openvpn tls 1.2

OpenVPN can't establish a connection with any TLS 1.2 cipher.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

I would like to know if anyone else is able to get it working (and if so, with which cipher suite).

Yes, I use the current version 2.3.6, compiled from source. Tried with various Linux distros and Windows clients.

As described in the link below, the ciphers should work with OpenVPN: https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher

This is the error I'm presented with at the client:

[... Desktop]$ sudo openvpn home.ovpn 
Sat Jan 24 15:18:28 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 24 2015
Sat Jan 24 15:18:28 2015 library versions: OpenSSL 1.0.1l 15 Jan 2015, LZO 2.08
Sat Jan 24 15:18:28 2015 WARNING: file 'home/client1.key' is group or others accessible
Sat Jan 24 15:18:28 2015 WARNING: file 'home/ta.key' is group or others accessible
Sat Jan 24 15:18:28 2015 Control Channel Authentication: using 'home/ta.key' as a OpenVPN static key file
Sat Jan 24 15:18:28 2015 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 24 15:18:28 2015 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jan 24 15:18:28 2015 Attempting to establish TCP connection with [AF_INET]192.168.1.67:1194 [nonblock]
Sat Jan 24 15:18:29 2015 TCP connection established with [AF_INET]192.168.1.67:1194
Sat Jan 24 15:18:29 2015 TCPv4_CLIENT link local: [undef]
Sat Jan 24 15:18:29 2015 TCPv4_CLIENT link remote: [AF_INET]192.168.1.67:1194
Sat Jan 24 15:18:29 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
Sat Jan 24 15:18:29 2015 TLS Error: TLS object -> incoming plaintext read error
Sat Jan 24 15:18:29 2015 TLS Error: TLS handshake failed
Sat Jan 24 15:18:29 2015 Fatal TLS error (check_tls_errors_co), restarting
Sat Jan 24 15:18:29 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 24 15:18:30 2015 SIGINT[hard,init_instance] received, process exiting

Server Log: http://pastebin.com/DKR76FAy

Same question appeared once before: https://security.stackexchange.com/questions/73448/tls-authentication-on-openvpn-server

________________

Partial Solution:

tls-version-min 1.2

By adding this line to both the client and server config, you get the 128-bit cipher suites working. The 256-bit variants still don't succeed.

misterix

Posted 2015-01-24T14:37:35.530
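The client log above fails at the ClientHello with "no ciphers available", and the partial solution shows that tls-version-min 1.2 makes the 128-bit suites work. The script below is an added example written for this thread; it is not code from the original post or from the OpenVPN project. It translates OpenVPN's IANA-style --tls-cipher names into the OpenSSL names that the underlying library actually matches against, flags which suites exist only in TLS 1.2 (GCM or SHA-256/SHA-384 HMAC), and asks the local OpenSSL through Python's ssl module whether it can enable each one. Two assumptions are built in and marked in the code: the name-translation rule (derived from OpenSSL's convention for the RSA/DHE/ECDHE AES suites), and that an OpenVPN 2.3 client without tls-version-min offers TLS 1.0 only, which is consistent with what the thread observed. The suite list is the four from the question.

```python
"""Diagnose OpenVPN --tls-cipher suites against the local OpenSSL.

Added example for the thread above; not from the original post or from the
OpenVPN project. Assumptions are marked inline.
"""
import ssl

# Constructed sample input: the four suites from the question, spelled the
# way OpenVPN's --tls-cipher and --show-tls spell them.
QUESTION_SUITES = [
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
    "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
]


def to_openssl_name(openvpn_name: str) -> str:
    """Translate an OpenVPN/IANA suite name into OpenSSL's short name.

    Assumed rule (matches OpenSSL's naming for the AES suites):
      TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 -> DHE-RSA-AES256-GCM-SHA384
      TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 -> DHE-RSA-AES128-SHA256
    OpenSSL drops the TLS- prefix and -WITH-, fuses AES-<bits> into
    AES<bits>, and leaves the CBC mode marker out (only GCM is spelled).
    """
    name = openvpn_name
    if name.startswith("TLS-"):
        name = name[len("TLS-"):]
    name = name.replace("-WITH-", "-")
    for bits in ("128", "192", "256"):
        name = name.replace(f"AES-{bits}", f"AES{bits}")
    return name.replace("-CBC-", "-")


def requires_tls12(openvpn_name: str) -> bool:
    """True for suites defined only in TLS 1.2 (RFC 5246 / RFC 5288):
    AEAD (GCM) suites and suites with a SHA-256 or SHA-384 HMAC.
    TLS 1.0/1.1 only have SHA-1 and MD5 MACs, so a ClientHello that is
    capped at TLS 1.0 has nothing to send from such a cipher list; OpenSSL
    then reports exactly 'SSL3_CLIENT_HELLO:no ciphers available'."""
    return "-GCM-" in openvpn_name or openvpn_name.endswith(("SHA256", "SHA384"))


def local_openssl_supports(openssl_name: str) -> bool:
    """Ask the local OpenSSL (via the ssl module) whether it can enable the
    suite; this is what OpenVPN's cipher-list setup does as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return False
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def diagnose(openvpn_name: str, tls_version_min: str = "1.0") -> str:
    """Explain why a suite would fail for the given tls-version-min.

    Assumption (consistent with the thread): with no tls-version-min in the
    config, OpenVPN 2.3 negotiates TLS 1.0 only, hence the "1.0" default.
    """
    openssl_name = to_openssl_name(openvpn_name)
    if requires_tls12(openvpn_name) and _version_tuple(tls_version_min) < (1, 2):
        return (f"{openvpn_name}: TLS 1.2-only suite but the control channel "
                f"is capped at TLS {tls_version_min}; add 'tls-version-min 1.2' "
                f"to both client and server config")
    if not local_openssl_supports(openssl_name):
        return f"{openvpn_name}: local OpenSSL cannot enable {openssl_name}"
    return f"{openvpn_name}: usable as OpenSSL suite {openssl_name}"


if __name__ == "__main__":
    for suite in QUESTION_SUITES:
        print(diagnose(suite))                         # no tls-version-min
        print(diagnose(suite, tls_version_min="1.2"))  # with tls-version-min 1.2
```

Run it on the machine whose OpenVPN fails: the first line per suite reproduces the question's situation, the second shows whether the suite is at least enableable by the local library once TLS 1.2 is allowed. The translation also applies to other AES suites in the same naming family (for example ECDHE-ECDSA ones), which is why it is written as a rule rather than a table.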

Answers

1

I have TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 working just fine (on 2.3.6 compiled from source on Arch Linux).

However, it seems that OpenVPN requires the tls-version-min 1.2 setting in both the server config and the client config. As soon as I remove it, I get the exact same error.

Fleche

Posted 2015-01-24T14:37:35.530

Indeed, when adding tls-version-min, 128-bit works. Still, the first (and most secure) ciphers don't work; that's why I won't mark it as resolved. – None – 2015-01-24T16:47:13.767

The 256 bit ciphers are hardly more secure. A bigger number may look more impressive than a smaller number, but I'm not aware of any real-world benefit whatsoever that AES-192 or AES-256 have over AES-128. In fact, AES-128 is still beyond the capabilities of anybody. Do you have information to the contrary? – Fleche – 2015-01-24T22:50:17.850

Everybody is entitled to their own level of paranoia. And a bigger key size is a way to prepare for quantum computation. – misterix – 2015-01-27T16:06:02.767

0

In the server's logs I can see only one cipher enabled:

cipher_list = 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'

Maybe the server configuration should be edited to add the supplementary expected cipher lists.

WhiteWinterWolf

Posted 2015-01-24T14:37:35.530

I activated only one cipher at a time, the same one on client and server. But I tried all four I listed above. – None – 2015-01-24T15:37:45.317