Opened 6 years ago
Closed 2 years ago
#1114 closed Bug / Defect (wontfix)
iOS v3 App TLS Errors on New Installs Only
| Reported by: | ciacco22 | Owned by: | OpenVPN Inc. |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | OpenVPN Connect | Version: | |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | OpenVPN Connect for iOS v3.0.1 |
| Cc: | | | |
Description
Hello,
I've posted the information in the forum, not realizing I can report the bug - https://forums.openvpn.net/viewtopic.php?f=36&t=27068
With the upgrade of OpenVPN Connect to v3.0.1.(770), I've found that I can only connect on iPhones that upgraded the app (after reinstalling the config). When installing the app on an iPhone that did not have it previously installed, the app fails with the below TLS Error.
When I received this error on the old iOS app, I successfully fixed it by checking the AES-CBC cipher algorithm setting.
I've verified that the settings match between the freshly installed iOS app and the upgraded iOS app.
Server Config TLS Settings:

```text
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC
```

Client Config TLS Settings:

```text
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC
```
Failed Connection Server Log:

```text
TLS: Initial packet from [AF_INET]X.X.X.X:42529, sid=c93dd086 c1f6f25f
TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
```

Failed Connection Client Log:

```text
----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
Frame=512/2048/512 mssfix-ctrl=1250
UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]
EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge
Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
EVENT: DISCONNECTED
Raw stats on disconnect:
  BYTES_IN : 98
  BYTES_OUT : 6260
  PACKETS_IN : 1
  PACKETS_OUT : 22
Performance stats on disconnect:
  CPU usage (microseconds): 76332
  Network bytes per CPU second: 83294
  Tunnel bytes per CPU second: 0
```
Additionally, here are the logs for the iOS app and a successful connection, where the app was previously installed and upgraded through the App Store.

Successful Connection Server Log:

```text
TLS: Initial packet from [AF_INET]X.X.X.X:46391, sid=dafac842 38ac4828
VERIFY OK: depth=1, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, name=Certificate Authority, emailAddress=email
VERIFY OK: depth=0, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain, name=DOMAIN Client Cert, emailAddress=email
peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.1-770
peer info: IV_VER=3.2
peer info: IV_PLAT=ios
peer info: IV_LZO=1
peer info: IV_LZO_SWAP=1
peer info: IV_LZ4=1
peer info: IV_COMP_STUB=1
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
TLS: Username/Password authentication succeeded for username 'username'
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[domain] Peer Connection Initiated with [AF_INET]X.X.X.X:46391
domain/X.X.X.X:46391 MULTI_sva: pool returned IPv4=X.X.X.X, IPv6=(Not enabled)
domain/X.X.X.X:46391 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
domain/X.X.X.X:46391 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7d8594863b0dec8f3ffcd46312862a90.tmp
domain/X.X.X.X:46391 MULTI: Learn: X.X.X.X -> domain/X.X.X.X:46391
domain/X.X.X.X:46391 MULTI: primary virtual IP for domain/X.X.X.X:46391: X.X.X.X
domain/X.X.X.X:46391 PUSH: Received control message: 'PUSH_REQUEST'
domain/X.X.X.X:46391 SENT CONTROL [domain]: 'PUSH_REPLY,route X.X.X.X 255.255.0.0,route X.X.X.X 255.255.0.0,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,compress lz4-v2,route X.X.X.X,topology net30,ping 10,ping-restart 120,ifconfig X.X.X.X X.X.X.X' (status=1)
domain/X.X.X.X:46391 SIGTERM[soft,remote-exit] received, client-instance exiting
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
MANAGEMENT: Client connected from [AF_INET]X.X.X.X:PORT
```
Successful Connection Client Log:

```text
----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
Frame=512/2048/512 mssfix-ctrl=1250
UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]
EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge
Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_COMP_STUB=1
VERIFY OK : depth=1
cert. version : X
serial number : XX:XX:XX:XX:XX:XX:XX:XX
issuer name : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
subject name : C=US, ST=Illinois, L=Chicago, O=Comany, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
issued on : 2018-06-27 16:51:02
expires on : 2028-06-24 16:51:02
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Certificate Authority, emailAddress=email
subject name : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Server Cert, emailAddress=email
issued on : 2018-06-27 16:51:03
expires on : 2028-06-24 16:51:03
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : domain.com
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
Session is ACTIVE
EVENT: GET_CONFIG
Sending PUSH_REQUEST to server...
OPTIONS:
0 [route] [X.X.X.X] [X.X.X.X]
1 [route] [X.X.X.X] [X.X.X.X]
2 [dhcp-option] [DNS] [X.X.X.X]
3 [dhcp-option] [DNS] [X.X.X.X]
4 [dhcp-option] [DNS] [X.X.X.X]
5 [compress] [lz4-v2]
6 [route] [X.X.X.X]
7 [topology] [net30]
8 [ping] [10]
9 [ping-restart] [120]
10 [ifconfig] [X.X.X.X] [X.X.X.X]
PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  compress: LZ4v2
  peer ID: -1
EVENT: ASSIGN_IP
NIP: preparing TUN network settings
NIP: init TUN network settings with endpoint: X.X.X.X
NIP: adding IPv4 address to network settings X.X.X.X/255.255.255.252
NIP: adding (included) IPv4 route X.X.X.X/30
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding match domain ALL
NIP: adding DNS specific routes:
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
Connected via NetworkExtensionTUN
LZ4v2 init asym=0
EVENT: CONNECTED username@domain:PORT (X.X.X.X) via /UDPv4 on NetworkExtensionTUN/X.X.X.X/ gw=[/]
```
Change History (5)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Looking at this some more, I updated my TLS cipher according to https://community.openvpn.net/openvpn/wiki/Hardening and am now able to connect.
```text
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
```
I commented on the forum post that I linked at the top of the ticket as well.
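An added example, not code from the ticket or from OpenVPN, of the two checks a server administrator would want after reading this ticket: scan the server log for the "no shared cipher" handshake failure quoted in the description, and audit the config's tls-cipher directive for SHA-1 suites, suggesting the SHA-2 counterpart that this comment switched to. The sample log is constructed from the masked lines in the ticket; the ECDHE mapping goes beyond the ticket's DHE-RSA case.

```python
import re

# Constructed sample in the shape of the ticket's server log (addresses masked "X.X.X.X" as on the page):
# one handshake that fails with "no shared cipher" and one that completes.
SAMPLE_SERVER_LOG = """\
TLS: Initial packet from [AF_INET]X.X.X.X:42529, sid=c93dd086 c1f6f25f
TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
TLS Error: TLS handshake failed
TLS: Initial packet from [AF_INET]X.X.X.X:46391, sid=dafac842 38ac4828
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
"""

INITIAL_RE = re.compile(r"TLS: Initial packet from \[AF_INET\](?P<peer>[^,\s]+), sid=(?P<sid>[0-9a-f]+ [0-9a-f]+)")

def find_no_shared_cipher_failures(log_text):
    """Return (peer, sid) for every handshake whose OpenSSL error is 'no shared cipher'."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = INITIAL_RE.search(line)
        if m:                      # a new handshake attempt starts here
            current = (m.group("peer"), m.group("sid"))
        elif "no shared cipher" in line and current is not None:
            failures.append(current)
            current = None
    return failures

# OpenVPN tls-cipher names use the IANA-style "TLS-<kx>-WITH-AES-<bits>-CBC-<mac>" form;
# a bare "-SHA" suffix is the SHA-1 variant, which the fresh client install in this ticket did not accept.
SHA1_CBC_RE = re.compile(r"^TLS-(?P<kx>DHE-RSA|ECDHE-RSA|ECDHE-ECDSA)-WITH-AES-(?P<bits>128|256)-CBC-SHA$")

def sha2_equivalent(suite):
    """Map a SHA-1 AES-CBC suite to its registered SHA-2 counterpart (None if not a SHA-1 suite)."""
    m = SHA1_CBC_RE.match(suite)
    if not m:
        return None
    # DHE-RSA suites and all AES-128 suites are registered with SHA256; ECDHE AES-256 suites with SHA384
    mac = "SHA256" if m.group("kx") == "DHE-RSA" or m.group("bits") == "128" else "SHA384"
    return suite + mac[3:]    # "...-CBC-SHA" -> "...-CBC-SHA256" or "...-CBC-SHA384"

def audit_tls_cipher(config_text):
    """Parse the tls-cipher directive of an OpenVPN config and list SHA-1 suites with suggested replacements."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "tls-cipher":
            suites = parts[1].split(":")
            return {"suites": suites,
                    "sha1_only": [(s, sha2_equivalent(s)) for s in suites if sha2_equivalent(s)]}
    return {"suites": [], "sha1_only": []}
```

Run the audit against the server config before rolling out a new client build; a non-empty `sha1_only` list is the condition that produced the failed handshake above.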
comment:3 Changed 4 years ago by
| Owner: | changed from yuriy to denys |
|---|---|
| Status: | new → assigned |
comment:4 Changed 4 years ago by
| Owner: | changed from denys to OpenVPN Inc. |
|---|---|
comment:5 Changed 2 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/
cc