Your message dated Thu, 7 Mar 2019 22:35:38 +0100
with message-id <[email protected]>
and subject line Re: Bug#923972: openvpn: OpenVPN 2.4.7 incompatible with
OpenSSL 1.1.1a due to TLS 1.3
has caused the Debian Bug report #923972,
regarding openvpn: OpenVPN 2.4.7 incompatible with OpenSSL 1.1.1a due to TLS 1.3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
923972: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923972
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.4.7-1
Severity: normal
Dear Maintainer,
The version of OpenVPN in Debian buster (2.4.7) seems to be incompatible
with the version of OpenSSL (1.1.1a) in Debian buster. This seems to be
due to TLS 1.3 support in OpenSSL 1.1.1, which OpenVPN 2.4.7 does not
support.
This was also reported on the debian-user mailing list [1].
Using this combination will result in the following errors:
Mon Sep 3 11:19:34 2018 us=634070 TLS_ERROR: BIO read tls_read_plaintext error
Mon Sep 3 11:19:34 2018 us=634074 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 3 11:19:34 2018 us=634079 TLS Error: TLS handshake failed
and the connection will be closed.
A workaround is to add "tls-version-max 1.2" to the OpenVPN config file.
I do *believe* that this is a client side issue, but it could be a
misconfiguration on the server side. Regardless, the error message is
pretty vague, and it took me a while to figure out what was going on.
[1] https://lists.debian.org/debian-user/2018/09/msg00044.html
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.70
ii iproute2 4.20.0-2
ii libc6 2.28-7
ii liblz4-1 1.8.3-1
ii liblzo2-2 2.10-0.1
ii libpam0g 1.3.1-5
ii libpkcs11-helper1 1.25.1-1
ii libssl1.1 1.1.1a-1
ii libsystemd0 241-1
ii lsb-base 10.2018112800
Versions of packages openvpn recommends:
ii easy-rsa 3.0.6-1
Versions of packages openvpn suggests:
ii openssl 1.1.1a-1
pn openvpn-systemd-resolved <none>
pn resolvconf <none>
-- debconf information excluded
--- End Message ---
--- Begin Message ---
On 07.03.19 at 22:22, Matt Horan wrote:
Dear Matt,
> The connection is indeed being made with TLS 1.3, and it works just
> fine. There seems to be a problem with the tool I use to connect, and
> when executing it a different way (the way I thought was injecting the
> tls-max-version), all works fine.
>
> I'm working with the author of the tool to figure out what's going on
> there, but I do believe the Debian packages are just fine.
Thanks for the feedback, closing the bug.
Bernhard
--- End Message ---