On 04/11/13 21:59, jack seth wrote:
> ----------------------------------------
>> Date: Mon, 4 Nov 2013 14:55:53 +0100
>> From: openvpn.l...@topphemmelig.net
>> To: bird_...@hotmail.com
>> Subject: Re: [Openvpn-users] Can't connect using tls-cipher 
>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
>>
>> On 04/11/13 04:17, jack seth wrote:
>>> I can't connect to my openvpn server using the option 'tls-cipher 
>>> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I made to 
>>> the server and client configs. They were working perfectly before this. 
>>> Here is the relevant log info
>>>
>>> Client log
>>> Sun Nov 03 21:00:26 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] 
>>> [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
>>> Enter Management Password:
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: TCP Socket listening on 
>>> [AF_INET]127.0.0.1:25340
>>> Sun Nov 03 21:00:26 2013 Need hold release from management interface, 
>>> waiting...
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: Client connected from 
>>> [AF_INET]127.0.0.1:25340
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'state on'
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'log all on'
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold off'
>>> Sun Nov 03 21:00:26 2013 MANAGEMENT: CMD 'hold release'
>>> Sun Nov 03 21:00:27 2013 Control Channel Authentication: using 'c:\Program 
>>> Files (x86)\OpenVPN\config\ta.key' as a OpenVPN static key file
>>> Sun Nov 03 21:00:27 2013 Outgoing Control Channel Authentication: Using 256 
>>> bit message hash 'SHA256' for HMAC authentication
>>> Sun Nov 03 21:00:27 2013 Incoming Control Channel Authentication: Using 256 
>>> bit message hash 'SHA256' for HMAC authentication
>>> Sun Nov 03 21:00:27 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,RESOLVE,,,
>>> Sun Nov 03 21:00:27 2013 UDPv4 link local: [undef]
>>> Sun Nov 03 21:00:27 2013 UDPv4 link remote: [AF_INET]**.**.**.232:1194
>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,WAIT,,,
>>> Sun Nov 03 21:00:27 2013 MANAGEMENT:>STATE:1383534027,AUTH,,,
>>> Sun Nov 03 21:00:27 2013 TLS: Initial packet from 
>>> [AF_INET]**.**.**.232:1194, sid=cc4ea058 9f0a9c59
>>> Sun Nov 03 21:00:57 2013 [UNDEF] Inactivity timeout (--ping-restart), 
>>> restarting
>>> Sun Nov 03 21:00:57 2013 SIGUSR1[soft,ping-restart] received, process 
>>> restarting
>>> Sun Nov 03 21:00:57 2013 
>>> MANAGEMENT:>STATE:1383534057,RECONNECTING,ping-restart,,
>>> Sun Nov 03 21:00:57 2013 Restart pause, 2 second(s)
>>> Sun Nov 03 21:00:58 2013 SIGTERM[hard,init_instance] received, process 
>>> exiting
>>> Sun Nov 03 21:00:58 2013 
>>> MANAGEMENT:>STATE:1383534058,EXITING,init_instance,,
>>>
>>> Server log
>>> Wed Dec 31 18:00:59 1969 OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
>>> (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 22 2013
>>> -
>>> -
>>> Sun Nov 3 20:59:29 2013 Initialization Sequence Completed
>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS: Initial packet from 
>>> [AF_INET]192.168.1.116:51126, sid=9edfecdb 4157f6ff
>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read 
>>> tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS object -> 
>>> incoming plaintext read error
>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS Error: TLS handshake failed
>>> Sun Nov 3 21:00:26 2013 192.168.1.116:51126 SIGUSR1[soft,tls-error] 
>>> received, client-instance restarting
>>>
>>>
>>> What does the TLS error mean?
>>
>> Seems the OpenSSL library on your server isn't compiled with error strings
>> enabled. But you can use 'openssl errstr' on another computer to figure 
>> this out.
>>
>> $ openssl errstr 1408A0C1
>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>>
>> So this sounds like there's a mismatch between your server and client config
>> in regards to cipher parameters.
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>
>
> Thanks for the response.  I'm confused by this because I am using the exact
> same line in the server config and the client config???

But does your OpenSSL library support the same ciphers on both sides?  Do 
--show-ciphers and --show-tls on both sides contain the ciphers you use in 
your config file?  OpenVPN gets this error from OpenSSL, so this is obviously 
a configuration issue.

And just to have that said, --show-ciphers lists what is possible to use with 
--cipher, while --show-tls lists what is possible to use with --tls-cipher. 
And you need to have a common value on both sides which OpenSSL on both sides 
supports.


-- 
kind regards,

David Sommerseth
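
The two checks suggested in this thread (decoding the packed OpenSSL error code when the server's library has no error strings, and confirming that both sides' --show-tls output share a suite) can be done offline from the logs and the two --show-tls listings. The script below is an added example, not part of the list discussion or of OpenVPN itself. It unpacks the 1.0.x-style error code layout (8-bit library, 12-bit function, 12-bit reason), with a name table that contains only the one code decoded by 'openssl errstr' above, and intersects two --show-tls listings. The two listings and the log excerpt are constructed sample data shaped like the real output; the function and variable names are this example's own.

```python
"""Decode a packed OpenSSL error code from an OpenVPN log and check whether two
`openvpn --show-tls` listings have a TLS cipher suite in common.

Added example for the thread above; names and sample data are constructed."""
import re

# Name tables derived from the `openssl errstr 1408A0C1` output quoted in the
# thread.  Any code not in these tables is shown numerically, the same way an
# OpenSSL built without error strings prints it (lib(20):func(138):reason(193)).
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {(20, 138): "SSL3_GET_CLIENT_HELLO"}
REASON_NAMES = {(20, 193): "no shared cipher"}

# Matches the hex code in "...error: error:1408A0C1:lib(20):..." log lines.
LOG_ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason).

    Layout: bits 31..24 library, bits 23..12 function, bits 11..0 reason."""
    code = int(code, 16) if isinstance(code, str) else code
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_openssl_error(code):
    """Render a code the way `openssl errstr` does for the names we know."""
    code = int(code, 16) if isinstance(code, str) else code
    lib, func, reason = unpack_openssl_error(code)
    return "error:%08X:%s:%s:%s" % (
        code,
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get((lib, func), "func(%d)" % func),
        REASON_NAMES.get((lib, reason), "reason(%d)" % reason),
    )


def error_codes_in_log(log_text):
    """Return the distinct packed error codes found in OpenVPN log text."""
    return sorted(set(int(m, 16) for m in LOG_ERROR_RE.findall(log_text)))


def parse_show_tls(output):
    """Keep only the suite names from `openvpn --show-tls` output: the listing
    starts with a short banner, then one TLS-... name per line."""
    return [ln.strip() for ln in output.splitlines() if ln.strip().startswith("TLS-")]


def common_tls_suites(server_output, client_output):
    """Suites both sides list, in the server's order of preference."""
    client = set(parse_show_tls(client_output))
    return [s for s in parse_show_tls(server_output) if s in client]


def suite_usable_on_both(suite, server_output, client_output):
    """True when --tls-cipher SUITE is a candidate on both ends."""
    return suite in common_tls_suites(server_output, client_output)


# Constructed sample data (not real output from the poster's hosts).
SAMPLE_SERVER_LOG = (
    "Sun Nov 3 21:00:26 2013 192.168.1.116:51126 TLS_ERROR: BIO read "
    "tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)\n"
)
SERVER_SHOW_TLS = """Available TLS Ciphers,
listed in order of preference:

TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
"""
CLIENT_SHOW_TLS = """Available TLS Ciphers,
listed in order of preference:

TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
"""

if __name__ == "__main__":
    for code in error_codes_in_log(SAMPLE_SERVER_LOG):
        print(describe_openssl_error(code))
    print("common suites:", common_tls_suites(SERVER_SHOW_TLS, CLIENT_SHOW_TLS))
    print("SRP suite usable on both:",
          suite_usable_on_both("TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA",
                               SERVER_SHOW_TLS, CLIENT_SHOW_TLS))
```

Feed it the real `openvpn --show-tls` output captured on each host and the server log, and set --tls-cipher to something in the common list. One caveat: a suite appearing in --show-tls only means the library knows the name, not that this process can negotiate it; a key exchange that needs extra material configured on the TLS context (the SRP suites need SRP credentials, which OpenVPN does not set up) will still end in "no shared cipher".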


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
