Tunnelblick and TLSv1.2 ciphers


jon.m...@gmail.com

Sep 19, 2014, 2:48:19 PM
to tunnelbli...@googlegroups.com
I'm having some trouble getting Tunnelblick (v3.4beta36) working with TLSv1.2 ciphers using openvpn 2.3.4 on my MBP (Mavericks).

In my client config I define the following:

client
dev tun
proto udp
remote vpn.domain.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
pkcs12 user.p12
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
comp-lzo
verb 3

When I try to connect to the server it tries reconnecting multiple times a second and the logs fill up with the following over and over again:

2014-09-19 20:37:03 MANAGEMENT: >STATE:1411151823,WAIT,,,
2014-09-19 20:37:03 TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
2014-09-19 20:37:03 TLS Error: TLS object -> incoming plaintext read error
2014-09-19 20:37:03 TLS Error: TLS handshake failed
2014-09-19 20:37:03 SIGUSR1[soft,tls-error] received, process restarting
2014-09-19 20:37:03 MANAGEMENT: >STATE:1411151823,RECONNECTING,tls-error,,
2014-09-19 20:37:03 MANAGEMENT: CMD 'hold release'
2014-09-19 20:37:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-09-19 20:37:03 Socket Buffers: R=[196724->65536] S=[9216->65536]
2014-09-19 20:37:03 MANAGEMENT: >STATE:1411151823,RESOLVE,,,
2014-09-19 20:37:03 UDPv4 link local: [undef]
2014-09-19 20:37:03 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194

These ciphers are present in the --show-tls list, however I still get SSL3_CLIENT_HELLO:no ciphers available. Does this mean it's still trying to use SSLv3/TLSv1.0? That would make sense considering these ciphers are TLSv1.2 only. Am I missing a directive to force TLSv1.2?

To be clear, the remote server isn't even running when I tested this, so this isn't a ciphersuite mismatch error between the server and the client.

Is there something I'm missing here?

jkbull...gmail.com

Sep 19, 2014, 11:30:41 PM
to tunnelbli...@googlegroups.com, jon.m...@gmail.com
This is really an OpenVPN question -- you should consult with OpenVPN sources such as:

You should also make sure the ciphers are present in the copy of OpenVPN that you are using, located in

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn

Also, the use of "user nobody" and "group nobody" may cause problems if/when OpenVPN needs to restart the connection. If any routing is done by OpenVPN (as is usually the case) it cannot be restored and/or recreated when these options are used.

jon.m...@gmail.com

Sep 20, 2014, 5:06:42 AM
to tunnelbli...@googlegroups.com, jon.m...@gmail.com
I'm not so sure this is an OpenVPN question considering the same tls-cipher directive works on the server (OVPN 2.3.4 on Debian 7).

But going with that assumption, and forgive my ignorance, but does OVPN pull the OpenSSL libraries in at compile time or does it use the host's OpenSSL library at runtime? Asking cuz I know that Mavericks ships with OpenSSL 0.9.8y which has no support for TLSv1.2 ciphers.

And yes, I checked the available ciphers using the binary located at /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn

I also know about the problems of using user/group nobody; that, however, is not what I'm asking about here. Also, running a service as root (post setup) is a bad idea: if someone gets code execution through a vulnerability in OVPN, they have root on the box.

jkbull...gmail.com

Sep 20, 2014, 9:11:44 AM
to tunnelbli...@googlegroups.com, jon.m...@gmail.com
Sorry -- when you asked "Am I missing a directive to force TLSv1.2?", I interpreted "directive" as a reference to an OpenVPN option, which would make it an OpenVPN question.

Tunnelblick builds OpenSSL libraries and links them to its OpenVPN binaries when Tunnelblick is built. It does not "pull" the OpenSSL source (or any other source) at build time; Tunnelblick's source includes a version of the OpenSSL source code (and all other third-party source code). Currently, OpenSSL version 1.0.1i is included.

Since it works on Debian, it could be a problem in the way that Tunnelblick builds OpenSSL into OpenVPN, or it could be a problem in OpenSSL or OpenVPN that only shows up under OS X and/or on your hardware.

The Tunnelblick build expert has privately offered to look into it.

Molina-Bulla Harold

Sep 20, 2014, 10:34:29 AM
to tunnelbli...@googlegroups.com, jon.m...@gmail.com
Hi Jon

In order to work with TLSv1.2, add the following line to the configuration file:

tls-version-min 1.2

in both server and client. Otherwise it will not work.
This problem is not only present in Tunnelblick’s openvpn program. It is present in Linux versions too.

Best regards

H.
-----------------------------------------------------------------
- "Does Big Brother exist?" - Winston
- "Of course he exists. The Party exists. Big Brother is the
  embodiment of the Party." - O'Brien
- "Does he exist in the same way as I exist?" - Winston
- "You do not exist." - O'Brien

George Orwell (1984)
-----------------------------------------------------------------
Remember: PRISM is watching you!!! X)
And you do not exist!!!
-----------------------------------------------------------------
Harold Molina-Bulla Ph.D.
h.mo...@gmail.org
GnuPG key: D727746B

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tunnelblick-dis...@googlegroups.com.
Visit this group at http://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.
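The fix above amounts to a configuration rule: TLS 1.2-only suites (AES-GCM, SHA256/SHA384 HMAC variants) in `tls-cipher` only work when `tls-version-min 1.2` is also set, otherwise the ClientHello is built for an older protocol version and OpenSSL reports "no ciphers available" before any server is contacted. The following linter is an added example, not Tunnelblick or OpenVPN code; it parses a client config, flags that combination, and, going slightly beyond the thread, also catches a `tls-version-min` below 1.2. The sample config is constructed from the directives quoted in the first message, with a placeholder hostname.

```python
"""Check an OpenVPN client config for the TLS 1.2 cipher-suite mismatch
discussed in this thread. Added example, not project code."""
import re

# Suite-name fragments that only exist in TLS 1.2: AEAD (GCM) suites and
# the SHA256/SHA384 HMAC variants. Older suites use SHA (SHA-1) or MD5.
TLS12_ONLY = re.compile(r"(GCM|SHA256|SHA384)")


def parse_config(text):
    """Return [(directive, [args])] for every non-blank, non-comment line.
    OpenVPN treats lines starting with '#' or ';' as comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def tls12_only_suites(entries):
    """Suites from `tls-cipher` that cannot be negotiated below TLS 1.2."""
    suites = []
    for directive, args in entries:
        if directive == "tls-cipher" and args:
            # The suite list is a single colon-separated argument.
            suites.extend(s for s in args[0].split(":") if TLS12_ONLY.search(s))
    return suites


def min_tls_version(entries):
    """Value of `tls-version-min` as a float (e.g. 1.2), or None if unset."""
    for directive, args in entries:
        if directive == "tls-version-min" and args:
            return float(args[0])  # "1.2 or-highest" still parses as 1.2
    return None


def lint(text):
    """Return a list of human-readable findings (empty means no issues)."""
    entries = parse_config(text)
    findings = []
    suites = tls12_only_suites(entries)
    vmin = min_tls_version(entries)
    if suites and (vmin is None or vmin < 1.2):
        findings.append(
            "tls-cipher lists TLS 1.2-only suites (%s) but tls-version-min is %s; "
            "add 'tls-version-min 1.2' on both client and server"
            % (", ".join(suites), "unset" if vmin is None else vmin)
        )
    # Secondary point raised in the thread: dropping to 'nobody' can leave
    # OpenVPN unable to re-create routes when the connection restarts.
    for directive, args in entries:
        if directive in ("user", "group") and args and args[0] == "nobody":
            findings.append(
                "%s nobody: OpenVPN may be unable to restore routes on restart" % directive
            )
    return findings


# Constructed sample based on the config in the first message (placeholder host).
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
pkcs12 user.p12
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
comp-lzo
verb 3
"""

# Same config with the line recommended in the thread appended.
FIXED_CONFIG = SAMPLE_CONFIG + "tls-version-min 1.2\n"

if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print("== %s ==" % name)
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a real client config by replacing `SAMPLE_CONFIG` with the file's contents; the cipher-suite check is purely lexical, so it also works on configs that the local OpenVPN binary cannot parse yet.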


Jonathan Coetzee

Sep 20, 2014, 10:52:43 AM
to tunnelbli...@googlegroups.com, jon.m...@gmail.com
That did it! Thanks a lot, that was driving me mad.

joseph....@selerityfinancial.com

Dec 15, 2015, 8:54:25 PM
to tunnelblick-discuss, jon.m...@gmail.com
THANK YOU!!!!