards,
Martin



/Magnus

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev


server:
OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 3 2016
openvpn[21369]: x.x.x.x:41964 TLS: Initial packet from [AF_INET]x.x.x.x:41964, sid=98739b91 7023f61a openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher 
openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming plaintext read error 
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed
openvpn[21369]: x.x.x.x:41964 SIGUSR1[soft,tls-error] received, client-instance restarting 

removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch


client:
The certificate is signed with an unacceptable key (eg bad curve, RSA too short). as per :
"mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will not be accepted, both local and from the peer." 

and after the update of the keys:
Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key 


regards


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Reply via email to