[LEDE-DEV] [PATCH RFC 1/2] openvpn: update to 2.4_rc2
Magnus Kroken
mkroken at gmail.com
Thu Dec 29 16:52:09 PST 2016
Hi Lucian, Martin
>> On 25.12.2016 14.23, Martin Blumenstingl wrote:
>>> I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
>>> #define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
>>> while
>>> //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
>>>
>>> can you tell if I ran into some corner case (the affected server was
>>> using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
>>> is a real problem?
On 27.12.2016 17.37, Lucian Cristian wrote:
> server:
>
> OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
> [PKCS11] [MH] [IPv6] built on Nov 3 2016
> openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
> openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming
> plaintext read error
> openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed
>
> removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch
>
> client:
> Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384,
> 2048 bit key
As Lucian already shared, enabling DHE-RSA exchange support in mbed TLS
does fix compatibility with OpenVPN 2.3-openssl servers (turns out with
OpenSSL, openvpn --show-tls lies a lot). I've confirmed that OpenVPN
2.4-mbedtls with this change can connect to OpenVPN-openssl 2.3.0 and
2.3.14.
I also discovered an issue connecting to OpenVPN-openssl 2.4 servers
during this, and have sent a patch for this as well.
Thanks for reporting and testing.
/Magnus
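Helper functions, added here as an example and not part of this thread or the LEDE config.patch, that report and enable a single option in an mbed TLS config.h such as MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED. They assume the upstream config.h layout, where a disabled option appears as `//#define NAME` and an enabled one as `#define NAME`, and GNU sed -E.

```shell
#!/bin/sh
# Example helpers (not from the LEDE patch) for toggling an mbed TLS
# config.h option. Assumes the upstream layout: disabled options are
# written as "//#define NAME", enabled ones as "#define NAME".

# mbedtls_option_state FILE NAME -> prints "enabled", "disabled" or "absent".
# The trailing ([[:space:]]|$) keeps NAME from matching a longer option
# that merely starts with the same prefix (e.g. ..._TLS1 vs ..._TLS1_2).
mbedtls_option_state() {
    file=$1; name=$2
    if grep -Eq "^[[:space:]]*#define[[:space:]]+$name([[:space:]]|\$)" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*//[[:space:]]*#define[[:space:]]+$name([[:space:]]|\$)" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# mbedtls_enable_option FILE NAME -> uncomments the define in place.
# Idempotent: returns 0 if the option is enabled afterwards (including when
# it already was), 1 if config.h does not mention the option at all.
mbedtls_enable_option() {
    file=$1; name=$2
    case $(mbedtls_option_state "$file" "$name") in
        enabled) return 0 ;;
        absent)  return 1 ;;
    esac
    # Strip the leading "//" only on the exact define line; write through a
    # temp file so this works without GNU-specific "sed -i" semantics.
    sed -E "s,^([[:space:]]*)//[[:space:]]*(#define[[:space:]]+$name)([^A-Za-z0-9_].*)?\$,\1\2\3," \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    [ "$(mbedtls_option_state "$file" "$name")" = enabled ]
}
```

After enabling the option, rebuilding mbed TLS and checking `openvpn --show-tls` on the client confirms that TLS-DHE-RSA suites are now offered.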