id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
887,"Cipher mismatch on reconnect after ""TLS: soft reset""",sbehrens,,"After a ""TLS: soft reset"" on the next reconnect the PUSH_REPLY does not include the ""cipher AES-256-GCM"" which would switch the client away from the default BF-CBC to AES-256-GCM. Client and server use mismatching ciphers afterwards.

Configuring ""reneg-sec 180"" on the server helps to reproduce this issue quickly.

When tls_session_generate_data_channel_keys() is called via tls_session_update_crypto_params() the client and server both use the same cipher AES-256-GCM, but sometimes key_method_2_write() or key_method_2_read() seem to be the ones that call tls_session_generate_data_channel_keys() and then the server uses AES-256-GCM but the client uses BF-CBC.

Example for when client + server both establish AES-256-GCM:
{{{
TLS: Username/Password authentication succeeded for username 'foo' [CN SET]
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
PUSH: Received control message: 'PUSH_REQUEST'
SENT CONTROL [foo]: 'PUSH_REPLY,ping 45,route 3.2.1.69,route 3.2.1.72,route 3.2.1.44,route 10.144.0.1,topology net30,ifconfig 10.144.0.6 10.144.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Data Channel MTU parms [ L:1333 D:1333 EF:-167 EB:406 ET:0 EL:3 ]
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
}}}

Example for when client uses BF-CBC but server uses AES-256-GCM:
{{{
TLS: soft reset sec=0 bytes=23248/-1 pkts=237/0
TLS: Username/Password authentication succeeded for username 'foo' [CN SET]
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
SENT CONTROL [foo]: 'PUSH_REPLY,ping 45,route 3.2.1.69,route 3.2.1.72,route 3.2.1.44,route 10.144.0.1,topology net30,ifconfig 10.144.0.6 10.144.0.5,peer-id 0' (status=1)
AEAD Decrypt error: cipher final failed
}}}

The server config is available in ticket:879#comment:2",Bug / Defect,closed,major,,Generic / unclassified,OpenVPN 2.4.1 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,cipher NCP reconnect PUSH_REPLY soft reset,Steffan Karger
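The two server-log excerpts in the ticket differ in one ordering detail: in the broken renegotiation the server prints "Data Channel Encrypt/Decrypt: Cipher 'AES-256-GCM' initialized" before it answers the PUSH_REQUEST, refuses NCP because keys already exist, and sends a PUSH_REPLY with no `cipher` option, after which the client (still on BF-CBC) produces "AEAD Decrypt error" on the server. The script below is an added example, not part of the ticket or of OpenVPN's code base: it scans a server log for handshakes with that ordering and reports the server-side cipher, the cipher the PUSH_REPLY carried (if any), whether the handshake followed a soft reset, and how many decrypt errors followed. The sample input is the ticket's own two excerpts, embedded verbatim; the line patterns match OpenVPN 2.4 server output as quoted there, and the split of a log into handshakes on each "TLS: soft reset" line is an assumption of this example.

```python
"""Added example (not from the ticket or OpenVPN): flag handshakes where the
server fixed its data channel cipher before sending PUSH_REPLY, so the reply
carries no 'cipher ...' option and the client stays on its default cipher."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Text the server logs when it refuses NCP because keys already exist (quoted in the ticket).
NCP_IGNORED = ("client wants to negotiate cipher (NCP), "
               "but server has already generated data channel keys")

SOFT_RESET_RE = re.compile(r"TLS: soft reset")
DATA_CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<cipher>[^']+)' initialized")
PUSH_REPLY_RE = re.compile(r"SENT CONTROL \[(?P<cn>[^\]]*)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")
DECRYPT_ERR_RE = re.compile(r"Decrypt error")


@dataclass
class Finding:
    client: str                   # CN from the SENT CONTROL line
    server_cipher: str            # cipher the server initialized before replying
    pushed_cipher: Optional[str]  # 'cipher' option in the PUSH_REPLY, None if absent
    after_soft_reset: bool        # handshake segment started with "TLS: soft reset"
    ncp_ignored: bool             # server logged the NCP_IGNORED message
    decrypt_errors: int           # data channel decrypt failures seen afterwards


def pushed_cipher(opts: str) -> Optional[str]:
    """Return the value of a 'cipher <name>' option in a PUSH_REPLY option list, if any."""
    for opt in opts.split(","):
        parts = opt.split()
        if len(parts) == 2 and parts[0] == "cipher":
            return parts[1]
    return None


def check_handshake(lines: List[str]) -> Optional[Finding]:
    """Inspect one handshake in log order. A Finding is returned when the server
    initialized its data channel cipher before the PUSH_REPLY went out and the
    reply did not push that same cipher; otherwise None."""
    soft_reset = ncp_ignored = False
    server_cipher: Optional[str] = None
    finding: Optional[Finding] = None
    for line in lines:
        if SOFT_RESET_RE.search(line):
            soft_reset = True
        elif NCP_IGNORED in line:
            ncp_ignored = True
        elif (m := DATA_CIPHER_RE.search(line)):
            server_cipher = m.group("cipher")
        elif (m := PUSH_REPLY_RE.search(line)) and finding is None:
            pushed = pushed_cipher(m.group("opts"))
            # Keys already generated and no matching cipher pushed: the client keeps its default.
            if server_cipher is not None and pushed != server_cipher:
                finding = Finding(m.group("cn"), server_cipher, pushed, soft_reset, ncp_ignored, 0)
        elif finding is not None and DECRYPT_ERR_RE.search(line):
            finding.decrypt_errors += 1
    return finding


def split_handshakes(lines: List[str]) -> List[List[str]]:
    """Assumed segmentation: everything before the first soft reset is the initial
    handshake; each "TLS: soft reset" line starts a new renegotiation segment."""
    segments: List[List[str]] = [[]]
    for line in lines:
        if SOFT_RESET_RE.search(line) and segments[-1]:
            segments.append([])
        segments[-1].append(line)
    return [s for s in segments if s]


def analyze(lines: List[str]) -> List[Finding]:
    """One Finding per handshake that leaves client and server on different ciphers."""
    return [f for seg in split_handshakes(lines) if (f := check_handshake(seg)) is not None]


# Constructed sample input: the ticket's two server-log excerpts, copied verbatim.
GOOD_HANDSHAKE = """\
TLS: Username/Password authentication succeeded for username 'foo' [CN SET]
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
PUSH: Received control message: 'PUSH_REQUEST'
SENT CONTROL [foo]: 'PUSH_REPLY,ping 45,route 3.2.1.69,route 3.2.1.72,route 3.2.1.44,route 10.144.0.1,topology net30,ifconfig 10.144.0.6 10.144.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Data Channel MTU parms [ L:1333 D:1333 EF:-167 EB:406 ET:0 EL:3 ]
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
BAD_RENEGOTIATION = """\
TLS: soft reset sec=0 bytes=23248/-1 pkts=237/0
TLS: Username/Password authentication succeeded for username 'foo' [CN SET]
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
SENT CONTROL [foo]: 'PUSH_REPLY,ping 45,route 3.2.1.69,route 3.2.1.72,route 3.2.1.44,route 10.144.0.1,topology net30,ifconfig 10.144.0.6 10.144.0.5,peer-id 0' (status=1)
AEAD Decrypt error: cipher final failed
"""

if __name__ == "__main__":
    for f in analyze((GOOD_HANDSHAKE + BAD_RENEGOTIATION).splitlines()):
        print(f)
```

Run against a real server log (the regexes use search, so timestamp and "cn/ip:port" prefixes on each line do not matter), the script reports only the renegotiation segment; the initial handshake passes because its PUSH_REPLY precedes the data channel initialization and pushes AES-256-GCM. A non-empty `decrypt_errors` count on a reported segment is the confirmation the ticket describes: the client is encrypting with BF-CBC while the server decrypts with AES-256-GCM.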