Hi Chris,

On 16/04/15 16:12, Chris Ross wrote:
>> On Apr 16, 2015, at 10:04, Chris Ross <cross+open...@distal.com> wrote:
>>> On Apr 16, 2015, at 09:51, Chris Ross <cross+open...@distal.com> wrote:
>>>> On Apr 16, 2015, at 03:01, Jan Just Keijser <janj...@nikhef.nl> wrote:
>>>> One thing you could try is to run the underlying openssl command on both 
>>>> client and server:
>>>> server:
>>>>   openssl s_server -msg -CAfile ca.crt -cert server.crt -key server.key
>>>> client:
>>>>   openssl s_client -connect <server-IP>:4433
>>>>
>>>> (adjust ca.crt and server.{crt,key} to your setup).
>>>> The server should print the list of shared ciphers.
>>   Interesting.  While googling around for openssl errors saying “no shared 
>> cipher”, rather than openvpn errors, I found someone suggesting a similar 
>> set of commands for debugging an application programming problem.  But, they 
>> used “-tls1” on each side.  When I retried your commands above adding 
>> “-tls1” to the client side, it established a connection successfully […]
>    A few more trials showed that adding “-tls1” to the s_client command 
> caused a successful connection, so did “-no_ssl2”.  I don’t understand the 
> full nature of the problem, but this sounds like something I should be able 
> to configure openvpn to enact.
>
>    And I’m not sure how much I care, but I might want better than RC4-MD5 
> anyway, right?
>
>
This is important info - openssl 0.9.9. is fairly old, but still 
supported by OpenVPN; however, it seems that the default cipher chosen 
by your openssl lib is an SSLv2 one. Can you try adding the flag
    tls-version-min 1
to the server config?

Alternatively, upgrade openssl to 1.0.1 on the server side. You can link 
openvpn against a custom version of OpenSSL so you won't have to upgrade 
the system library.

HTH,

JJK
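
An added example, not part of the original thread: a small Python check for the first bytes a client sends to the s_server test port, telling an SSLv2-format hello apart from a TLS record hello. It assumes the failing client is sending an SSLv2-format hello, as the reply above suspects; the function names and the sample byte strings are constructed for illustration.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on a raw SSL/TLS port."""
    result = {"format": "unknown", "offers": None, "v2_ciphers": []}
    if len(data) < 11:
        return result
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS record header (type 22, version, length), then handshake
        # type 1 (ClientHello); client_version sits at offset 9.
        (ver,) = struct.unpack_from("!H", data, 9)
        result.update(format="tls-record", offers=VERSIONS.get(ver, hex(ver)))
    elif data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 two-byte header (high bit set), then msg type 1 (CLIENT-HELLO),
        # version, cipher-spec length, session-id length, challenge length.
        ver, spec_len, _sid_len, _chal_len = struct.unpack_from("!HHHH", data, 3)
        specs = [data[i:i + 3] for i in range(11, 11 + spec_len, 3)]
        # A 3-byte spec with a non-zero first byte is an SSLv2-only cipher kind;
        # 00 xx yy is an SSLv3/TLS suite carried inside the v2 hello.
        v2 = [s.hex() for s in specs if len(s) == 3 and s[0] != 0]
        result.update(format="sslv2-hello", offers=VERSIONS.get(ver, hex(ver)),
                      v2_ciphers=v2)
    return result

def sample_v2_hello() -> bytes:
    # Constructed sample: v2-format hello offering up to TLSv1.0 with
    # SSLv2 RC4-MD5 (010080), TLS RC4-MD5 (000004) and AES128-SHA (00002f).
    specs = bytes.fromhex("01008000000400002f")
    body = struct.pack("!BHHHH", 1, 0x0301, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack("!H", 0x8000 | len(body)) + body

def sample_tls_hello() -> bytes:
    # Constructed sample: minimal TLSv1.0 ClientHello offering AES128-SHA only.
    hs_body = (struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
               + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    for name, blob in (("v2", sample_v2_hello()), ("tls", sample_tls_hello())):
        print(name, classify_hello(blob))
```

A result of `sslv2-hello` with a non-empty `v2_ciphers` list means the client still has SSLv2 enabled, which is the condition the `-no_ssl2` and `-tls1` trials above turned off.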


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
