Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup
I am also suffering from this issue with 2.6.0~git20220518+dco-2 (I have added the parameters as advised by Bernhard); the error is the same for both TCP and UDP:

gris@tulip: ~% sudo openvpn --cipher AES-128-CBC --data-ciphers AES-128-CBC --config /root/premisg4.vpnjantit.com/premisg4.vpnjantit-tcp-8080.ovpn
2022-07-24 00:50:08 Cannot find ovpn_dco netlink component: Object not found
2022-07-24 00:50:08 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2022-07-24 00:50:08 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 30 2022
2022-07-24 00:50:08 library versions: OpenSSL 3.0.4 21 Jun 2022, LZO 2.10
2022-07-24 00:50:08 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-07-24 00:50:08 NOTE: --fast-io is disabled since we are not using UDP
2022-07-24 00:50:08 TCP/UDP: Preserving recently used remote address: [AF_INET]188.166.212.168:8080
2022-07-24 00:50:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-07-24 00:50:08 Attempting to establish TCP connection with [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TCP connection established with [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-07-24 00:50:09 TCP_CLIENT link local: (not bound)
2022-07-24 00:50:09 TCP_CLIENT link remote: [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TLS: Initial packet from [AF_INET]188.166.212.168:8080, sid=04c70371 12da42fb
2022-07-24 00:50:09 VERIFY OK: depth=0, CN=premi4.vpnjantit.com, O=premi4.vpnjantit.com, OU=premi4.vpnjantit.com, C=US
2022-07-24 00:50:09 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-07-24 00:50:09 TLS_ERROR: BIO read tls_read_plaintext error
2022-07-24 00:50:09 TLS Error: TLS object -> incoming plaintext read error
2022-07-24 00:50:09 TLS Error: TLS handshake failed
2022-07-24 00:50:09 Fatal TLS error (check_tls_errors_co), restarting
2022-07-24 00:50:09 SIGUSR1[soft,tls-error] received, process restarting
2022-07-24 00:50:09 Restart pause, 5 second(s)
^C2022-07-24 00:50:11 SIGINT[hard,init_instance] received, process exiting

However, this unfortunately very deprecated setting still works just fine with 2.5.1-3. I also reported TLS 1.0 to the service provider.

On Sun, 29 May 2022 20:19:14 +0200 Henrik Schöpel wrote:
> Package: openvpn
> Version: 2.5.6-1
> Severity: important
>
> Dear Debian OpenVPN Maintainer,
>
> This is a pretty serious bug as it breaks the usage of VPN.
>
> The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> won't connect due to TLS errors during connection attempts.
> Only downgrade to version '2.5.6-1' solves the issue.
>
> I had to blur some characters like IP addresses. Destination is Sophos UTM
> Appliances.
>
> I attached a textfile which compares both outputs of each release.
>
> Best regards,
> Henrik
>
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages openvpn depends on:
> ii  debconf [debconf-2.0]  1.5.79
> ii  iproute2               5.17.0-2
> ii  libc6                  2.33-7
> ii  liblz4-1               1.9.3-2
> ii  liblzo2-2              2.10-2
> ii  libpam0g               1.4.0-13
> ii  libpkcs11-helper1      1.28-1+b1
> ii  libssl1.1              1.1.1o-1
> ii  libsystemd0            251.1-1
> ii  lsb-base               11.2
>
> Versions of packages openvpn recommends:
> ii  easy-rsa  3.0.8-1
>
> Versions of packages openvpn suggests:
> ii  openssl  3.0.3-5
> pn  openvpn-systemd-resolved
> pn  resolvconf
>
> -- debconf information:
>   openvpn/create_tun: false

-- 
Best regards,
Mikhail Arefiev
Yandex NOC Software Development
m-aref...@yandex-team.ru
+7 909 160 8668
Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup
Hello Bernhard,

Sorry for my late reply. The XG550 is running Firmware "SFOS 17.5.14 MR-14-1". It fell out of support at the end of 2021. I was in discussion with our network guys to upgrade the Firmware to the latest version. As these Sophos XGs are running in HA Mode and cost 40k each, we can't do this without proper testing etc., so we plan to replace them with brand new Fortinets in the IDC.

Sophos Tech support couldn't provide us any hint whether this could be fixed in the 17.5 FW Release as it's not under support anymore. I couldn't see any information regarding new TLS encryption functions in the 18.x FW Release, but I guess they fixed it. I could reply in 2-3 months once we have the Fortinets in place and properly configured.

One thing is very strange here. The Windows OpenVPN client in version 2.6 works fine compared to the Linux client. So there might be something else in the client source code?

I guess we can close this ticket for the moment?

Best regards,
Henrik

On Mon, 30 May 2022 11:18:41 +0200 Bernhard Schmidt wrote:
> Control: tags -1 moreinfo
>
> Hi Henrik,
>
> > The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> > won't connect due to TLS errors during connection attempts.
> > Only downgrade to version '2.5.6-1' solves the issue.
>
> Have you followed up on the multiple warnings and notes from the log?
>
> 2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
>
> 2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
> 2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
>
> Please also check up on all items in https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst .
>
> From your working log
>
> 2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
>
> TLSv1 means TLSv1.0 means very very deprecated.
>
> > I had to blur some characters like IP addresses. Destination is Sophos UTM
> > Appliances.
>
> Is that Sophos up to date?
>
> Bernhard
Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup
Control: tags -1 moreinfo

Hi Henrik,

> The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> won't connect due to TLS errors during connection attempts.
> Only downgrade to version '2.5.6-1' solves the issue.

Have you followed up on the multiple warnings and notes from the log?

2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol

Please also check up on all items in https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst .

From your working log

2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256

TLSv1 means TLSv1.0 means very very deprecated.

> I had to blur some characters like IP addresses. Destination is Sophos UTM
> Appliances.

Is that Sophos up to date?

Bernhard
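The two failure signatures in this thread (Bernhard's diagnosis above of the "unsupported protocol" error against a TLS 1.0-only appliance, and the "internal error" that Mikhail's log shows after VERIFY OK) are easy to tell apart mechanically. The script below is an added example for this bug report, not code from OpenVPN, OpenSSL or Debian: it decodes the packed OpenSSL 3 error code from the "OpenSSL: error:XXXXXXXX" line using the layout in OpenSSL's err.h (library id above bit 23, reason flags in bits 18-23, reason code below), picks up the --cipher/--data-ciphers deprecation warning and the "Control Channel: TLSv1" line from the working 2.5 log, and emits the client config lines that address each finding. The reason-code numbers (258 for SSL_R_UNSUPPORTED_PROTOCOL, 259 for ERR_R_INTERNAL_ERROR) and the tls-cipher "DEFAULT:@SECLEVEL=0" workaround line are this example's assumptions, not something the thread states; the sample log lines are quoted from the messages in the thread.

```python
"""Triage an OpenVPN 2.6 (OpenSSL 3) client log for the failures in this thread.

Added example for Debian bug #1012075; not code from OpenVPN, OpenSSL or Debian.
"""
import re

# Packed OpenSSL 3 error code layout, from include/openssl/err.h: library id in
# the 8 bits starting at bit 23, reason flags in bits 18-23, reason code below.
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET
ERR_LIB_SSL = 20
SSL_R_UNSUPPORTED_PROTOCOL = 258   # reason 0x102, seen in the original report
ERR_R_INTERNAL_ERROR = 259         # reason 0x103, seen in the second report

OPENSSL_ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):(.+)$")
CONTROL_CHANNEL_RE = re.compile(r"Control Channel: (TLSv1(?:\.\d)?), cipher ([^,]+)")
DEPRECATED_CIPHER_RE = re.compile(
    r"DEPRECATED OPTION: --cipher set to '([^']+)' but missing in --data-ciphers \(([^)]+)\)")

# OpenSSL 3 refuses TLS 1.0/1.1 at security level 1 and above.  The workaround
# below is an assumption of this example, not something the thread recommends:
# Bernhard's tls-version-min hint plus a --tls-cipher string that lowers the
# OpenSSL security level.  It re-enables a deprecated protocol; the real fix
# is a peer that speaks TLS 1.2 or newer.
LEGACY_TLS = {"TLSv1", "TLSv1.1"}
LEGACY_TLS_WORKAROUND = ["tls-version-min 1.0", 'tls-cipher "DEFAULT:@SECLEVEL=0"']


def decode_openssl_error(code_hex):
    """Unpack one packed OpenSSL 3 error code into library, flags and reason."""
    code = int(code_hex, 16)
    reason_field = code & ERR_REASON_MASK
    return {
        "lib": (code >> ERR_LIB_OFFSET) & 0xFF,
        "fatal": bool(reason_field & ERR_RFLAG_FATAL),
        "common": bool(reason_field & ERR_RFLAG_COMMON),
        "reason": reason_field & ((1 << ERR_RFLAGS_OFFSET) - 1),
    }


def triage(lines):
    """Classify log lines; return findings and the client config lines that address them."""
    findings, config, verify_ok = [], [], False
    for line in lines:
        m = DEPRECATED_CIPHER_RE.search(line)
        if m:
            cipher, negotiated = m.groups()
            findings.append(f"--cipher {cipher} is ignored for negotiation; list it in --data-ciphers")
            config.append(f"data-ciphers {negotiated}:{cipher}")
            continue
        m = CONTROL_CHANNEL_RE.search(line)
        if m and m.group(1) in LEGACY_TLS:
            findings.append(f"peer negotiated {m.group(1)} ({m.group(2)}): deprecated, fix the peer")
            config.extend(LEGACY_TLS_WORKAROUND)
            continue
        if "VERIFY OK" in line:
            verify_ok = True
            continue
        m = OPENSSL_ERR_RE.search(line)
        if not m:
            continue
        err, text = decode_openssl_error(m.group(1)), m.group(2)
        if err["lib"] != ERR_LIB_SSL:
            findings.append(f"OpenSSL error outside libssl (lib {err['lib']}): {text}")
        elif err["reason"] == SSL_R_UNSUPPORTED_PROTOCOL:
            findings.append("no common TLS version with the peer; OpenSSL 3 refuses TLS 1.0/1.1 at seclevel >= 1")
            config.extend(LEGACY_TLS_WORKAROUND)
        elif err["reason"] == ERR_R_INTERNAL_ERROR:
            where = "after" if verify_ok else "before"
            findings.append(f"OpenSSL internal error {where} certificate verification: not the plain version mismatch")
        else:
            findings.append(f"unclassified libssl error {m.group(1)}: {text}")
    return {"findings": findings, "config": list(dict.fromkeys(config))}


# Log lines quoted from the thread (not constructed), one list per message.
FAILING_26_LOG = [
    "2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.",
    "2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol",
    "2022-05-29 19:08:08 TLS Error: TLS handshake failed",
]
WORKING_25_LOG = [
    "2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256",
]
SECOND_REPORT_LOG = [
    "2022-07-24 00:50:09 VERIFY OK: depth=0, CN=premi4.vpnjantit.com, O=premi4.vpnjantit.com, OU=premi4.vpnjantit.com, C=US",
    "2022-07-24 00:50:09 OpenSSL: error:0A0C0103:SSL routines::internal error",
]

if __name__ == "__main__":
    for name, log in [("2.6 failing", FAILING_26_LOG), ("2.5 working", WORKING_25_LOG),
                      ("second report", SECOND_REPORT_LOG)]:
        result = triage(log)
        print(name, *result["findings"], *result["config"], sep="\n  ")
```

Run it on a client log captured with the failing 2.6 build and it prints, for the original report, the two findings Bernhard pointed at plus the three config lines; for Mikhail's log it emits no config at all, because an internal error after a successful certificate check is a different failure from the version mismatch and the seclevel workaround should not be applied blindly. Treat the two legacy lines as a stopgap for an appliance that is out of support, as the thread itself concludes.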
Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup
Package: openvpn
Version: 2.5.6-1
Severity: important

Dear Debian OpenVPN Maintainer,

This is a pretty serious bug as it breaks the usage of VPN.

The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1' won't connect due to TLS errors during connection attempts. Only downgrade to version '2.5.6-1' solves the issue.

I had to blur some characters like IP addresses. Destination is Sophos UTM Appliances.

I attached a textfile which compares both outputs of each release.

Best regards,
Henrik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  iproute2               5.17.0-2
ii  libc6                  2.33-7
ii  liblz4-1               1.9.3-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.4.0-13
ii  libpkcs11-helper1      1.28-1+b1
ii  libssl1.1              1.1.1o-1
ii  libsystemd0            251.1-1
ii  lsb-base               11.2

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl  3.0.3-5
pn  openvpn-systemd-resolved
pn  resolvconf

-- debconf information:
  openvpn/create_tun: false

Output of latest OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' in repo - this version doesn't connect to the destination!

root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn
2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2022-05-29 19:07:47 Cannot find ovpn_dco netlink component: Object not found
2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
Enter Auth Password: **
2022-05-29 19:08:08 TCP/UDP: Preserving recently used remote address: [AF_INET]*:8443
2022-05-29 19:08:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:08 Attempting to establish TCP connection with [AF_INET]*:8443
2022-05-29 19:08:08 TCP connection established with [AF_INET]*:8443
2022-05-29 19:08:08 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:08 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:08 TCP_CLIENT link remote: [AF_INET]*:8443
2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*.35:8443, sid=2a3742bf 758117bf
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:08 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:08 TLS Error: TLS handshake failed
2022-05-29 19:08:08 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:08 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:08 Restart pause, 5 second(s)
2022-05-29 19:08:13 TCP/UDP: Preserving recently used remote address: [AF_INET]*:8443
2022-05-29 19:08:13 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:13 Attempting to establish TCP connection with [AF_INET]*:8443
2022-05-29 19:08:13 TCP connection established with [AF_INET]*:8443
2022-05-29 19:08:13 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:13 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:13 TCP_CLIENT link remote: [AF_INET]*:8443
2022-05-29 19:08:13 TLS: Initial packet from [AF_INET]*:8443, sid=eceadd8a 6679da5c
2022-05-29 19:08:13 TLS error: