Opened 2 years ago

Closed 18 months ago

#1444 closed Bug / Defect (worksforme)

Fatal TLS error

Reported by: lauri.laanenurm Owned by:
Priority: critical Milestone:
Component: Certificates Version: OpenVPN 2.5.1 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: openssl3, legacy, sha1


Linux distribution: Ubuntu 22.04 Jammy

OpenVPN client version:
OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 18 2021
library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10

The Client profile uses:
cipher AES-128-CBC
auth SHA256

When trying to connect to Sophos XG OpenVPN server, I get the following errors and I am unable to get connected:

2022-01-26 11:38:21 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-01-26 11:38:21 TLS_ERROR: BIO read tls_read_plaintext error
2022-01-26 11:38:21 TLS Error: TLS object -> incoming plaintext read error
2022-01-26 11:38:21 TLS Error: TLS handshake failed
2022-01-26 11:38:21 Fatal TLS error (check_tls_errors_co), restarting
2022-01-26 11:38:21 SIGUSR1[soft,tls-error] received, process restarting
2022-01-26 11:38:21 Restart pause, 5 second(s)
2022-01-26 11:38:22 SIGINT[hard,init_instance] received, process exiting

Change History (5)

comment:1 Changed 2 years ago by tct

Which version of Openvpn is your server using ?

comment:2 Changed 2 years ago by becm

Closest match would indicate a TLS 1.1 connection is used and OpenSSL 3.x wants special settings.
May also be similar tigtening of restrictions I'm not aware of (Cert signature schemes as in OpenSSL 1.1).
You could test OpenVPN client config with

tls-cipher "DEFAULT:@SECLEVEL=0"

Not recommended for long-term operation.
Try to somehow use TLS 1.2 and/or achieve a setup where this setting is no longer required.

comment:3 Changed 2 years ago by Gert Döring

There is a bit of information lacking here, but it should be noted that OpenSSL 3.0.1 disallows a lot of "insecure" stuff by default - and what tends to bite people quite often is SHA1 certificates. The @SECLEVEL=0 trick suggested by becm should help with this.

(I do wonder if 2.5 + 3.0.1 does work at all if BF-CBC is needed, as there is no code in 2.5 to load the "legacy provider" that is needed for BF-CBC... but if the server is sufficiently recent, it would negotiate AES-256-GCM anyway, thus making this a non-issue)

comment:4 Changed 2 years ago by Gert Döring

Update on this: 2.5.7 - to be released next Tuesday - will contain better support for OpenSSL 3.0.x, and we try to bring that into Ubuntu 22.04 (or at least the relevant patches).

It will still need extra options to accept SHA1 hashes (--tls-cert-profile insecure) or support old RC2/BF-CBC/... ciphers (--providers legacy default) - this is the way OpenSSL 3.0 went.

So, best way forward is to upgrade your CA to RSA256 and use AES-256-GCM ciphers everywhere...

(I do wonder why there is an 2.5.1 client in the original post... this is way older than what ubuntu 22 should be shipping)

comment:5 Changed 18 months ago by Gert Döring

Keywords: openssl3 legacy sha1 added
Resolution: worksforme
Status: newclosed

So, to summarize - for 2.5.x with OpenSSL 3.0.x, please do always use 2.5.8 or later - 2.5.1 is lacking the necessary knobs to a) display proper SSL error messages in these cases, and b) configure the workarounds needed.

For Ubuntu, they should have backported our 2.5.7/2.5.8 patches into their package by now.

I'm going to close this bug now, as there is nothing for us to do, with no feedback from the original author in 10+ months.

Note: See TracTickets for help on using tickets.