2017-01-14 20:43:07 *Tunnelblick: This computer's apparent public IP address changed from XXX before connection to YYY after connection
2017-01-14 20:46:35 TLS: soft reset sec=-223 bytes=90536622/67108864 pkts=105802/0
2017-01-14 20:46:35 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-01-14 20:46:35 MANAGEMENT: CMD 'username "Auth" "XXXX"'
2017-01-14 20:46:35 MANAGEMENT: CMD 'password [...]'
2017-01-14 20:46:44 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=X
2017-01-14 20:46:44 Validating certificate key usage
2017-01-14 20:46:44 ++ Certificate has key usage 00a0, expects 00a0
2017-01-14 20:46:44 VERIFY KU OK
2017-01-14 20:46:44 Validating certificate extended key usage
2017-01-14 20:46:44 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-01-14 20:46:44 VERIFY EKU OK
2017-01-14 20:46:44 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=X
2017-01-14 20:46:45 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 48042'
2017-01-14 20:46:45 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 48000'
2017-01-14 20:46:45 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 512 bit key
2017-01-14 20:46:45 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
2017-01-14 20:46:45 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-14 20:46:45 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 512 bit key
2017-01-14 20:46:45 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
2017-01-14 20:46:45 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-14 20:46:45 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
nothing else; the icon keeps blinking.
I get that message in the logs ONCE and ONLY ONCE per connection; it doesn't happen ever again, no matter how much data I transfer.
Thanks.
Hello,
some context:
Tunnelblick 3.6.9 on macOS Sierra
I'm using a VPN service which is stuck with the BF-CBC algorithm (proxpn), which is vulnerable to the SWEET32 attack; I have read that a decent workaround to this issue is limiting the amount of bytes which are exchanged before key renegotiation; so I added the reneg-bytes option to my client configuration (I have read that it is not necessary on modern OpenVPN clients, but since I use the VPN from different boxes I wanted. The full config (excluding endpoints and certs, which should not matter here) is:
--
You received this message because you are subscribed to a topic in the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/tunnelblick-discuss/HTodmWoBaR0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to tunnelblick-discuss+unsub...@googlegroups.com.
Visit this group at https://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.
2017-01-20 10:46:22 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=support@proxpn.com
2017-01-20 10:46:22 Validating certificate key usage
2017-01-20 10:46:22 ++ Certificate has key usage 00a0, expects 00a0
2017-01-20 10:46:22 VERIFY KU OK
2017-01-20 10:46:22 Validating certificate extended key usage
2017-01-20 10:46:22 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-01-20 10:46:22 VERIFY EKU OK
2017-01-20 10:46:22 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=support@proxpn.com
2017-01-20 10:52:52 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=support@proxpn.com
2017-01-20 10:52:52 Validating certificate key usage
2017-01-20 10:52:52 ++ Certificate has key usage 00a0, expects 00a0
2017-01-20 10:52:52 VERIFY KU OK
2017-01-20 10:52:52 Validating certificate extended key usage
2017-01-20 10:52:52 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-01-20 10:52:52 VERIFY EKU OK
2017-01-20 10:52:52 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=proXPN Direct, LLC, OU=proxpn.com, CN=proxpn.com, name=proxpn.com, emailAddress=support@proxpn.com
Hello, I tried removing the user nobody/group nobody from the configuration, but the issue seems totally unrelated. I've updated to Tunnelblick 3.6.10 as well, and the issue persists. The full diagnostic log follows:
*Tunnelblick: OS X 10.12.2; Tunnelblick 3.6.10 (build 4760); prior version 3.6.9 (build 4685); Admin user
git commit 9f798839bcb9c9aaaa46591e672280e6bee491a4
2017-01-21 06:40:56 MANAGEMENT: >STATE:1484998856,CONNECTED,SUCCESS,***,***,***,,
2017-01-21 06:41:01 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-01-21 06:41:04 *Tunnelblick: This computer's apparent public IP address changed from *** before connection to *** after connection
First renegotiation:
2017-01-21 06:41:50 TLS: soft reset sec=3540 bytes=5165681/5108864 pkts=7413/0
2017-01-21 06:41:50 VERIFY OK: depth=1, C=GB, ST=LN, L=LONDON, O=m7VPN, CN=m7VPN-CA, emailAddress=***
2017-01-21 06:41:50 VERIFY OK: nsCertType=SERVER
2017-01-21 06:41:50 VERIFY OK: depth=0, C=GB, ST=LN, O=m7VPN, CN=server, emailAddress=***
2017-01-21 06:41:50 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 56 bit key
2017-01-21 06:41:50 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-01-21 06:41:50 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-21 06:41:50 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 56 bit key
2017-01-21 06:41:50 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-01-21 06:41:50 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-21 06:41:50 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
2017-01-21 06:44:35 TLS: soft reset sec=3435 bytes=5743631/5108864 pkts=6380/0
2017-01-21 06:44:35 VERIFY OK: depth=1, C=GB, ST=LN, L=LONDON, O=m7VPN, CN=m7VPN-CA, emailAddress=***
2017-01-21 06:44:35 VERIFY OK: nsCertType=SERVER
2017-01-21 06:44:35 VERIFY OK: depth=0, C=GB, ST=LN, O=m7VPN, CN=server, emailAddress=***
2017-01-21 06:44:35 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 56 bit key
2017-01-21 06:44:35 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-01-21 06:44:35 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-21 06:44:35 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 56 bit key
2017-01-21 06:44:35 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-01-21 06:44:35 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-21 06:44:35 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
2017-01-21 06:44:41 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
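As an added example (not part of the original posts, and not Tunnelblick or OpenVPN code): a small parser that pulls the `TLS: soft reset` lines out of a log like the ones above and reports how often the data-channel key was renegotiated and whether a 64-bit block cipher is in use. It assumes `bytes=A/B` means bytes transferred / configured byte limit, which matches the values shown in this thread; the function name `audit_rekeys` and the sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
2017-01-21 06:40:56 MANAGEMENT: >STATE:1484998856,CONNECTED,SUCCESS,***,***,***,,
2017-01-21 06:41:50 TLS: soft reset sec=3540 bytes=5165681/5108864 pkts=7413/0
2017-01-21 06:41:50 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 56 bit key
2017-01-21 06:41:50 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).
2017-01-21 06:44:35 TLS: soft reset sec=3435 bytes=5743631/5108864 pkts=6380/0
2017-01-21 06:44:35 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 56 bit key
"""

RESET_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\S* TLS: soft reset "
    r"sec=(-?\d+) bytes=(\d+)/(\d+) pkts=(\d+)/(\d+)")
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")
# Matches both wordings of the small-block warning seen in the thread.
SMALL_BLOCK_RE = re.compile(r"block size (?:is )?less than 128 bit")


def audit_rekeys(log_text):
    """Summarise data-channel rekeys found in an OpenVPN/Tunnelblick log."""
    resets, ciphers, small_block, prev = [], set(), False, None
    for line in log_text.splitlines():
        m = RESET_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            used, limit = int(m.group(3)), int(m.group(4))
            resets.append({
                "time": ts,
                "used": used,
                "limit": limit,  # assumed: second number is the byte limit
                # A limit of 0 is treated as "no byte limit set".
                "byte_triggered": limit > 0 and used >= limit,
                "overshoot": max(0, used - limit) if limit else 0,
                "gap_s": int((ts - prev).total_seconds()) if prev else None,
            })
            prev = ts
            continue
        c = CIPHER_RE.search(line)
        if c:
            ciphers.add(c.group(1))
        if SMALL_BLOCK_RE.search(line):
            small_block = True
    return {"resets": resets, "ciphers": ciphers, "small_block": small_block}


if __name__ == "__main__":
    report = audit_rekeys(SAMPLE_LOG)
    for r in report["resets"]:
        print(r["time"], r["used"], r["limit"], r["byte_triggered"], r["gap_s"])
    print(sorted(report["ciphers"]), "small block:", report["small_block"])
```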
2021-04-22 07:51:46.681947 ERROR: could not read Auth username/password/ok/string from management interface
Any idea how to fix it? It was ok with all the 8 betas of 11.3
Thanks
L: