Ciao Graziano

On 24.01.2013 10:42, Graziano Brioschi wrote:
> Hello list
> 
> I have a problem using openvpn on a BUC 4.3.3 installed on a PC Engines 
> ALIX (cpu geode); here are some messages from daemon.log when I try to 
> establish my openvpn connection:
> 
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: OpenVPN 2.2.2 
> i386-pc-linux-gnu [SSL] [EPOLL] [eurephia] built on Dec 28 2012
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: NOTE: the 
> current --script-security setting may allow this configuration to call 
> user-defined script
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Control Channel 
> MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Socket Buffers: 
> R=[112640->131072] S=[112640->131072]
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Data Channel MTU 
> parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link 
> local: [undef]
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link 
> remote: 172.32.1.1:1194
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS: Initial 
> packet from 172.32.1.1:1194, sid=da260a78 02a799a2
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS_ERROR: BIO 
> read tls_read_plaintext error: error:14092073:SSL 
> routines:SSL3_GET_SERVER_HELLO:bad*
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS 
> object -> incoming plaintext read error*
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS 
> handshake failed*
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TCP/UDP: Closing 
> socket
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: 
> SIGUSR1[soft,tls-error] received, process restarting
> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: Restart pause, 2 
> second(s)
> 
> 
> My openvpn server is an OpenSuSE 11.2 with openvpn 2.1.0 and openssl 
> 0.9.8; the same machine is an openvpn server for many Windows clients and 
> a BUC 3.1 client with no problems (it has been in production since early 2009)
> 
> I have tried to search on Google about the TLS BIO error and it seems to 
> be an openssl bug: have a look here
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=538456
> https://bugzilla.redhat.com/show_bug.cgi?id=537962

I read it as a security issue [1].

> Does someone have any suggestions? Or must I install an old BUC version?
> Upgrading the OpenSUSE 11.2 vpn concentrator is not an option :-( !

Can you confirm that your OpenSuse 11.2 vpn concentrator has received
the security updates? [2]

kp



[1] from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
"The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS
2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and
earlier, multiple Cisco products, and other products, does not properly
associate renegotiation handshakes with an existing connection, which
allows man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by sending
an unauthenticated request that is processed retroactively by a server
in a post-renegotiation context, related to a "plaintext injection"
attack, aka the "Project Mogul" issue."

[2]
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
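
For triage, the failed handshake in the quoted daemon.log can be extracted and its OpenSSL error code split into numeric fields. This is an added example, not part of the original thread: the function names are hypothetical, the sample lines are the log lines from the message above rejoined after mail wrapping, and the 8/12/12-bit packing is the one used by OpenSSL 0.9.8 through 1.x.

```python
import re

# OpenSSL 0.9.8 through 1.x pack an error code as lib (8 bits) | func (12) | reason (12).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
PEER_RE = re.compile(r"TLS: Initial packet from (\S+),")
PROC_RE = re.compile(r"ovpn-\S+\[(\d+)\]: (.*)")

def decode_err(hexcode):
    """Split a packed OpenSSL error code into its numeric fields."""
    code = int(hexcode, 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def handshake_failures(lines):
    """Return one record per 'TLS handshake failed', with the peer and last OpenSSL error."""
    state, out = {}, []          # state is kept per OpenVPN process id
    for line in lines:
        proc = PROC_RE.search(line)
        if not proc:
            continue
        # The asterisks are emphasis markers left over from the mail, not log content.
        pid, msg = proc.group(1), proc.group(2).strip("*")
        cur = state.setdefault(pid, {"peer": None, "err": None})
        peer, err = PEER_RE.search(msg), ERR_RE.search(msg)
        if peer:
            cur["peer"] = peer.group(1)
        if err:
            cur["err"] = dict(decode_err(err.group(1)), func_name=err.group(3), text=err.group(4))
        if "TLS handshake failed" in msg:
            out.append(dict(cur["err"] or {}, pid=pid, peer=cur["peer"]))
            state.pop(pid)       # start clean for the restart that follows
    return out

# Sample input: lines from the log quoted in this thread, rejoined (constructed).
PREFIX = "Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: "
SAMPLE = [PREFIX + m for m in (
    "UDPv4 link remote: 172.32.1.1:1194",
    "TLS: Initial packet from 172.32.1.1:1194, sid=da260a78 02a799a2",
    "*TLS_ERROR: BIO read tls_read_plaintext error: error:14092073:"
    "SSL routines:SSL3_GET_SERVER_HELLO:bad*",
    "*TLS Error: TLS object -> incoming plaintext read error*",
    "*TLS Error: TLS handshake failed*",
)]

if __name__ == "__main__":
    for rec in handshake_failures(SAMPLE):
        print(rec)
```

The numeric `func` and `reason` values can be looked up in the `ssl.h` of the OpenSSL build in use when the log text is cut off, as it is here.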
