Thanks for the reply. That fixed my problem. However, I have another problem.
I can't connect using the 'mute-replay-warnings' setting. I have tried it in
the server & client config files and just the client config file and the client
won't connect. Actually, it looks like it doesn't even get started. The
screen is blank with no text at all. Can this be fixed or is it some kind of
bug?

From: stef...@karger.me
Date: Fri, 17 Oct 2014 09:33:56 +0200
Subject: Re: [Openvpn-users] Help me figure out how to use tls-cipher
To: bird_...@hotmail.com
CC: openvpn-users@lists.sourceforge.net

Hi,

On Fri, Oct 17, 2014 at 5:13 AM, jack seth <bird_...@hotmail.com> wrote:
I have the following command in both the server and client configs 'tls-cipher
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'. The server starts up fine with this so I
think the server side is good. Both are running Openvpn 2.3.4. Server is
linux on my router, client is on a Windows 7 Ultimate laptop. Running the
--show-tls command on the server and the client show the cipher as available.
My client config connects fine with the 'tls-cipher' command commented out.
Here is a portion of the client log:

Thu Oct 16 22:10:09 2014 TLS_ERROR: BIO read tls_read_plaintext error:
error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
Thu Oct 16 22:10:09 2014 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 16 22:10:09 2014 TLS Error: TLS handshake failed

SHA256 digests are only supported by TLSv1.2, whereas OpenVPN by default only
does TLSv1.0 (because quite some corner cases break when enabling 1.2,
work-in-progress). To enable TLSv1.2, add 'tls-version-min 1.0' to both server
and client config file.

On a final note, tls-cipher is an expert feature for people who really know
what they're doing and how OpenSSL reacts to specifying tls ciphers. Not
properly understanding what it does might result in a *less* secure connection.
Note that OpenVPN does not 'fall back' to insecure TLS/SSL versions when the
connection fails, like browsers do, and thus is not vulnerable to typical
TLS/SSL fallback attacks. Furthermore, protecting your TLS handshake using
tls-auth (see man page) protects you against attacks on the TLS implementation.
Given these facts, it is almost always wiser to let OpenSSL decide on the tls
cipher to use.

-Steffan
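
The mismatch described in the quoted reply (a SHA256 suite pinned with tls-cipher while the TLS version stays at the 1.0 default) can be caught before deployment. The following is an added example, not part of the original thread or of OpenVPN itself; the function names, the sample configs and the host name are assumptions made for illustration.

```python
import re

# Assumption taken from the reply above: suites ending in SHA256/SHA384 need
# TLS 1.2, and OpenVPN 2.3.x only offers TLS 1.0 unless tls-version-min is set.
TLS12_ONLY = re.compile(r"-SHA(256|384)$")

def parse_directives(text):
    """Map each directive in an OpenVPN config to its argument list."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            directives[name.lstrip("-")] = [a.strip("'\"") for a in args]
    return directives

def check_config(text):
    """Return warnings for tls-cipher suites the TLS 1.0 default cannot offer."""
    d = parse_directives(text)
    suites = ":".join(d.get("tls-cipher", [])).split(":")
    needs_tls12 = [s for s in suites if TLS12_ONLY.search(s)]
    if needs_tls12 and "tls-version-min" not in d:
        return ["%s requires TLS 1.2 but tls-version-min is not set" % s
                for s in needs_tls12]
    return []

# Constructed sample configs (hypothetical host name), not taken from the thread.
BROKEN = """
client
remote vpn.example.net 1194
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""
FIXED = BROKEN + "tls-version-min 1.0\n"
COMMENTED = BROKEN.replace("tls-cipher", ";tls-cipher")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("commented", COMMENTED)):
        print(label, check_config(cfg))
```

Run it against both the server and the client config, since the reply says the setting is needed on both sides.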