Any chance we could backport support for TLS v1.1+ to Trusty LTS?

** Description changed:

  Hi Guys,
  
  Seems the version of OpenVPN we're carrying only supports and/or is able
  to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN
  2.3.3 and replaces TLSv1_server_method() calls with
+ SSLv23_server_method() and TLSv1_client_method() with
  SSLv23_client_method().
  
  
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
  
  For example, when OpenVPN tls-ciphers is configured with TLS v1.2
  ciphers:
  
  | tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  
  Logs show negotiating at TLS v1.0:
  
  | Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
  
  When only TLS v1.1 and/or v1.2 ciphers are specified, sessions fail:
  
  | Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
  | Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
  | Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
  | Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f
  
  Could we please consider either packaging >= 2.3.3 or backporting this
  patch?
  
  Thanks,
  
  Haw
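The failure mode in the report above (a peer fixed at TLSv1_client_method() finding "no ciphers available" once the tls-cipher list contains only TLS 1.2 suites) can be checked offline before touching a server. The script below is an added example written for this thread, not code from the bug report, from OpenVPN or from OpenSSL: it parses an OpenVPN tls-cipher value, assigns each suite the lowest TLS version that can carry it (AEAD modes and SHA-2 MACs only exist from TLS 1.2; the classic CBC/HMAC-SHA1 suites go back to TLS 1.0), and reports which suites a peer capped at a given version could still negotiate. The IANA-to-OpenSSL name mapping is a small heuristic that covers the common AES suites, and the sample tls-cipher value is the one quoted in the report.

```python
"""Audit an OpenVPN tls-cipher list against the highest TLS version a peer can speak.

Added example for the Launchpad thread; not OpenVPN or OpenSSL code. The
version rules encode standard cipher-suite facts; the name mapping is a
heuristic covering the usual AES suites.
"""
from typing import Dict, List

# Protocol versions as comparable tuples (hypothetical helper table).
TLS_VERSIONS = {"TLSv1": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2)}

# Constructed sample: the exact tls-cipher value quoted in the bug report.
BUG_REPORT_TLS_CIPHER = (
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:"
    "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:"
    "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:"
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
)

# Constructed sample: a list with nothing older than TLS 1.2.
GCM_ONLY_TLS_CIPHER = (
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:"
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"
)


def min_version_for(suite: str) -> str:
    """Lowest TLS version able to carry an IANA-style suite name.

    AEAD suites (GCM, CCM, CHACHA20-POLY1305) and suites whose MAC is
    SHA-256/SHA-384 were introduced with TLS 1.2. CBC suites ending in
    "-SHA" (HMAC-SHA1) are negotiable from TLS 1.0 onwards.
    """
    name = suite.upper()
    if any(tag in name for tag in ("-GCM-", "-CCM", "CHACHA20-POLY1305")):
        return "TLSv1.2"
    if name.endswith(("-SHA256", "-SHA384")):
        return "TLSv1.2"
    return "TLSv1"


def to_openssl_name(suite: str) -> str:
    """Map an IANA-style name accepted by OpenVPN to OpenSSL's short form.

    Heuristic for the common AES suites, e.g.
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA -> DHE-RSA-AES128-SHA (the name that
    appears in the "Control Channel:" log line).
    """
    name = suite[4:] if suite.startswith("TLS-") else suite
    name = name.replace("WITH-", "").replace("CBC-", "")
    return name.replace("AES-128", "AES128").replace("AES-256", "AES256")


def parse_tls_cipher(config_value: str) -> List[str]:
    """Split a colon-separated tls-cipher value into suite names."""
    return [s.strip() for s in config_value.split(":") if s.strip()]


def usable_suites(config_value: str, peer_max_version: str) -> List[str]:
    """Suites from the config that a peer capped at peer_max_version can use."""
    cap = TLS_VERSIONS[peer_max_version]
    return [s for s in parse_tls_cipher(config_value)
            if TLS_VERSIONS[min_version_for(s)] <= cap]


def predict_handshake(config_value: str, peer_max_version: str) -> Dict[str, object]:
    """Summarise whether a handshake can succeed and which suites remain.

    An empty candidate list corresponds to OpenSSL's
    "SSL3_CLIENT_HELLO:no ciphers available" error in the report.
    """
    usable = usable_suites(config_value, peer_max_version)
    return {
        "ok": bool(usable),
        "version": peer_max_version,
        "candidates": [to_openssl_name(s) for s in usable],
        "reason": "" if usable else "no ciphers available",
    }


if __name__ == "__main__":
    for label, value in (("report", BUG_REPORT_TLS_CIPHER), ("gcm-only", GCM_ONLY_TLS_CIPHER)):
        for version in ("TLSv1", "TLSv1.2"):
            print(label, version, predict_handshake(value, version))
```

Run against the report's own list with a TLSv1-only peer, the single surviving suite maps to DHE-RSA-AES128-SHA, which is exactly the cipher the "Control Channel: TLSv1" log line shows; drop that CBC suite and the candidate list is empty, matching the "no ciphers available" failure. The same check is a quick way to confirm that a tls-cipher hardening change will not lock out peers that cannot yet negotiate TLS 1.2.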

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1385851

Title:
  OpenVPN only supports TLS v1.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1385851/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com