Control: tags -1 moreinfo

On 07.03.19 at 19:46, Matthew Horan wrote:

Hi Matthew,

> The version of OpenVPN in Debian buster (2.4.7) seems to be incompatible
> with the version of OpenSSL (1.1.1a) in Debian buster. This seems to be
> due to TLS 1.3 support in OpenSSL 1.1.1, which OpenVPN 2.4.7 does not
> support.
> 
> This was also reported on the debian-user mailing list [1].
> 
> Using this combination will result in the following errors:
> 
> Mon Sep  3 11:19:34 2018 us=634070 TLS_ERROR: BIO read tls_read_plaintext error
> Mon Sep  3 11:19:34 2018 us=634074 TLS Error: TLS object -> incoming plaintext read error
> Mon Sep  3 11:19:34 2018 us=634079 TLS Error: TLS handshake failed
> 
> and the connection will be closed.

Thanks for your report.

I cannot really reproduce this. OpenVPN 2.4.7 in testing successfully
connects (in tls-client mode) to an OpenVPN 2.4.0 on Stretch.

Thu Mar  7 21:28:49 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Could it be possible that your server is quite old?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912650 suggests there
might be an issue connecting to an OpenVPN version that only does
TLSv1.0 by default.

> A workaround is to add "tls-version-max 1.2" to the OpenVPN config file.

If you use that workaround, what TLS version is negotiated?

Best Regards,
Bernhard
