Opened 10 years ago

Closed 10 years ago

#401 closed Bug / Defect (wontfix)

OpenVPN 2.3.4 client fails when server uses tls-version-minimum 1.2 when 2.3.3 works fine

Reported by: truckingjobs Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: tls
Cc:

Description

A 2.3.4 OpenVPN client fails to connect to a server configured with tls-version-min 1.2. A 2.3.3 client connects fine.

Server is configured with:

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Server log:

TLS: new session incoming connection from [AF_INET]
TLS_ERROR: BIO read tls_read_plaintext error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Change History (1)

comment:1 Changed 10 years ago by plaisthos

Resolution: wontfix
Status: new → closed

The TLS 1.0+ behaviour in 2.3.3 caused some configurations to no longer work that worked for all other 2.3.x releases. Therefore 2.3.4 uses TLS 1.0 only again. To get the behaviour of 2.3.3 in OpenVPN 2.3.4 use tls-version-min 1.0.

The next major release OpenVPN 2.4 will probably default to TLS 1.0+.
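The failure the ticket describes is a version-range mismatch: a 2.3.4 client with no tls-version-min offers TLS 1.0 only, while a server with tls-version-min 1.2 accepts nothing below 1.2, so there is no common version and the server logs the SSL23_GET_CLIENT_HELLO error. The checker below is an added example written for this ticket, not OpenVPN project code; it models the default behaviour of 2.3.3 and 2.3.4 exactly as the comment above states it and assumes TLS 1.2 as the highest version either side can negotiate, and that a handshake succeeds whenever the client's offered range overlaps the server's accepted range. The configs it parses are constructed from the server lines quoted in the report.

```python
"""Compatibility checker for the tls-version-min mismatch in this ticket.

Added example, not OpenVPN project code. Assumptions not on the page: TLS 1.2
is the highest version either side can negotiate, and a handshake succeeds
exactly when the client's offered range overlaps the server's accepted range.
"""

# Versions the affected 2.3.x releases can negotiate (assumed ceiling of 1.2).
TLS_VERSIONS = ["1.0", "1.1", "1.2"]

# Default client behaviour when tls-version-min is absent, as the ticket
# comment describes it: 2.3.3 negotiated TLS 1.0+, 2.3.4 uses TLS 1.0 only.
DEFAULT_CLIENT_RANGE = {
    "2.3.3": ("1.0", "1.2"),
    "2.3.4": ("1.0", "1.0"),
}

# Constructed configs. The server lines are the ones quoted in the report.
SERVER_CONFIG = """
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""
CLIENT_DEFAULT = """
client
remote vpn.example.invalid 1194
# no tls-version-min: release default applies
"""
CLIENT_FIXED = CLIENT_DEFAULT + "tls-version-min 1.0\n"


def parse_tls_version_min(config_text):
    """Return the tls-version-min value from an OpenVPN config, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "tls-version-min":
            return parts[1]
    return None


def offered_versions(client_release, client_config):
    """TLS versions a client of the given OpenVPN release will offer."""
    minimum = parse_tls_version_min(client_config)
    if minimum is None:
        low, high = DEFAULT_CLIENT_RANGE[client_release]
    else:
        # An explicit tls-version-min means "this version and higher".
        low, high = minimum, TLS_VERSIONS[-1]
    return TLS_VERSIONS[TLS_VERSIONS.index(low):TLS_VERSIONS.index(high) + 1]


def accepted_versions(server_config):
    """TLS versions the server will accept (tls-version-min and higher)."""
    minimum = parse_tls_version_min(server_config) or TLS_VERSIONS[0]
    return TLS_VERSIONS[TLS_VERSIONS.index(minimum):]


def handshake_outcome(client_release, client_config, server_config):
    """Highest common TLS version, or None when the handshake cannot succeed."""
    common = [v for v in offered_versions(client_release, client_config)
              if v in accepted_versions(server_config)]
    return max(common, key=TLS_VERSIONS.index) if common else None


if __name__ == "__main__":
    for release, cfg, label in [("2.3.3", CLIENT_DEFAULT, "default"),
                                ("2.3.4", CLIENT_DEFAULT, "default"),
                                ("2.3.4", CLIENT_FIXED, "tls-version-min 1.0")]:
        result = handshake_outcome(release, cfg, SERVER_CONFIG)
        print(f"client {release} ({label}): "
              f"{'TLS ' + result if result else 'handshake fails'}")
```

Running it reproduces the report: the 2.3.3 client and the 2.3.4 client with tls-version-min 1.0 both negotiate TLS 1.2 against this server, while the unmodified 2.3.4 client has no version in common and fails.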
