On Apr 15, 2015 9:11 PM, "Jan Just Keijser" <janj...@nikhef.nl> wrote:

> Hi,
>
> On 15/04/15 17:52, Chris Ross wrote:
> > [...]
> >   openvpn --show-tls
> >
> > as this is the control channel auth that is failing - that channel uses
> > a different cipher method.
> >   Both of those outputs look “okay”, but I’m not sure what I should be
> > looking for.  I can attach the output of show-ciphers, show-tls on the
> > client shows the following.  The server's list is shorter, but notably long
> > (50+).  How can I tell if the client is requesting/using something specific?
> >
> >
>
> the cipher list looks OK; I've just tried in my setup and it's
> definitely the TLS cipher, not the "cipher" option - that would lead to
> a different error message.
>
> something just popped up in my mind: what kind of certificates are you
> using? if you're using ECDSA based certificates and use SHA256 signing
> then it would fail - the currently released version of OpenVPN does not
> support that. Try using "regular" RSA type certificates (there you can
> use SHA2 hashes).
>
> You can determine what's used in your certificate by posting/looking at
>    openssl x509 -text -noout -in cert/distal-ca.crt
>    openssl x509 -text -noout -in cert/distalvpn.crt
>
> HTH,
>
> JJK
>
> >
> > Available TLS Ciphers,
> > listed in order of preference:
> >
> > TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> > TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
> > TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
> > TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
> > TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
> > TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
> > TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
> > TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
> > SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> > TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
> > TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> > TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> > TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
> > TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> > TLS-DHE-DSS-WITH-AES-256-CBC-SHA
> > TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
> > TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
> > TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
> > TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
> > TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
> > TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
> > TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
> > TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
> > TLS-RSA-WITH-AES-256-GCM-SHA384
> > TLS-RSA-WITH-AES-256-CBC-SHA256
> > TLS-RSA-WITH-AES-256-CBC-SHA
> > TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
> > TLS-PSK-WITH-AES-256-CBC-SHA
> > TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
> > TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
> > TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
> > TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
> > TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
> > TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
> > TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
> > TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
> > SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> > TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
> > TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
> > TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
> > TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
> > TLS-DHE-RSA-WITH-AES-128-CBC-SHA
> > TLS-DHE-DSS-WITH-AES-128-CBC-SHA
> > TLS-DHE-RSA-WITH-SEED-CBC-SHA
> > TLS-DHE-DSS-WITH-SEED-CBC-SHA
> > TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
> > TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
> > TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
> > TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
> > TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
> > TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
> > TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
> > TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
> > TLS-RSA-WITH-AES-128-GCM-SHA256
> > TLS-RSA-WITH-AES-128-CBC-SHA256
> > TLS-RSA-WITH-AES-128-CBC-SHA
> > TLS-RSA-WITH-SEED-CBC-SHA
> > TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
> > IDEA-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> > TLS-PSK-WITH-AES-128-CBC-SHA
> > TLS-ECDHE-RSA-WITH-RC4-128-SHA
> > TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
> > TLS-ECDH-RSA-WITH-RC4-128-SHA
> > TLS-ECDH-ECDSA-WITH-RC4-128-SHA
> > TLS-RSA-WITH-RC4-128-SHA
> > TLS-RSA-WITH-RC4-128-MD5
> > TLS-PSK-WITH-RC4-128-SHA
> > TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
> > TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
> > TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
> > TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
> > SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
> > TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
> > TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
> > TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
> > TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
> > TLS-RSA-WITH-3DES-EDE-CBC-SHA
> > TLS-PSK-WITH-3DES-EDE-CBC-SHA
> > TLS-DHE-RSA-WITH-DES-CBC-SHA
> > TLS-DHE-DSS-WITH-DES-CBC-SHA
> > TLS-RSA-WITH-DES-CBC-SHA
> >
> >
> >
>
>
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live
> exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
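
The certificate check suggested in the reply above, as an added example that is not part of the original thread: it reads the text printed by `openssl x509 -text -noout` and reports the key type and signature algorithm, flagging the ECDSA case the reply describes. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate from `openssl x509 -text -noout` output.

# Reads the text dump on stdin; prints "<key-type> <signature-algorithm>".
cert_summary() {
    awk '
        /Signature Algorithm:/ && sig == "" { sig = $NF }   # first occurrence
        /Public Key Algorithm:/             { alg = $NF }
        END {
            if (alg == "id-ecPublicKey")     key = "EC"
            else if (alg == "rsaEncryption") key = "RSA"
            else if (alg == "")              key = "UNKNOWN"
            else                             key = alg
            if (sig == "") sig = "UNKNOWN"
            print key, sig
        }'
}

# Returns 0 for an RSA certificate, 1 for an EC/ECDSA one (the case the
# reply says fails), 2 for any other key type or unparseable input.
check_cert() {
    summary=$(cert_summary)
    case "$summary" in
        RSA\ *) echo "ok: $summary";    return 0 ;;
        EC\ *)  echo "ecdsa: $summary"; return 1 ;;
        *)      echo "other: $summary"; return 2 ;;
    esac
}

# Constructed, abbreviated samples of the openssl text output.
SAMPLE_EC='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
    Signature Algorithm: ecdsa-with-SHA256'
SAMPLE_RSA='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_EC"  | check_cert || true
printf '%s\n' "$SAMPLE_RSA" | check_cert || true
# Real use, with the paths from the thread:
#   openssl x509 -text -noout -in cert/distalvpn.crt | check_cert
```

Run it against both the CA and the server certificate, since either one can be the ECDSA-signed link in the chain.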