Hi kp and everyone,

I have done some tests using a BUC 3.1 as an openvpn client (using the same configuration and the same certificates that I tried on BUC 4.3.3) and it connects correctly without any problem to our opensuse vpn concentrator.
So I think that the BUC 4.3.3 problem is not related to a misconfiguration.... :-(

bye
Graziano

On 25/01/2013 9.34, Graziano Brioschi wrote:
> Hi kp,
>
> many thanks for your suggestions
>
> I have found that on our OpenSuSE x64 openvpn concentrator we have two
> packages that have different versions compared to note [2]; here is the
> difference:
>
> openssl-0.9.8k-3.14.1.x86_64
> libopenssl0_9_8-0.9.8k-3.14.1.x86_64
>
> They seem to be more recent than the v. 3.5.3 that is quoted in [2], so I
> think that our system is patched correctly.
> Looking for these packages on the update repository
> http://download.opensuse.org/update/11.2/, I can see that they are the
> last distributed version.
>
> I have also checked our BUC 3.1 version that correctly connects to the
> vpn concentrator and I have found that the libssl package is version 0.9.7l.
>
> Now I will try to install a BUC 3.1 version so I will check the openvpn
> client configuration from our office
>
> Do you think that our problem is related to a wrong openvpn
> configuration on our BUC 4.3.3?
> I have checked it many times looking for a mistake, but I cannot find it :-(
>
> Thanks
> Graziano
>
> On 24/01/2013 18.38, KP Kirchdoerfer wrote:
>> Hi Graziano
>>
>> On 24.01.2013 10:42, Graziano Brioschi wrote:
>>> Hello list
>>>
>>> I have a problem using openvpn on a BUC 4.3.3 installed on a PC Engines
>>> ALIX (cpu geode); here are some messages from daemon.log when I try to
>>> establish my openvpn connection:
>>>
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: OpenVPN 2.2.2 i386-pc-linux-gnu [SSL] [EPOLL] [eurephia] built on Dec 28 2012
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: NOTE: the current --script-security setting may allow this configuration to call user-defined script
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Socket Buffers: R=[112640->131072] S=[112640->131072]
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6405]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link local: [undef]
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: UDPv4 link remote: 172.32.1.1:1194
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS: Initial packet from 172.32.1.1:1194, sid=da260a78 02a799a2
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS_ERROR: BIO read tls_read_plaintext error: error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad*
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS object -> incoming plaintext read error*
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: *TLS Error: TLS handshake failed*
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TCP/UDP: Closing socket
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: SIGUSR1[soft,tls-error] received, process restarting
>>> Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: Restart pause, 2 second(s)
>>>
>>>
>>> My openvpn server is an OpenSuSE 11.2 with openvpn 2.1.0 and openssl
>>> 0.9.8; the same machine is an openvpn server for many Windows clients and
>>> a BUC 3.1 client with no problems (it has been in production since early 2009)
>>>
>>> I have tried to search on google about the TLS BIO error and it seems to
>>> be an openssl bug: have a look here
>>> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=538456
>>> https://bugzilla.redhat.com/show_bug.cgi?id=537962
>> I read it as a security issue [1].
>>
>>> Does someone have some suggestions? Or must I install an old BUC version?
>>> Upgrading the OpenSUSE 11.2 vpn concentrator is not an option :-( !
>> Can you confirm that your OpenSuse 11.2 vpn concentrator has received
>> the security updates? [2]
>>
>> kp
>>
>>
>>
>> [1] from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
>> "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
>> used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
>> the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS
>> 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and
>> earlier, multiple Cisco products, and other products, does not properly
>> associate renegotiation handshakes with an existing connection, which
>> allows man-in-the-middle attackers to insert data into HTTPS sessions,
>> and possibly other types of sessions protected by TLS or SSL, by sending
>> an unauthenticated request that is processed retroactively by a server
>> in a post-renegotiation context, related to a "plaintext injection"
>> attack, aka the "Project Mogul" issue."
>>
>> [2]
>> http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
>>
>> ------------------------------------------------------------------------
>> leaf-user mailing list: leaf-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/leaf-user
>> Support Request -- http://leaf-project.org/

--
Graziano Brioschi
Outland s.a.s.
operational office: Via A. Don Rocca, 13 20030, Senago (MI)
tel: 02 9948 6014
mobile: 328 8382622
email: graziano.brios...@outland.it

--> U4E <--
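
The `error:14092073` code in the quoted daemon.log can be split into its library, function and reason fields to triage this kind of handshake failure. This is an added example, not part of the original messages; the function names are hypothetical and it assumes the 8/12/12-bit error packing used by OpenSSL 0.9.8 and 1.0.x.

```python
import re

# Constructed sample: three lines from the daemon.log excerpt quoted in this thread,
# with the mail client's line wraps and '*' emphasis markers removed. The reason
# text is cut off after "bad" in the thread and is left that way here.
SAMPLE_LOG = """\
Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS: Initial packet from 172.32.1.1:1194, sid=da260a78 02a799a2
Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS_ERROR: BIO read tls_read_plaintext error: error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad
Jan 24 09:41:01 fw-centraleadriatica ovpn-client[6406]: TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"ovpn-client\[(\d+)\]: (.*)$")
PEER_RE = re.compile(r"TLS: Initial packet from ([^,\s]+)")
# OpenSSL error-queue strings: "error:<8 hex digits>:<lib>:<func>:<reason>"
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_openssl_error(code):
    """Split a packed code as ERR_GET_LIB/FUNC/REASON do (assumed 8/12/12 bits)."""
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def find_tls_errors(log_text):
    """Return one dict per OpenSSL error line, tagged with the peer of that handshake."""
    peers = {}       # pid -> peer address seen in the most recent "Initial packet" line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        peer = PEER_RE.search(msg)
        if peer:
            peers[pid] = peer.group(1)
        err = ERR_RE.search(msg)
        if err:
            entry = unpack_openssl_error(int(err.group(1), 16))
            entry.update(peer=peers.get(pid), lib_name=err.group(2),
                         func_name=err.group(3), reason_text=err.group(4))
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in find_tls_errors(SAMPLE_LOG):
        print(finding)
```

Library 20 is OpenSSL's SSL library, so the failure is raised by the client's own libssl while it parses the ServerHello, before any certificate check.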