Hi,
On 26/09/18 06:19, Arne Schwabe wrote:
> On 25.09.18 at 16:31, David Sommerseth wrote:
>> On 25/09/18 14:48, Arne Schwabe wrote:
>>> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
>>> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
>>> TLS 1.0 only without setting tls-version-min.
>>>
>>> We currently log only
>>> OpenSSL: error:14209102:SSL
>>> routines:tls_early_post_process_client_hello:unsupported protocol
>>> which indicates the right technical error but is not very helpful to a
>>> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
>>> history.
>>>
>>> This commit adds a hopefully helpful message and also tells users how
>>> to fix the old Debian 8 clients.
>>> ---
>>> src/openvpn/crypto_openssl.c | 10 +++++++++-
>>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
>>> index 9ec2048d..3360bb19 100644
>>> --- a/src/openvpn/crypto_openssl.c
>>> +++ b/src/openvpn/crypto_openssl.c
>>> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>>> "in common with the client. Your --tls-cipher setting
>>> might be "
>>> "too restrictive.");
>>> }
>>> -
>>> + else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
>>> + {
>>> + msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This
>>> typically "
>>> + "indicates that client and server have no common TLS
>>> version enabled. "
>>> + "This can be caused mismatched tls-version-min and
>>> tls-version-max options "
>>> + "on client and server. "
>>> + "If your client is 2.3.6 or older consider adding
>>> tls-version 1.1"
>>> + "to the the configuration to use TLS 1.1+ instead of TLS
>>> 1.0 only");
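Review bot: the string literals in the new `else if` branch do not concatenate into a readable message: `"... consider adding tls-version 1.1"` has no trailing space, so it runs straight into `"to the the configuration ..."` and the log reads `1.1to the the configuration` (missing space, doubled "the"), and `"This can be caused mismatched tls-version-min ..."` is missing "by". Suggest `"... consider adding tls-version-min 1.1 "` followed by `"to the client configuration ..."`: that names the real option (the commit message itself calls it tls-version-min, and there is no `tls-version` option) and makes clear which side has to change, since this message is logged on the server that rejected the client hello.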
>>
>>
>> Good advice in the log. But should this be added in the local or remote
>> configuration? It is the 2.3.6 reference which makes it confusing for me,
>> otherwise I would have interpreted this as the local side where this warning
>> occurs. So this could be clearer.
>
> 2.3.7 is the first version of OpenVPN which enables TLS 1.0+ instead of TLS
> 1.0 only by default. See this commit by Steffan:
>
> https://github.com/OpenVPN/openvpn/commit/8dc6ed28941cb9b9167e0b466e96b5f11359eb59

I think the problem is: we apply this patch to the latest 2.3.x release, so it will never appear on "2.3.6 or older" clients. Hence, does it really make sense to print that particular sentence?

Cheers,

-- 
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
