I do know that openvpn-nl is basically a slightly changed version of
openvpn (mbed SSL & lots of insecure crypto removed).

Our server-side installation of stock-openvpn already uses:

cipher AES-256-CBC
auth SHA256

so I thought, we could simply replace openvpn with openvpn-nl.
I did that, restarted the server processes and alas, most clients could 
reconnect without a hitch.

Some clients, however, couldn't connect to my server running openvpn-nl:

Dec 21 16:17:58 openvpn tcp[16182]: 87.173.x.y TLS_ERROR: read tls_read_plaintext error: SSL - The server has no ciphersuites in common with the client

I then matched those client IPs to their previous successful logins
and extracted their client versions:

% fgrep -f problemclients /var/log/daemon.log.1 | fgrep IV_VER | awk '{print $NF}' | sort | uniq -c | sort -n

      6 IV_VER=2.4.0
      9 IV_VER=2.3.5
     10 IV_VER=2.3.2
     10 IV_VER=2.3.6
     23 IV_VER=2.3.4

So it seems 2.3.2-2.3.6 and 2.4.0 can't agree on a ciphersuite in
the control channel.

Somewhere along the development of 2.3.x the ciphersuites for the
control channel must have changed. Where?

I created some stats using the current setup:

# xzfgrep "Control Channel:" /var/log/daemon.log* | awk -F"Control Channel: " '{print $2}' | sort | uniq -c | sort -n
      2 TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    114 TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
    115 TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA 
   1617 TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
  17756 TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
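The correlation the post does by hand (failing client IP -> last IV_VER and last negotiated control-channel cipher) as one script; this is an added example, not code from the post or from OpenVPN, and it assumes the constructed log layout shown in SAMPLE_LOG (client "ip:port peer info: IV_VER=..." and "ip:port Control Channel: ..." lines, which is how OpenVPN 2.x logs them).

```python
import re
from collections import Counter

# Constructed sample lines mirroring the layout quoted in the post; not real log data.
SAMPLE_LOG = """\
Dec 21 16:10:01 openvpn tcp[16182]: 87.173.1.1:40001 peer info: IV_VER=2.3.4
Dec 21 16:10:02 openvpn tcp[16182]: 87.173.1.1:40001 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Dec 21 16:10:05 openvpn tcp[16182]: 10.9.8.7:40002 peer info: IV_VER=2.4.4
Dec 21 16:10:06 openvpn tcp[16182]: 10.9.8.7:40002 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Dec 21 16:12:00 openvpn tcp[16182]: 192.0.2.5:40003 peer info: IV_VER=2.3.6
Dec 21 16:12:01 openvpn tcp[16182]: 192.0.2.5:40003 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Dec 21 16:17:58 openvpn tcp[16182]: 87.173.1.1 TLS_ERROR: read tls_read_plaintext error: SSL - The server has no ciphersuites in common with the client
Dec 21 16:18:10 openvpn tcp[16182]: 192.0.2.5 TLS_ERROR: read tls_read_plaintext error: SSL - The server has no ciphersuites in common with the client
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TLS_ERROR_RE = re.compile(IP + r" TLS_ERROR: ")
IV_VER_RE = re.compile(IP + r":\d+ peer info: IV_VER=(\S+)")   # assumed line shape
CONTROL_RE = re.compile(IP + r":\d+ Control Channel: (.+?)\s*$")  # assumed line shape


def triage(log_text):
    """Return (Counter of IV_VER, Counter of control-channel cipher) for every
    client IP that logged a TLS_ERROR, using that IP's most recent values."""
    last_version = {}   # ip -> most recent IV_VER the client announced
    last_control = {}   # ip -> most recent control-channel negotiation
    failing = set()
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            failing.add(m.group(1))
            continue
        m = IV_VER_RE.search(line)
        if m:
            last_version[m.group(1)] = m.group(2)
            continue
        m = CONTROL_RE.search(line)
        if m:
            last_control[m.group(1)] = m.group(2)
    versions = Counter(last_version.get(ip, "unknown") for ip in failing)
    ciphers = Counter(last_control.get(ip, "unknown") for ip in failing)
    return versions, ciphers


if __name__ == "__main__":
    ver, cc = triage(SAMPLE_LOG)
    for table in (ver, cc):
        for key, n in sorted(table.items(), key=lambda kv: kv[1]):
            print(f"{n:7d} {key}")
```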
