Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I manage the error "OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol"? [closed]

While trying to connect to a VPN via openvpn I get the following error from openssl

Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)

This error does not arise when using OpenSSL 1.1.0h.

  • Why does this error arise after upgrading the openssl libraries?
  • How do I manage around this recurring problem?
  • Is there a way to make this work by giving some flags to openvpn CLI instead of downgrading openssl?

OS: Debian Sid

like image 548
Marcus Avatar asked Oct 30 '18 06:10

Marcus


3 Answers

You don't have to downgrade OpenSSL or change the system default.

Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn client to configure libssl with a different minimum protocol version. The option is --tls-version-min or tls-version-min in a config file.

It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.

like image 115
Edward Allcutt Avatar answered Nov 17 '22 08:11

Edward Allcutt


You don't have to downgrade OpenSSL.

With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Debian now require as minimum the TLS 1.2 version instead TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.

I recommend upgrade openvpn on server to newer version which support TLS 1.2..

Second options (not much secure) is modify MinProcotol to TLSv1 or TLSv1.1.

like image 41
Petr Duchek Avatar answered Nov 17 '22 08:11

Petr Duchek


You can even directly override the system default e.g. by using:

tls-cipher "DEFAULT:@SECLEVEL=1"

to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).

like image 3
plaisthos Avatar answered Nov 17 '22 08:11

plaisthos