Hi,

On Fri, Oct 17, 2014 at 5:13 AM, jack seth <bird_...@hotmail.com> wrote:

> I have the following command in both the server and client configs
> 'tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'.  The server starts up
> fine with this so I think the server side is good.  Both are running
> Openvpn 2.3.4.  Server is linux on my router, client is on a Windows 7
> Ultimate laptop.  Running the --show-tls command on the server and the
> client show the cipher as available.  My client config connects fine with
> the 'tls-cipher' command commented out.  Here is a portion of the client
> log:
>
> Thu Oct 16 22:10:09 2014 TLS_ERROR: BIO read tls_read_plaintext error:
> error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
> Thu Oct 16 22:10:09 2014 TLS Error: TLS object -> incoming plaintext read
> error
> Thu Oct 16 22:10:09 2014 TLS Error: TLS handshake failed
>

SHA256 digests are only supported by TLSv1.2, whereas OpenVPN by default
only does TLSv1.0 (because quite some corner cases break when enabling 1.2,
work-in-progress). To enable TLSv1.2, add 'tls-version-min 1.0' to both
server and client config file.

On a final note, tls-cipher is an expert feature for people who really know
what they're doing and how OpenSSL reacts to specifying tls ciphers. Not
properly understanding what it does might result in a *less* secure
connection. Note that OpenVPN does not 'fall back' to insecure TLS/SSL
versions when the connection fails, like browsers do, and thus is not
vulnerable to typical TLS/SSL fallback attacks. Furthermore, protecting
your TLS handshake using tls-auth (see man page) protects you against
attacks on the TLS implementation. Given these facts, it is almost always
wiser to let OpenSSL decide on the tls cipher to use.

-Steffan
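As an added example (not code from either poster), a small Python checker for the situation in this thread: it parses an OpenVPN config fragment modelled on the one described, flags a tls-cipher line that pins a TLS 1.2-only suite while tls-version-min is absent (the default on OpenVPN 2.3 then offers TLS 1.0 only, as the reply explains), notes a missing tls-auth, and recognises the 'no ciphers available' ClientHello error in a log. The config, hostname and log lines are constructed for the example.

```python
import re

# Constructed client config modelled on the thread (not a real file): a
# TLS 1.2-only suite is pinned while tls-version-min and tls-auth are absent.
CLIENT_CONF = """\
client
remote vpn.example.invalid 1194
dev tun
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""
# Constructed log lines in the shape the thread shows.
CLIENT_LOG = """\
Thu Oct 16 22:10:09 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
Thu Oct 16 22:10:09 2014 TLS Error: TLS handshake failed
"""
# Suite names ending in SHA256/SHA384 (SHA-2 MAC/PRF, AEAD) exist only in TLS 1.2.
TLS12_ONLY = re.compile(r"(SHA256|SHA384)$")

def parse_conf(text):
    """Map each OpenVPN option to its list of values; '#'/';' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, val = line.partition(" ")
        opts.setdefault(key, []).append(val.strip())
    return opts

def check_tls_options(text):
    """Return findings for tls-cipher vs. tls-version-min, and a missing tls-auth."""
    opts = parse_conf(text)
    findings = []
    suites = [s for v in opts.get("tls-cipher", []) for s in v.split(":")]
    tls12 = [s for s in suites if TLS12_ONLY.search(s)]
    if tls12 and "tls-version-min" not in opts:
        findings.append("tls-cipher pins TLS 1.2-only suite(s) %s but tls-version-min "
                        "is unset; OpenVPN 2.3 then offers TLS 1.0 only" % ", ".join(tls12))
    if "tls-auth" not in opts:
        findings.append("tls-auth is unset; the TLS handshake accepts packets "
                        "from unauthenticated peers")
    return findings

def explain_handshake_error(log):
    """Hint for the 'no ciphers available' ClientHello error, else None."""
    if "no ciphers available" not in log:
        return None
    return ("ClientHello offered no usable suite: the tls-cipher list needs a "
            "TLS version the client is not offering; check tls-version-min")
```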
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
