Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup

2022-06-09 Thread Henrik Schöpel
Hello Bernhard,

Sorry for my late reply.

The XG550 is running Firmware "SFOS 17.5.14 MR-14-1". It fell out of
support at the end of 2021. I was in discussion with our network guys to
upgrade the Firmware to the latest version. As these Sophos XGs are running
in HA mode and cost 40k each, we can't do this without proper testing
etc. So we plan to replace them with brand new Fortinets in the IDC.
Sophos Tech support couldn't provide us any hint if this could be fixed
in this 17.5 FW release as it's not under support anymore.

I couldn't see any information regarding new TLS encryption functions
in the 18.x FW release, but I guess they fixed it. I could reply in 2-3
months once we have the Fortinets in place and properly configured.

One thing is very strange here. The Windows OpenVPN client in version
2.6 works fine compared to the Linux client. So there might be something
else in the client source code?

I guess we can close this ticket for the moment?

Best regards,
Henrik


On Mon, 30 May 2022 11:18:41 +0200 Bernhard Schmidt wrote:
> Control: tags -1 moreinfo
> 
> Hi Henrik,
> 
> > The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> > won't connect due to TLS errors during connection attempts.
> > Only downgrade to version '2.5.6-1' solves the issue.
> 
> Have you followed up on the multiple warnings and notes from the log?
> 
> 2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
> OpenVPN ignores --cipher for cipher negotiations.
> 
> 2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically
> indicates that client and server have no common TLS version enabled.
> This can be caused by mismatched tls-version-min and tls-version-max
> options on client and server. If your OpenVPN client is between v2.3.6
> and v2.3.2 try adding tls-version-min 1.0 to the client configuration to
> use TLS 1.0+ instead of TLS 1.0 only
> 2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported
> protocol
> 
> Please also check up on all items in 
> https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst .
> 
> From your working log
> 
> 2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3
> DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
> 
> TLSv1 means TLSv1.0 means very very deprecated.
> 
> > 
> > I had to blur some characters like IP addresses. Destination is Sophos UTM
> > Appliances.
> 
> Is that Sophos up to date?
> 
> Bernhard
> 
> 
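Added example, not part of the bug report thread and not OpenVPN's own code: a small Python triage script that joins the mail-wrapped log lines back into whole entries and flags the messages Bernhard points at (the deprecated --cipher handling, the "Unsupported protocol" TLS failure with its OpenSSL error, and the TLSv1.0 control channel in the working 2.5 log). The sample lines are constructed from the logs in this thread; the finding codes, the rule table, the advice strings and the verdict logic in `diagnose` are the example's own, not anything OpenVPN emits.

```python
"""Triage an OpenVPN client log for control-channel problems like those in this thread."""
import re
from dataclasses import dataclass

# An entry is "<timestamp> <message>". Lines without a timestamp are treated as
# continuations of the previous entry (the log in the report was wrapped by mail).
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


@dataclass(frozen=True)
class Finding:
    code: str        # rule code from RULES (names chosen for this example)
    timestamp: str
    detail: str      # matched text, or extracted values for the cipher rule


# Rule table: (code, regex applied to the joined message).
RULES = [
    ("COMPRESSION_ENABLED", re.compile(r"WARNING: Compression for receiving enabled")),
    ("CIPHER_NOT_IN_DATA_CIPHERS",
     re.compile(r"--cipher set to '(?P<cipher>[^']+)' but missing in --data-ciphers \((?P<list>[^)]+)\)")),
    ("TLS_NO_COMMON_VERSION", re.compile(r"TLS error: Unsupported protocol")),
    ("OPENSSL_UNSUPPORTED_PROTOCOL", re.compile(r"OpenSSL: error:0A000102:SSL routines::unsupported protocol")),
    ("CONTROL_CHANNEL_TLS10", re.compile(r"Control Channel: TLSv1, ")),   # "TLSv1.2, " would not match
    ("DCO_UNAVAILABLE", re.compile(r"Kernel support for ovpn-dco missing")),
]

# Defender-side interpretation of each code (this example's wording).
ADVICE = {
    "COMPRESSION_ENABLED": "Compression is enabled for received packets; remove it on both ends (compression-oracle risk).",
    "CIPHER_NOT_IN_DATA_CIPHERS": "--cipher is ignored for negotiation; list the cipher in --data-ciphers on both sides or move to an AEAD cipher.",
    "TLS_NO_COMMON_VERSION": "Client and server share no TLS version; an OpenSSL 3 client does not offer TLS 1.0/1.1 by default.",
    "OPENSSL_UNSUPPORTED_PROTOCOL": "OpenSSL rejected the peer's protocol version; corroborates TLS_NO_COMMON_VERSION.",
    "CONTROL_CHANNEL_TLS10": "Control channel negotiated TLS 1.0, which is deprecated; the server needs TLS 1.2 or later enabled.",
    "DCO_UNAVAILABLE": "Data channel offload unavailable (no ovpn-dco kernel module); informational only.",
}


def join_wrapped(lines):
    """Merge wrapped continuation lines back into (timestamp, message) tuples."""
    entries = []
    for raw in lines:
        line = raw.rstrip()
        m = TIMESTAMP_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line:
            entries[-1][1] += " " + line.strip()
    return [(ts, msg) for ts, msg in entries]


def analyze(lines):
    """Return one Finding per (entry, matching rule), in log order."""
    findings = []
    for ts, msg in join_wrapped(lines):
        for code, rx in RULES:
            m = rx.search(msg)
            if m:
                detail = f"{m['cipher']} not in {m['list']}" if m.groupdict() else m.group(0)
                findings.append(Finding(code, ts, detail))
    return findings


def diagnose(findings):
    """Collapse findings into a one-line verdict (rule combinations are this example's own)."""
    codes = {f.code for f in findings}
    if {"TLS_NO_COMMON_VERSION", "OPENSSL_UNSUPPORTED_PROTOCOL"} <= codes:
        return "handshake failed: no common TLS version (server likely limited to TLS 1.0/1.1)"
    if "CONTROL_CHANNEL_TLS10" in codes:
        return "connected, but control channel is on deprecated TLS 1.0"
    if codes:
        return "connected; configuration warnings only"
    return "no known issues"


# Constructed sample input, modelled on the failing 2.6 log and the working 2.5 log above.
SAMPLE_FAILING = """\
2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has
been used in the past to break encryption. Sent packets are not compressed
unless "allow-compression yes" is also set.
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN
ignores --cipher for cipher negotiations.
2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data
channel offload.
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates
that client and server have no common TLS version enabled.
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS Error: TLS handshake failed
""".splitlines()

SAMPLE_WORKING = """\
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3
DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("failing", SAMPLE_FAILING), ("working", SAMPLE_WORKING)):
        found = analyze(sample)
        print(f"[{name}] {diagnose(found)}")
        for f in found:
            print(f"  {f.timestamp} {f.code}: {f.detail}\n    -> {ADVICE[f.code]}")
```

Run it against a real client log with `analyze(open("client.log").readlines())`; the verdict from `diagnose` separates "the server is too old to negotiate a TLS version the new client accepts" from "it connects, but on TLS 1.0", which is the distinction the two logs in this thread illustrate.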



Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup

2022-05-29 Thread Henrik Schöpel
Package: openvpn
Version: 2.5.6-1
Severity: important

Dear Debian OpenVPN Maintainer,

This is a pretty serious bug as it breaks the usage of VPN.

The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
won't connect due to TLS errors during connection attempts.
Only downgrade to version '2.5.6-1' solves the issue.

I had to blur some characters like IP addresses. Destination is Sophos UTM
Appliances.

I attached a text file which compares both outputs of each release.

Best regards,
Henrik


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  iproute2   5.17.0-2
ii  libc6  2.33-7
ii  liblz4-1   1.9.3-2
ii  liblzo2-2  2.10-2
ii  libpam0g   1.4.0-13
ii  libpkcs11-helper1  1.28-1+b1
ii  libssl1.1  1.1.1o-1
ii  libsystemd0  251.1-1
ii  lsb-base   11.2

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl   3.0.3-5
pn  openvpn-systemd-resolved  
pn  resolvconf

-- debconf information:
  openvpn/create_tun: false
Output of the latest OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' in the repo -
this version doesn't connect to the destination!


root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn
2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has 
been used in the past to break encryption. Sent packets are not compressed 
unless "allow-compression yes" is also set.
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN 
ignores --cipher for cipher negotiations. 
2022-05-29 19:07:47 Cannot find ovpn_dco netlink component: Object not found
2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data 
channel offload.
2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
🔐 Enter Auth Password: **  
2022-05-29 19:08:08 TCP/UDP: Preserving recently used remote address: 
[AF_INET]*:8443
2022-05-29 19:08:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:08 Attempting to establish TCP connection with 
[AF_INET]*:8443
2022-05-29 19:08:08 TCP connection established with [AF_INET]*:8443
2022-05-29 19:08:08 Note: enable extended error passing on TCP/UDP socket 
failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:08 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:08 TCP_CLIENT link remote: [AF_INET]*:8443
2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*.35:8443, 
sid=2a3742bf 758117bf
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates 
that client and server have no common TLS version enabled. This can be caused 
by mismatched tls-version-min and tls-version-max options on client and server. 
If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 
1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:08 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:08 TLS Error: TLS handshake failed
2022-05-29 19:08:08 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:08 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:08 Restart pause, 5 second(s)
2022-05-29 19:08:13 TCP/UDP: Preserving recently used remote address: 
[AF_INET]*:8443
2022-05-29 19:08:13 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:13 Attempting to establish TCP connection with 
[AF_INET]*:8443
2022-05-29 19:08:13 TCP connection established with [AF_INET]*:8443
2022-05-29 19:08:13 Note: enable extended error passing on TCP/UDP socket 
failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:13 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:13 TCP_CLIENT link remote: [AF_INET]*:8443
2022-05-29 19:08:13 TLS: Initial packet from [AF_INET]*:8443, 
sid=eceadd8a 6679da5c
2022-05-29 19:08:13 TLS error: Uns