Opened 5 years ago

Closed 5 years ago

#401 closed Bug / Defect (wontfix)

OpenVPN 2.3.4 client fails when server uses tls-version-minimum 1.2 when 2.3.3 works fine

Reported by: truckingjobs Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: tls
Cc:

Description

A 2.3.4 OpenVPN client fails to connect to a server configured with tls-version-min 1.2. A 2.3.3 client connects fine.

Server is configured with:

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Server log:

TLS: new session incoming connection from [AF_INET]
TLS_ERROR: BIO read tls_read_plaintext error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Change History (1)

comment:1 Changed 5 years ago by plaisthos

Resolution: wontfix
Status: newclosed

The TLS 1.0+ behaviour in 2.3.3 caused some configurations to no longer work that for all other 2.3.x releases. Therefore 2.3.4 uses TLS 1.0 only again. To get the behaviour of 2.3.3 in OpenVPN 2.3.4 use tls-version-min 1.0.

The next major release OpenVPN 2.4 will probably default to TLS 1.0+

Note: See TracTickets for help on using tickets.