Opened 2 years ago

Last modified 2 years ago

#1114 new Bug / Defect

iOS v3 App TLS Errors on New Installs Only

Reported by: ciacco22
Owned by: yuriy
Priority: major
Milestone:
Component: OpenVPN Connect
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: OpenVPN Connect for iOS v3.0.1
Cc:

Description

Hello,

I've posted the information in the forum, not realizing I can report the bug - https://forums.openvpn.net/viewtopic.php?f=36&t=27068

With the upgrade of OpenVPN Connect to v3.0.1 (770), I've found that I can only connect on iPhones that upgraded the app (after reinstalling the config). When installing the app on an iPhone that did not have it previously installed, the app fails with the TLS error below.

When I received this error on the old iOS app, I successfully fixed it by checking the AES-CBC cipher algorithm setting.

I've verified that the settings match between the freshly installed iOS app and the upgraded iOS app.

Server Config TLS Settings:

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC

Client Config TLS Settings:

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC

Failed Connection Server Log:

TLS: Initial packet from [AF_INET]X.X.X.X:42529, sid=c93dd086 c1f6f25f
TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Failed Connection Client Log:

----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep  4 2018 09:41:09

Frame=512/2048/512 mssfix-ctrl=1250

UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]

EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge

Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1

EVENT: DISCONNECTED

Raw stats on disconnect:
  BYTES_IN : 98
  BYTES_OUT : 6260
  PACKETS_IN : 1
  PACKETS_OUT : 22

Performance stats on disconnect:
  CPU usage (microseconds): 76332
  Network bytes per CPU second: 83294
  Tunnel bytes per CPU second: 0

Additionally, here are the logs for the iOS app and a successful connection, where the app was previously installed and upgraded through the App Store.

Successful Connection Server Log:

TLS: Initial packet from [AF_INET]X.X.X.X:46391, sid=dafac842 38ac4828
VERIFY OK: depth=1, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, name=Certificate Authority, emailAddress=email
VERIFY OK: depth=0, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain, name=DOMAIN Client Cert, emailAddress=email
peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.1-770
peer info: IV_VER=3.2
peer info: IV_PLAT=ios
peer info: IV_LZO=1
peer info: IV_LZO_SWAP=1
peer info: IV_LZ4=1
peer info: IV_COMP_STUB=1
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
TLS: Username/Password authentication succeeded for username 'username'
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[domain] Peer Connection Initiated with [AF_INET]X.X.X.X:46391
domain/X.X.X.X:46391 MULTI_sva: pool returned IPv4=X.X.X.X, IPv6=(Not enabled)
domain/X.X.X.X:46391 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
domain/X.X.X.X:46391 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7d8594863b0dec8f3ffcd46312862a90.tmp
domain/X.X.X.X:46391 MULTI: Learn: X.X.X.X -> domain/X.X.X.X:46391
domain/X.X.X.X:46391 MULTI: primary virtual IP for domain/X.X.X.X:46391: X.X.X.X
domain/X.X.X.X:46391 PUSH: Received control message: 'PUSH_REQUEST'
domain/X.X.X.X:46391 SENT CONTROL [domain]: 'PUSH_REPLY,route X.X.X.X 255.255.0.0,route X.X.X.X 255.255.0.0,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,compress lz4-v2,route X.X.X.X,topology net30,ping 10,ping-restart 120,ifconfig X.X.X.X X.X.X.X' (status=1)
domain/X.X.X.X:46391 SIGTERM[soft,remote-exit] received, client-instance exiting
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
MANAGEMENT: Client connected from [AF_INET]X.X.X.X:PORT

Successful Connection Client Log:

----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep  4 2018 09:41:09

Frame=512/2048/512 mssfix-ctrl=1250

UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]

EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge
Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_COMP_STUB=1

VERIFY OK : depth=1
cert. version    : X
serial number    : XX:XX:XX:XX:XX:XX:XX:XX
issuer name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
subject name      : C=US, ST=Illinois, L=Chicago, O=Comany, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
issued  on        : 2018-06-27 16:51:02
expires on        : 2028-06-24 16:51:02
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true


VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Certificate Authority, emailAddress=email
subject name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Server Cert, emailAddress=email
issued  on        : 2018-06-27 16:51:03
expires on        : 2028-06-24 16:51:03
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : domain.com
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
Session is ACTIVE
EVENT: GET_CONFIG
Sending PUSH_REQUEST to server...

OPTIONS:
0 [route] [X.X.X.X] [X.X.X.X]
1 [route] [X.X.X.X] [X.X.X.X]
2 [dhcp-option] [DNS] [X.X.X.X]
3 [dhcp-option] [DNS] [X.X.X.X]
4 [dhcp-option] [DNS] [X.X.X.X]
5 [compress] [lz4-v2]
6 [route] [X.X.X.X]
7 [topology] [net30]
8 [ping] [10]
9 [ping-restart] [120]
10 [ifconfig] [X.X.X.X] [X.X.X.X]


PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  compress: LZ4v2
  peer ID: -1

EVENT: ASSIGN_IP
NIP: preparing TUN network settings
NIP: init TUN network settings with endpoint: X.X.X.X
NIP: adding IPv4 address to network settings X.X.X.X/255.255.255.252
NIP: adding (included) IPv4 route X.X.X.X/30
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding match domain ALL
NIP: adding DNS specific routes:
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
Connected via NetworkExtensionTUN
LZ4v2 init asym=0
EVENT: CONNECTED username@domain:PORT (X.X.X.X) via /UDPv4 on NetworkExtensionTUN/X.X.X.X/ gw=[/]

Change History (2)

comment:1 Changed 2 years ago by tincantech

cc

comment:2 Changed 2 years ago by ciacco22

Looking at this some more, I updated my TLS cipher according to https://community.openvpn.net/openvpn/wiki/Hardening and am now able to connect.

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

I commented on the forum post that I linked at the top of the ticket as well.
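Added example (written for this page, not code from the ticket or from OpenVPN itself): a small Python check that reproduces the reasoning behind the "no shared cipher" failure in the description and the fix in comment 2. It translates the IANA-style suite names used in --tls-cipher into the OpenSSL spelling the server log prints (the "DHE-RSA-AES256-SHA" in the successful log), intersects the server's list with what a client offers, and flags the two log signatures seen above. The server settings and the quoted log lines are the ticket's; the client's offered list is a constructed assumption, since the ticket does not show the client hello.

```python
"""
Added example (not from the ticket, and not OpenVPN's own code): reason
about an OpenVPN --tls-cipher mismatch of the kind shown in this ticket.
Assumptions: suite names follow the IANA "TLS-...-WITH-..." spelling used
in OpenVPN configs, and the client's offered list is constructed here.
"""
import re

# IANA spelling (as written in --tls-cipher) -> OpenSSL spelling (as printed
# in "Control Channel: ... cipher ..." server log lines). The rules cover the
# TLS 1.2 AES-CBC, AES-GCM and CHACHA20 suites; TLS 1.3 suites are set with
# --tls-ciphersuites in OpenVPN and are out of scope here.
_REWRITES = [
    (r"^TLS-", ""),
    (r"-WITH-", "-"),
    (r"AES-(\d+)-CBC", r"AES\1"),
    (r"AES-(\d+)-GCM", r"AES\1-GCM"),
    (r"CHACHA20-POLY1305-SHA256$", "CHACHA20-POLY1305"),
]


def iana_to_openssl(name: str) -> str:
    """TLS-DHE-RSA-WITH-AES-256-CBC-SHA -> DHE-RSA-AES256-SHA."""
    out = name.strip()
    for pattern, repl in _REWRITES:
        out = re.sub(pattern, repl, out)
    return out


def parse_tls_cipher(setting: str) -> list:
    """Split a --tls-cipher value into its colon-separated suite names."""
    return [s for s in setting.strip().split(":") if s]


def shared_suites(server_tls_cipher: str, client_offered: list) -> list:
    """Suites acceptable to both sides, in server preference order, in
    OpenSSL spelling so the result can be matched against the server log."""
    offered = {iana_to_openssl(c) for c in client_offered}
    return [
        s for s in map(iana_to_openssl, parse_tls_cipher(server_tls_cipher))
        if s in offered
    ]


def describe(name: str) -> dict:
    """Properties the hardening guidance cares about for one suite."""
    kx = name.split("-WITH-")[0].replace("TLS-", "")
    mac = name.rsplit("-", 1)[-1]
    aead = "GCM" in name or "POLY1305" in name
    return {
        "forward_secret": kx.startswith(("DHE", "ECDHE")),
        "aead": aead,
        "mac": "AEAD" if aead else mac,  # a bare "SHA" suffix means HMAC-SHA1
    }


_MISMATCH = re.compile(r"no shared cipher|no TLS ciphersuites in common")


def log_shows_cipher_mismatch(lines) -> bool:
    """True if the server log carries either signature seen in the ticket."""
    return any(_MISMATCH.search(line) for line in lines)


# Server settings from the ticket: the original one and the one from comment 2.
SERVER_ORIGINAL = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"
SERVER_FIXED = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"

# Constructed: a client that only offers SHA-2 HMAC and AEAD suites. This is an
# assumption for illustration; the ticket does not show the client hello.
CLIENT_OFFERED = [
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
]

# Server log lines quoted from the ticket's failed connection.
FAILED_SERVER_LOG = [
    "TLS error: The server has no TLS ciphersuites in common with the client. "
    "Your --tls-cipher setting might be too restrictive.",
    "OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher",
]


if __name__ == "__main__":
    print("original:", shared_suites(SERVER_ORIGINAL, CLIENT_OFFERED) or "NO SHARED SUITE")
    print("fixed:   ", shared_suites(SERVER_FIXED, CLIENT_OFFERED))
    print("mismatch in log:", log_shows_cipher_mismatch(FAILED_SERVER_LOG))
    for s in (SERVER_ORIGINAL, SERVER_FIXED):
        print(s, "->", iana_to_openssl(s), describe(s))
```

With the constructed client list, the original single-suite setting yields an empty intersection, which is exactly the situation the server log describes, while the SHA256 variant from comment 2 matches. The same translation lets you grep a server log for the OpenSSL name of whatever you put in --tls-cipher, which is the quickest way to confirm which suite a given client actually negotiated.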
