Hi,

On Wed, Apr 23, 2014 at 11:36:28AM -0400, Timothe Litt wrote:
> Just to confirm that the issue is 1.2, not the negotiation:
>
> I added an unconditional
>     sslopt |= SSL_OP_NO_TLSv1_2;
> in tls_ctx_set_options.
>
> With this (and the context initialized to SSL_v23_*_method, so we
> negotiate), the tunnel comes up.
> Without it, the tunnel does not come up.
>
> So it is the use of 1.2 that is the issue, not how it is selected.
Thinking through this, while cycling home from $paidwork, I remembered
something I saw when debugging something similar ("if I enable TLS1.2,
things explode") last time.
From Perl's IO::Socket::SSL:
# older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
# http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
# http://guest:[email protected]/Ticket/Display.html?id=2771
# Debian works around this by disabling TLSv12 on the client side
# Chrome and IE11 use TLSv12 but use only a few ciphers, so that packet
# stays small enough
# The following list is taken from IE11, except that we don't do RC4-MD5,
# RC4-SHA is already bad enough. Also, we have a different sort order
# compared to IE11, because we put ciphers supporting forward secrecy on top
Now - does that sound like it could be the problem? The initial handshake
packet "under some conditions" (like: the local OpenSSL build having
more available ciphers, depending on how it was built) being too big,
causing "surprises"?
(This question is more geared towards James, Arne and Steffan :-) )
Timothe, on your failing setup, could you try putting some variations of
"--tls-cipher" in your openvpn.conf? I'm not really sure I understand
the variants, but "openvpn --show-tls" suggests that some of these might
work:

    tls-cipher AES128-SHA
    tls-cipher DHE-RSA-AES256-SHA

What does "openvpn --tls-cipher DEFAULT --show-tls" list on your systems
(or, phrased differently, if you have a system that does *not* fail on
TLS 1.2, does it show a shorter list)?
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]