Took me a bit to find a setup where this made a difference, but with
CA / fingerprint validation errors on the client, I saw
tlsv1 alert unknown ca
on the server, and with a "tls-version-min/max" mismatch (server requiring
1.1, client capped to 1.0) I saw a proper error on the client
2024-06-01 22:18:57 Received fatal SSL alert: protocol version
2024-06-01 22:18:57 OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol
version:SSL alert number 70
2024-06-01 22:18:57 TLS_ERROR: BIO read tls_read_plaintext error
... while "without the patch" (older server) it would just sit there
and time out, never hearing anything back from the server. Haven't tried
variants more likely to occur in practice (especially "client cert expired")
but expect this to be a useful addition to troubleshooting.
An older client connecting to a patched server will receive the alerts
perfectly fine (as expected, no code changes in those paths), but obviously
won't send them *out* - even though visible in the client log.
2024-06-01 22:25:25 Sent fatal SSL alert: unknown CA
For completeness, sent through the server side treadmill (testing
with the full set of 2.2 to master clients), and also through GHA -
all works. Great :-)
Your patch has been applied to the master branch.
commit fbe3b49b373ea8e81aaa31a383258403a3bfcd07
Author: Arne Schwabe
Date: Mon Apr 8 14:49:33 2024 +0200
Allow the TLS session to send out TLS alerts
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28540.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
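An added example, not part of this mail or of the OpenVPN code: a small Python triage helper that picks the "Received/Sent fatal SSL alert" lines (and the alert number from the OpenSSL error line that follows) out of a client log and maps them to the likely misconfiguration; the cause strings are my own wording for the cases described above. A "Sent" line only means the local side raised the alert; as noted in the mail, an unpatched client logs it without actually delivering it to the peer.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Alert descriptions from RFC 5246 section 7.2.2 for numbers seen in OpenVPN logs.
TLS_ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
                   46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

# Troubleshooting hint per alert text as OpenVPN prints it (my own wording, not OpenVPN's).
LIKELY_CAUSE = {
    "unknown CA": "peer could not validate our certificate chain (CA / fingerprint check)",
    "protocol version": "tls-version-min / tls-version-max mismatch between the peers",
    "certificate expired": "our certificate is outside its validity period",
}

ALERT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                      r"(?P<dir>Received|Sent) fatal SSL alert: (?P<desc>.+?)\s*$")
NUMBER_RE = re.compile(r"SSL alert number (?P<num>\d+)")

@dataclass
class AlertEvent:
    timestamp: str
    direction: str          # "Received": the peer sent it; "Sent": we raised it locally
    description: str
    alert_number: Optional[int]
    likely_cause: str

def triage_alerts(log_lines: List[str]) -> List[AlertEvent]:
    """One AlertEvent per fatal-alert line; the numeric code comes from the following OpenSSL line."""
    events: List[AlertEvent] = []
    for line in log_lines:
        m = ALERT_RE.match(line)
        if m:
            desc = m.group("desc")
            cause = LIKELY_CAUSE.get(desc, "unclassified, check the OpenSSL error line")
            events.append(AlertEvent(m.group("ts"), m.group("dir"), desc, None, cause))
            continue
        n = NUMBER_RE.search(line)
        if n and events and events[-1].alert_number is None:
            events[-1].alert_number = int(n.group("num"))   # attach code to the preceding alert
    return events

# Constructed sample: the client-side lines quoted in the mail, OpenSSL line unwrapped.
SAMPLE_LOG = [
    "2024-06-01 22:18:57 Received fatal SSL alert: protocol version",
    "2024-06-01 22:18:57 OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70",
    "2024-06-01 22:18:57 TLS_ERROR: BIO read tls_read_plaintext error",
    "2024-06-01 22:25:25 Sent fatal SSL alert: unknown CA",
]
```

Running `triage_alerts(SAMPLE_LOG)` yields two events: the received protocol_version alert (code 70) tagged as a tls-version mismatch, and the locally raised unknown CA alert with no numeric code.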