Hi,

On 7 August 2018 at 12:29, Eike Lohmann <e.lohm...@ic3s.de> wrote:
> Old 3DES:
>
> TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
> TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
>
> openssl 1.0.2l does not support it anymore.
> openssl ciphers -v 'ALL:eNULL'|grep DES -> nothing

So this explains why these are rejected, thanks for sharing.

> but
>
> openssl ciphers -v 'ALL:eNULL'|grep DSS ->
>
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> and it should be IANA"TLS-DHE-DSS-WITH-AES-256-CBC-SHA"
>
> If I set this with tls-cipher in server and client, it fails with:
>
> server side:
> Aug 7 12:27:14 rfip-ovpnbb-3.mdex.de ovpn-fixedip[14340]: 172.17.35.10:32844
> TLS error: The server has no TLS ciphersuites in common with the client. Your
> --tls-cipher setting might be too restrictive.
>
> Client side:
> nothing after "Tue Aug 7 12:27:06 2018 TLS: Initial packet from..."

Did you also change the server certificate to a DSA certificate? The DSS cipher suites only work with DSA server certificates.

-Steffan
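
The check behind that reply, as an added example that is not part of the original thread: a cipher suite is only usable when the `Au=` field shown by `openssl ciphers -v` matches the server certificate's key type. The function names, the key-type labels (RSA, DSA, EC) and the sample cipher list are assumptions made for illustration; only the first sample line is quoted in the thread.

```shell
#!/bin/sh
# Constructed sample in the format of `openssl ciphers -v` output.
# The first line is the one quoted in the thread; the other two are constructed.
SAMPLE_CIPHERS='DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS   Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA   Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1'

# Map a server certificate key type to the Au= value a suite must carry.
au_for_key() {
    case "$1" in
        RSA) echo RSA ;;
        DSA) echo DSS ;;
        EC)  echo ECDSA ;;
        *)   return 1 ;;
    esac
}

# suite_matches_key SUITE KEYTYPE [CIPHER_LIST]
# Exit 0 if the suite's Au= matches the key type, 1 if it does not,
# 2 if the suite or the key type is unknown.
suite_matches_key() {
    want=$(au_for_key "$2") || return 2
    list=${3:-$SAMPLE_CIPHERS}
    au=$(printf '%s\n' "$list" | awk -v s="$1" '
        $1 == s {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Au=/) { sub(/^Au=/, "", $i); print $i; exit }
        }')
    [ -n "$au" ] || return 2
    [ "$au" = "$want" ]
}

# usable_suites KEYTYPE [CIPHER_LIST]
# Print the names of the suites that can be negotiated with that key type.
usable_suites() {
    want=$(au_for_key "$1") || return 2
    printf '%s\n' "${2:-$SAMPLE_CIPHERS}" | awk -v w="Au=$want" '
        { for (i = 2; i <= NF; i++) if ($i == w) print $1 }'
}
```

On a real host, pass the output of `openssl ciphers -v 'ALL:eNULL'` as the last argument instead of relying on the constructed sample.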