Hi,

On 15/04/15 17:52, Chris Ross wrote:
> [...]
>   openvpn --show-tls
>
> as this is the control channel auth that is failing - that channel uses a
> different cipher method.
> Both of those outputs look “okay”, but I’m not sure what I should be
> looking for. I can attach the output of show-ciphers, show-tls on the client
> shows the following. The servers list is shorter, but notably long (50+).
> How can I tell if the client is requesting/using something specific?
>
The cipher list looks OK; I've just tried in my setup and it's definitely the TLS cipher, not the "cipher" option - that would lead to a different error message.

Something just popped up in my mind: what kind of certificates are you using? If you're using ECDSA-based certificates and use SHA256 signing then it would fail - the currently released version of OpenVPN does not support that. Try using "regular" RSA type certificates (there you can use SHA2 hashes). You can determine what's used in your certificate by posting/looking at

  openssl x509 -text -noout -in cert/distal-ca.crt
  openssl x509 -text -noout -in cert/distalvpn.crt

HTH,

JJK

> Available TLS Ciphers,
> listed in order of preference:
>
> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
> TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
> SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> TLS-DHE-DSS-WITH-AES-256-CBC-SHA
> TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
> TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
> TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
> TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
> TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
> TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
> TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
> TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
> TLS-RSA-WITH-AES-256-GCM-SHA384
> TLS-RSA-WITH-AES-256-CBC-SHA256
> TLS-RSA-WITH-AES-256-CBC-SHA
> TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
> TLS-PSK-WITH-AES-256-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
> TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
> TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
> SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
> TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA
> TLS-DHE-DSS-WITH-AES-128-CBC-SHA
> TLS-DHE-RSA-WITH-SEED-CBC-SHA
> TLS-DHE-DSS-WITH-SEED-CBC-SHA
> TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
> TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
> TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
> TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
> TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
> TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
> TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
> TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
> TLS-RSA-WITH-AES-128-GCM-SHA256
> TLS-RSA-WITH-AES-128-CBC-SHA256
> TLS-RSA-WITH-AES-128-CBC-SHA
> TLS-RSA-WITH-SEED-CBC-SHA
> TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
> IDEA-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> TLS-PSK-WITH-AES-128-CBC-SHA
> TLS-ECDHE-RSA-WITH-RC4-128-SHA
> TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
> TLS-ECDH-RSA-WITH-RC4-128-SHA
> TLS-ECDH-ECDSA-WITH-RC4-128-SHA
> TLS-RSA-WITH-RC4-128-SHA
> TLS-RSA-WITH-RC4-128-MD5
> TLS-PSK-WITH-RC4-128-SHA
> TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
> TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
> TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
> SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
> TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
> TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
> TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
> TLS-RSA-WITH-3DES-EDE-CBC-SHA
> TLS-PSK-WITH-3DES-EDE-CBC-SHA
> TLS-DHE-RSA-WITH-DES-CBC-SHA
> TLS-DHE-DSS-WITH-DES-CBC-SHA
> TLS-RSA-WITH-DES-CBC-SHA
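
The certificate check suggested in the reply above, as an added example that is not part of the original message: a shell helper that pulls the public key and signature algorithms out of the `openssl x509 -text -noout` dump and labels the certificate as RSA or ECDSA. The function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report which key and signature
# algorithms a certificate uses, from `openssl x509 -text -noout` output on stdin.
classify_cert_text() {
    awk '
        /Signature Algorithm:/  && sig == "" { sig = $NF }
        /Public Key Algorithm:/ && key == "" { key = $NF }
        END {
            if (sig == "" || key == "") {
                print "error: no x509 text fields found" > "/dev/stderr"
                exit 2
            }
            type = "other"
            if (key == "id-ecPublicKey" || sig ~ /^ecdsa-with-/) type = "ecdsa"
            else if (key == "rsaEncryption" && sig ~ /WithRSAEncryption$/) type = "rsa"
            printf "key=%s sig=%s type=%s\n", key, sig, type
        }'
}

# Same openssl invocation as in the reply, piped through the classifier.
check_cert_file() {
    openssl x509 -text -noout -in "$1" | classify_cert_text
}

# Constructed excerpts of x509 text dumps (sample data, not real certificates).
sample_ecdsa() { cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
    Signature Algorithm: ecdsa-with-SHA256
EOF
}
sample_rsa() { cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Check every certificate file given on the command line (none: do nothing).
for f in "$@"; do printf '%s: ' "$f"; check_cert_file "$f"; done
```

Pass the CA and server certificate paths as arguments; a `type=ecdsa` line marks the ECDSA case the reply describes, and `type=rsa` the "regular" RSA certificate it recommends.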