On 08.09.2018 at 12:35, Steffan Karger wrote:
> Hi,
>
> On 7 August 2018 at 12:29, Eike Lohmann <e.lohm...@ic3s.de> wrote:
>> Old 3DES:
>>
>> TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
>> TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
>>
>> openssl 1.0.2l does not support it anymore.
>> openssl ciphers -v 'ALL:eNULL'|grep DES -> nothing
> So this explains why these are rejected, thanks for sharing.
>
>> but
>>
>> openssl ciphers -v 'ALL:eNULL'|grep DSS ->
>>
>> DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
>> and it should be IANA "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"
>>
>> If I set this with tls-cipher in server and client, it fails with:
>>
>> server side:
>> Aug  7 12:27:14 rfip-ovpnbb-3.mdex.de ovpn-fixedip[14340]: 172.17.35.10:32844
>> TLS error: The server has no TLS ciphersuites in common with the client. Your
>> --tls-cipher setting might be too restrictive.
>>
>> Client side:
>> nothing after "Tue Aug  7 12:27:06 2018 TLS: Initial packet from..."
> Did you also change the server certificate to a DSA certificate?  The
> DSS cipher suites only work with DSA server certificates.
>
> -Steffan

Nope, thanks for that hint.


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
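
Added example, not part of the thread or of OpenVPN/OpenSSL: a small pre-flight check for the point made above, that a suite's `Au=` field in `openssl ciphers -v` output must match the server certificate's key type. The function names, the second sample line and the RSA certificate are assumptions made for the illustration.

```python
import re

# Au= field of `openssl ciphers -v` -> "Public Key Algorithm" value printed by
# `openssl x509 -noout -text` for a certificate that can authenticate that suite.
AU_TO_CERT_KEY = {
    "RSA": "rsaEncryption",
    "DSS": "dsaEncryption",
    "ECDSA": "id-ecPublicKey",
}

# Constructed sample: the DSS line is the one quoted in the thread, the RSA
# line is added for contrast in the same `openssl ciphers -v` layout.
SAMPLE_CIPHERS_V = """\
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=\S+\s+Au=(\S+)")


def parse_ciphers_v(text):
    """Return {suite_name: Au value} for every parsable line."""
    suites = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites[m.group(1)] = m.group(2)
    return suites


def check_suites(ciphers_v_text, cert_key_alg):
    """Classify each suite as 'ok', 'mismatch' or 'unchecked' for this certificate."""
    result = {}
    for name, au in parse_ciphers_v(ciphers_v_text).items():
        needed = AU_TO_CERT_KEY.get(au)
        if needed is None:
            # Au=any, None, PSK, ...: not tied to one certificate key type here
            result[name] = "unchecked"
        elif needed == cert_key_alg:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


if __name__ == "__main__":
    # Assumption for the example: the server certificate has an RSA key.
    for suite, status in check_suites(SAMPLE_CIPHERS_V, "rsaEncryption").items():
        print(f"{suite:24} {status}")
```

A suite reported as `mismatch` cannot be negotiated with that certificate, so restricting `--tls-cipher` to it leaves the server with no suite in common with the client.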
