On 22-Apr-14 05:26, openvpn-users-requ...@lists.sourceforge.net wrote:
Message: 7
Date: Tue, 22 Apr 2014 09:54:48 +0100
From: George Ross<g...@inf.ed.ac.uk>
Subject: [Openvpn-users] "TLS_ERROR: BIO read tls_read_plaintext error ..."
To: openvpn-users@lists.sourceforge.net
Message-ID: <201404220854.s3m8smpn008...@eden.inf.ed.ac.uk>
Content-Type: text/plain; charset="us-ascii"

Wondering if anyone has any suggestions here.

Trying 2.3.3 on client and server, my tunnel fails to come up. Here's what's logged on the client end:

2014-04-22T07:14:14.304625+01:00 eden openvpn.TLS[8239]: Control Channel Authentication: using '/etc/openvpn/tls.auth' as a free-form passphrase file
2014-04-22T07:14:14.305757+01:00 eden openvpn.TLS[8239]: UDPv4 link local (bound): [undef]
2014-04-22T07:14:14.305788+01:00 eden openvpn.TLS[8239]: UDPv4 link remote: [AF_INET]XX.XX.XX.XX:YYY
2014-04-22T07:14:15.199389+01:00 eden openvpn.TLS[8239]: TLS_ERROR: BIO read tls_read_plaintext error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib
2014-04-22T07:14:15.199439+01:00 eden openvpn.TLS[8239]: TLS Error: TLS object -> incoming plaintext read error
2014-04-22T07:14:15.199452+01:00 eden openvpn.TLS[8239]: TLS Error: TLS handshake failed
2014-04-22T07:14:15.200225+01:00 eden openvpn.TLS[8239]: SIGUSR1[soft,tls-error] received, process restarting

(repeated until I kill the daemon). The server end just logs "TLS Error: TLS handshake failed".

The same 2.3.3 client connects fine to a 2.3.2 server running basically the same configuration. I haven't had a chance to test a 2.3.2 client against that 2.3.3 server yet.

Linux kernel 2.6.32-431.5.1.el6.x86_64 at both ends, in case it matters.

Suggestions welcome!
--
George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: g...@inf.ed.ac.uk   Voice: 0131 650 5147   Fax: 0131 650 6899
PGP: 1024D/AD758CC5  B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

This looks superficially like the problem that I reported in https://community.openvpn.net/openvpn/ticket/385#comment:5

If you are able to rebuild from source, comment 5 has a 4 line patch that works for me. It's not hard - the usual fetch source, expand, (patch), ./configure, make, make install. You need openssl-devel, lzo-devel & pam-devel. Instructions here: http://openvpn.net/index.php/open-source/documentation/howto.html

It would be interesting to know:

Does it work for you?
Are you running a pre-built (RPM, etc) version of the server - if so, which one?
What Linux distribution are you running?
What version of OpenSSL are you running? (The distributions have addressed the Heartbleed issue differently - some have applied a local patch, others a full upgrade to the latest OpenSSL.) Or are you using PolarSSL?

Root cause is not understood - my patch is more along the lines of a work-around than a fix. At the moment, the development team is blaming my issue on ARM - if you have the same issue, it would be the first report on x86-64.

I'm not part of the development team.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

This communication may not represent my employer's views, if any, on the matters discussed.
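
For reference, an added example that is not part of either message or of OpenVPN/OpenSSL code: the client log's "RSA_sign:digest too big for rsa key" is the error OpenSSL raises when the PKCS#1 v1.5 encoded digest does not fit in the RSA modulus minus 11 bytes of padding. The sketch below evaluates that general precondition for a given key size and digest; the function names are hypothetical, and the thread does not establish that key size is the cause here (the root cause is stated as not understood).

```python
# Added example: the size precondition behind OpenSSL's
# "digest too big for rsa key" error (RSA_sign, PKCS#1 v1.5 padding).

# (DER DigestInfo header length, hash output length) in bytes, per RFC 8017.
DIGESTS = {
    "md5":    (18, 16),
    "sha1":   (15, 20),
    "sha224": (19, 28),
    "sha256": (19, 32),
    "sha384": (19, 48),
    "sha512": (19, 64),
    # TLS 1.0/1.1 RSA CertificateVerify signs the raw 36-byte
    # MD5 || SHA-1 concatenation, with no DigestInfo header.
    "md5-sha1": (0, 36),
}

# PKCS#1 v1.5 type 1 padding: 0x00 0x01, at least eight 0xFF bytes, 0x00.
PKCS1_PADDING_OVERHEAD = 11


def encoded_digest_len(digest):
    """Bytes that must fit inside the padded block for this digest."""
    header, hash_len = DIGESTS[digest]
    return header + hash_len


def can_sign(key_bits, digest):
    """True if a key of key_bits can hold the encoded digest plus padding."""
    key_bytes = (key_bits + 7) // 8
    return encoded_digest_len(digest) <= key_bytes - PKCS1_PADDING_OVERHEAD


def min_key_bits(digest):
    """Smallest modulus size (in bits, whole bytes) that can sign digest."""
    return (encoded_digest_len(digest) + PKCS1_PADDING_OVERHEAD) * 8


def failing_digests(key_bits):
    """Digests that would trigger the error for this key size."""
    return [d for d in DIGESTS if not can_sign(key_bits, d)]


if __name__ == "__main__":
    # Constructed sample key sizes, not values taken from the thread.
    for bits in (512, 768, 1024, 2048):
        print(f"{bits}-bit key cannot sign: {failing_digests(bits) or 'none'}")
```

To compare against a real client key, read its modulus size with `openssl rsa -in client.key -noout -text` (the file name is a placeholder) and pass that number to `failing_digests`.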