
Bug#1012075: openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' breaks connection buildup


Henrik Schöpel

May 29, 2022, 2:30:05 PM
Package: openvpn
Version: 2.5.6-1
Severity: important

Dear Debian OpenVPN Maintainer,

This is a pretty serious bug as it breaks the usage of VPN.

The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
won't connect due to TLS errors during connection attempts.
Only downgrade to version '2.5.6-1' solves the issue.

I had to blur some characters like IP addresses. Destination is Sophos UTM
Appliances.

I attached a text file which compares both outputs of each release.

Best regards,
Henrik


-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.79
ii iproute2 5.17.0-2
ii libc6 2.33-7
ii liblz4-1 1.9.3-2
ii liblzo2-2 2.10-2
ii libpam0g 1.4.0-13
ii libpkcs11-helper1 1.28-1+b1
ii libssl1.1 1.1.1o-1
ii libsystemd0 251.1-1
ii lsb-base 11.2

Versions of packages openvpn recommends:
ii easy-rsa 3.0.8-1

Versions of packages openvpn suggests:
ii openssl 3.0.3-5
pn openvpn-systemd-resolved <none>
pn resolvconf <none>

-- debconf information:
openvpn/create_tun: false
OpenVPN_Latest_SID_Release_Broken.txt

Bernhard Schmidt

May 30, 2022, 5:40:03 AM
Control: tags -1 moreinfo

Hi Henrik,

> The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> won't connect due to TLS errors during connection attempts.
> Only downgrade to version '2.5.6-1' solves the issue.

Have you followed up on the multiple warnings and notes from the log?

2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
OpenVPN ignores --cipher for cipher negotiations.

2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically
indicates that client and server have no common TLS version enabled.
This can be caused by mismatched tls-version-min and tls-version-max
options on client and server. If your OpenVPN client is between v2.3.6
and v2.3.2 try adding tls-version-min 1.0 to the client configuration to
use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported
protocol

Please also check up on all items in
https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst .

From your working log

2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3
DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256

TLSv1 means TLSv1.0 means very very deprecated.

>
> I had to blur some characters like IP adresses. Destination is Sophos UTM
> Appliances.

Is that Sophos up to date?

Bernhard
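
Both points Bernhard raises (the --cipher/--data-ciphers warning and the TLSv1.0 control channel) can be checked mechanically before a client is upgraded. The following is an added example, not code from the thread or from the OpenVPN project: a Python check over a constructed client config and a log line in the format quoted above; the host name and config contents are constructed.

```python
import re
# Constructed client config fragment mirroring the settings behind the
# "DEPRECATED OPTION" warning quoted in the thread (host is a placeholder).
SAMPLE_CONFIG = """\
remote vpn.example.invalid 1194
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
tls-version-min 1.0
"""
# Constructed log line in the format of the "working" 2.5.6 log quoted above.
SAMPLE_LOG = ["2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 "
              "DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256"]
# Default --data-ciphers list as printed in the 2.6 warning quoted in the thread.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
CONTROL_RE = re.compile(r"Control Channel: (TLSv1(?:\.\d)?), cipher \S+ ([^\s,]+)")

def parse_config(text):
    """Map each option (with or without leading dashes) to the rest of its line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            opts[name.lstrip("-")] = value.strip()
    return opts

def check_config(text):
    """Flag settings that the 2.6 client warns about or OpenSSL 3 refuses."""
    opts, findings = parse_config(text), []
    cipher = opts.get("cipher")
    if cipher and cipher not in opts.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":"):
        findings.append(f"--cipher {cipher} is not in --data-ciphers; 2.6 ignores it for negotiation")
    tls_min = opts.get("tls-version-min", "").split()[:1]   # tolerate "1.0 or-highest"
    if tls_min and float(tls_min[0]) < 1.2:
        findings.append(f"tls-version-min {tls_min[0]} allows TLS < 1.2, which OpenSSL 3 "
                        "refuses at its default security level (the 'unsupported protocol' error)")
    return findings

def check_log(lines):
    """Flag a control channel that only came up on TLS 1.0/1.1; it will not under 2.6."""
    findings = []
    for line in lines:
        m = CONTROL_RE.search(line)
        if m:
            version, suite = m.groups()
            minor = int(version.partition(".")[2] or 0)
            if minor < 2:
                findings.append(f"peer negotiated {version} with {suite}; upgrade the peer first")
    return findings
```

Run `check_config` on the client's .ovpn and `check_log` on a verbose log from the still-working 2.5 client to see whether an upgrade to 2.6 will break the tunnel.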

Henrik Schöpel

Jun 9, 2022, 1:30:03 PM
Hello Bernhard,

Sorry for my late reply.

The XG550 is running Firmware "SFOS 17.5.14 MR-14-1". It fell out of
support at the end of 2021. I was in discussion with our network guys to
upgrade the Firmware to the latest version. As these Sophos XGs are running
in HA Mode and cost 40k each, we can't do this without proper testing
etc. So we plan to replace them with brand new Fortinets in the IDC.
Sophos Tech support couldn't provide us any hint if this could be fixed
in this 17.5 FW Release as it's not under support anymore.

I couldn't see any information regarding new TLS encryption functions
in the 18.x FW Release but I guess they fixed it. I could reply in 2-3
months once we have the Fortinets in place and properly configured.

One thing is very strange here. The Windows OpenVPN client in version
2.6 works fine compared to the Linux client. So there might be something
else in the client source code?

I guess we can close this ticket for the moment?

Best regards,
Henrik


On Mon, 30 May 2022 11:18:41 +0200 Bernhard Schmidt <be...@debian.org>
wrote:

Mikhail Arefiev

Jul 23, 2022, 6:10:03 PM
I am also suffering from this issue with 2.6.0~git20220518+dco-2 (I have added the parameters as advised by Bernhard) (the error is the same for both TCP and UDP):

gris@tulip: ~% sudo openvpn --cipher AES-128-CBC --data-ciphers AES-128-CBC --config /root/premisg4.vpnjantit.com/premisg4.vpnjantit-tcp-8080.ovpn
2022-07-24 00:50:08 Cannot find ovpn_dco netlink component: Object not found
2022-07-24 00:50:08 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2022-07-24 00:50:08 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 30 2022
2022-07-24 00:50:08 library versions: OpenSSL 3.0.4 21 Jun 2022, LZO 2.10
2022-07-24 00:50:08 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-07-24 00:50:08 NOTE: --fast-io is disabled since we are not using UDP
2022-07-24 00:50:08 TCP/UDP: Preserving recently used remote address: [AF_INET]188.166.212.168:8080
2022-07-24 00:50:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-07-24 00:50:08 Attempting to establish TCP connection with [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TCP connection established with [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-07-24 00:50:09 TCP_CLIENT link local: (not bound)
2022-07-24 00:50:09 TCP_CLIENT link remote: [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TLS: Initial packet from [AF_INET]188.166.212.168:8080, sid=04c70371 12da42fb
2022-07-24 00:50:09 VERIFY OK: depth=0, CN=premi4.vpnjantit.com, O=premi4.vpnjantit.com, OU=premi4.vpnjantit.com, C=US
2022-07-24 00:50:09 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-07-24 00:50:09 TLS_ERROR: BIO read tls_read_plaintext error
2022-07-24 00:50:09 TLS Error: TLS object -> incoming plaintext read error
2022-07-24 00:50:09 TLS Error: TLS handshake failed
2022-07-24 00:50:09 Fatal TLS error (check_tls_errors_co), restarting
2022-07-24 00:50:09 SIGUSR1[soft,tls-error] received, process restarting
2022-07-24 00:50:09 Restart pause, 5 second(s)
^C2022-07-24 00:50:11 SIGINT[hard,init_instance] received, process exiting

However, this unfortunately very deprecated setting still works just fine with 2.5.1-3. I also reported TLS 1.0 to the service provider.
--
Best regards,
Mikhail Arefiev
Yandex NOC Software Development
m-ar...@yandex-team.ru
+7 909 160 8668