Hi Lucian, Martin
On 25.12.2016 14.23, Martin Blumenstingl wrote:
> I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
> #define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
> while
> //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
> can you tell if I ran into some corner case (the affected server was
> using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
> is a real problem?

On 27.12.2016 17.37, Lucian Cristian wrote:
> server:
> OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
> [PKCS11] [MH] [IPv6] built on Nov 3 2016
> openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
> openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming
> plaintext read error
> openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed
>
> removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch
>
> client:
> Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384,
> 2048 bit key

As Lucian already shared, enabling DHE-RSA exchange support in mbed TLS
does fix compatibility with OpenVPN 2.3-openssl servers (turns out with
OpenSSL, openvpn --show-tls lies a lot). I've confirmed that OpenVPN
2.4-mbedtls with this change can connect to OpenVPN-openssl 2.3.0 and
2.3.14.
I also discovered an issue connecting to OpenVPN-openssl 2.4 servers
during this, and have sent a patch for this as well.
Thanks for reporting and testing.
/Magnus
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
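An added helper illustrating the mismatch discussed in this thread (example code written for this page, not from the LEDE, OpenVPN or mbed TLS projects): it maps the suite name OpenVPN logs on the "Control Channel:" line to the mbed TLS build option that has to be enabled for a client to offer it, and reports whether a config.h has that option live, commented out with "//" as in Martin's report, or absent. The config fragment is constructed; the define names follow mbed TLS's MBEDTLS_KEY_EXCHANGE_*_ENABLED convention.

```python
import re

# Constructed config.h fragment mirroring the state Martin reported:
# DHE-RSA present but commented out, so the client never offers it and
# a server that only accepts DHE-RSA fails with "no shared cipher".
SAMPLE_CONFIG = """\
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
"""

# mbed TLS style suite names: TLS-<key exchange>-WITH-<cipher>-<mac>
SUITE_RE = re.compile(r"^TLS-(?P<kex>[A-Z0-9-]+?)-WITH-")


def required_define(suite):
    """Return the MBEDTLS_KEY_EXCHANGE_*_ENABLED option a suite needs."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("not an mbed TLS style suite name: %r" % suite)
    return "MBEDTLS_KEY_EXCHANGE_%s_ENABLED" % m.group("kex").replace("-", "_")


def define_state(config_text, name):
    """Classify one option as 'enabled', 'commented' or 'missing'.

    A leading '//' before '#define' marks the option as compiled out; a
    live '#define' anywhere in the file takes precedence over a commented
    copy, which matches how the C preprocessor sees the file.
    """
    state = "missing"
    pat = re.compile(r"^\s*(//\s*)?#define\s+%s\b" % re.escape(name))
    for line in config_text.splitlines():
        m = pat.match(line)
        if m is None:
            continue
        if m.group(1) is None:
            return "enabled"
        state = "commented"
    return state


def check_suite(config_text, suite):
    """(option name, state) for the suite a peer negotiated or requires."""
    name = required_define(suite)
    return name, define_state(config_text, name)


if __name__ == "__main__":
    for s in ("TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
              "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"):
        print(s, "->", check_suite(SAMPLE_CONFIG, s))
```

Running it against a real include/mbedtls/config.h (or the config.patch from the LEDE package) shows at a glance whether the suite a 2.3-openssl server insists on can be offered by the client build.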