[LEDE-DEV] [PATCH RFC 1/2] openvpn: update to 2.4_rc2
Lucian Cristian
luci at createc.ro
Tue Dec 27 08:37:07 PST 2016
On 25.12.2016 16:17, Magnus Kroken wrote:
> Hi Martin
>
> On 25.12.2016 14.23, Martin Blumenstingl wrote:
>> I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
>> #define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
>> while
>> //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
>>
>> can you tell if I ran into some corner case (the affected server was
>> using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
>> is a real problem?
>
> Thanks for the report. In commit
> 732c24a0cac4293b058c99ff7867fd13a2670eca ("mbedtls: sync with polarssl
> config") Felix enabled some mbedTLS config options for legacy OpenVPN
> client compatibility, this one should probably have been enabled as
> well. It might depend on other options as well, I don't know mbedTLS
> well enough to know if that is all that's missing. I'm unable to test this
> at the moment, but I should be able to do some testing before the end
> of the year.
>
>> Regards,
>> Martin
>>
>
> /Magnus

server:

OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 3 2016
openvpn[21369]: x.x.x.x:41964 TLS: Initial packet from [AF_INET]x.x.x.x:41964, sid=98739b91 7023f61a
openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming plaintext read error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed
openvpn[21369]: x.x.x.x:41964 SIGUSR1[soft,tls-error] received, client-instance restarting

removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch

client:

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

as per:
"mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will not be accepted, both local and from the peer."

and after the update of the keys:

Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key

regards
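
Added example, not part of the original message and not LEDE or OpenVPN code: a small check that reads an mbed TLS config.h, lists the key exchanges whose #define is active, and reports which of a peer's cipher suites remain negotiable. The config fragment and the peer's suite list are constructed for illustration; the peer is assumed to offer only DHE-RSA suites, which reproduces the "no shared cipher" failure in the log above.

```python
import re

# Constructed sample: fragment of an mbed TLS config.h with DHE-RSA commented
# out, as in the thread. Not the actual output of LEDE's config.patch.
SAMPLE_CONFIG = """\
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
/* #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
"""

# Constructed sample: suites offered by a peer that only does DHE-RSA
# (assumption for this example), in mbed TLS naming.
PEER_SUITES = [
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
]

# Matches only active defines: a leading "//" prevents the match.
KEX_MACRO = re.compile(
    r"^\s*#\s*define\s+MBEDTLS_KEY_EXCHANGE_(\w+?)_ENABLED\b", re.M)


def enabled_key_exchanges(config_text):
    """Return the key exchanges whose #define is active, e.g. {'ECDHE-RSA'}."""
    # Drop /* ... */ comments first so defines inside them do not count.
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    return {m.group(1).replace("_", "-") for m in KEX_MACRO.finditer(text)}


def suite_key_exchange(suite):
    """'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' -> 'DHE-RSA'."""
    m = re.match(r"TLS-(.+?)-WITH-", suite)
    if not m:
        raise ValueError(f"not an mbed TLS style suite name: {suite}")
    return m.group(1)


def usable_suites(config_text, peer_suites):
    """Peer suites this build can negotiate; an empty list means no shared cipher."""
    kex = enabled_key_exchanges(config_text)
    return [s for s in peer_suites if suite_key_exchange(s) in kex]


if __name__ == "__main__":
    print("enabled:", sorted(enabled_key_exchanges(SAMPLE_CONFIG)))
    print("shared with peer:", usable_suites(SAMPLE_CONFIG, PEER_SUITES))
```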