Hi Lucian, Martin

On 25.12.2016 14.23, Martin Blumenstingl wrote:
I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

can you tell if I ran into some corner case (the affected server was
using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
is a real problem?

On 27.12.2016 17.37, Lucian Cristian wrote:
server:

OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
[PKCS11] [MH] [IPv6] built on Nov  3 2016
openvpn[21369]: x.x.x.x:41964 OpenSSL: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
openvpn[21369]: x.x.x.x:41964 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS object -> incoming
plaintext read error
openvpn[21369]: x.x.x.x:41964 TLS Error: TLS handshake failed

removing //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED from config.patch

client:
 Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384,
2048 bit key

As Lucian already shared, enabling DHE-RSA exchange support in mbed TLS does fix compatibility with OpenVPN 2.3-openssl servers (turns out with OpenSSL, openvpn --show-tls lies a lot). I've confirmed that OpenVPN 2.4-mbedtls with this change can connect to OpenVPN-openssl 2.3.0 and 2.3.14.

I also discovered an issue connecting to OpenVPN-openssl 2.4 servers during this, and have sent a patch for this as well.

Thanks for reporting and testing.
/Magnus
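
The failure in this thread comes down to a compile-time toggle: with `//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED` the client build cannot offer any DHE-RSA suite, so an OpenVPN 2.3/OpenSSL server that only accepts those reports "no shared cipher". The following is an added example (not code from the thread, LEDE or mbed TLS) that checks a config.h fragment for which key-exchange families are really enabled and intersects them with a server's suite list; the config fragment and server suite list are constructed to mirror the before/after state described above.

```python
import re

# Constructed mbed TLS config.h fragment in the state the thread describes
# (DHE-RSA disabled by a leading '//'); not the real LEDE config.patch.
CONFIG_BEFORE = """
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/* #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
"""
# Same fragment with the '//' removed, as the fix in the thread does.
CONFIG_AFTER = CONFIG_BEFORE.replace("//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
                                     "#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED")
# Constructed server offer: the one suite Lucian's client log shows negotiating.
SERVER_SUITES = ["TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"]

DEFINE_RE = re.compile(r"^\s*#\s*(define|undef)\s+MBEDTLS_KEY_EXCHANGE_(\w+?)_ENABLED\b")

def enabled_key_exchanges(config_text):
    """Key-exchange families left enabled by a config.h fragment.
    Block comments and '//' line comments disable a define; '#undef' removes it."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    enabled = set()
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = DEFINE_RE.match(line)
        if not m:
            continue
        kx = m.group(2).replace("_", "-")  # DHE_RSA -> DHE-RSA (ciphersuite spelling)
        if m.group(1) == "define":
            enabled.add(kx)
        else:
            enabled.discard(kx)
    return enabled

def key_exchange_of(suite):
    """'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' -> 'DHE-RSA'."""
    return suite.split("TLS-", 1)[1].split("-WITH-", 1)[0]

def shared_ciphers(config_text, server_suites):
    """Server suites whose key exchange this client build can speak.
    An empty list is the client-side view of OpenSSL's 'no shared cipher'."""
    enabled = enabled_key_exchanges(config_text)
    return [s for s in server_suites if key_exchange_of(s) in enabled]

if __name__ == "__main__":
    print("before patch:", shared_ciphers(CONFIG_BEFORE, SERVER_SUITES))
    print("after patch: ", shared_ciphers(CONFIG_AFTER, SERVER_SUITES))
```

Run against the real config.h of a build, this answers the question the thread had to settle by trial: whether the suite a server logs as negotiable is one the mbed TLS build was compiled to offer at all.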

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
