TLS handshake failed

Post by tadrim » Mon Aug 24, 2015 4:04 pm

Hi everyone,

I'm getting TLS errors in Windows; when I run the configuration on Linux it works fine, so I'm unsure what's occurring!

The error I'm getting:

Mon Aug 24 16:48:35 2015 VERIFY OK:
Mon Aug 24 16:48:35 2015 VERIFY OK: nsCertType=SERVER
Mon Aug 24 16:48:35 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
Mon Aug 24 16:48:35 2015 TLS Error: TLS object -> incoming plaintext read error
Mon Aug 24 16:48:35 2015 TLS Error: TLS handshake failed
Mon Aug 24 16:48:35 2015 Fatal TLS error (check_tls_errors_co), restarting

It connects fine with a Linux OS but when you try to connect via Windows it just keeps repeating the error

Client config

client
dev tun
proto tcp
remote (obscured) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert tadrim.crt
key tadrim.key
auth-nocache
ns-cert-type server
comp-lzo
verb 3

I have tried putting in the full path for the certs etc and still get the same error

Post by maikcat » Tue Aug 25, 2015 8:26 am

are you using the SAME configs/certs/openvpn ver?

Michael.

Post by tadrim » Tue Aug 25, 2015 8:35 am

Hi There,

Yes I have also generated new configs/certs to see if that is the issue but still get the same error on windows - works okay on Linux, the client is using the latest openvpn ver.

Post by tadrim » Tue Aug 25, 2015 10:21 am

Hi Maikcat,


Yes I am using the same configs/certs and openvpn version - apart from changing the directory of the cert files.

Post by maikcat » Tue Aug 25, 2015 11:02 am

which windows version do you have?
which openvpn version do you use on win?

please post complete server/client logs.

Michael.

Post by tadrim » Thu Aug 27, 2015 12:16 pm

Hi There,

the version is:
OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jul 9 2015
Thu Aug 27 12:58:02 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08

Here is the server log:

TLS: Initial packet from xxxx
VERIFY OK: details
VERIFY OK: nsCertType=SERVER
VERIFY OK: details
TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
MANAGEMENT: >STATE:1440677050,RECONNECTING,tls-error,,
Restart pause, 5 second(s)

and here is the client log:

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): 'c0103fa8'
Expected Remote Options hash (VER=V4): '69109d17'
TCP connection established with (ipaddress):64448
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: (ipaddress):64448
(ipaddress):64448 TLS: Initial packet from (ipaddress):64448, sid=b991999d 259a72c5
(ipaddress):64448 Connection reset, restarting [0]
(ipaddress):64448 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket

Post by Traffic » Thu Aug 27, 2015 12:19 pm

tadrim wrote:
> Here is the server log:
>
> TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

Please see this:
topic19384-15.html#p53874

Post by tadrim » Thu Aug 27, 2015 2:43 pm

Hi,

Thanks for the reply, unfortunately I'm not using one of the routers mentioned. It is also strange how I am able to connect with a Linux machine but not a Windows 8.

Post by Traffic » Thu Aug 27, 2015 8:06 pm

I believe you have your logs back to front:

tadrim wrote:
> here is the client log:
>
> MULTI: multi_create_instance called

This indicates it is a server log not client log.

tadrim wrote:
> the server log:
>
> TLS: Initial packet from xxxx
> VERIFY OK: details
> VERIFY OK: nsCertType=SERVER

This indicates it is a client log not server log.

What is your server and what version of openvpn do you use on the server ?

Did you create your own DH file (server: /etc/openvpn/dh.pem) ?

Post by tadrim » Tue Sep 01, 2015 9:26 am

Hi There,

Yes, I'm using my own DH file and the server is CentOS 5.11. Could you guide me on how to establish the OpenVPN version?
Another side question: do you have to reload the configuration file after you update it? - tempted to create another DH key.

The windows client is OpenVPN 2.3.7

Post by Traffic » Tue Sep 01, 2015 2:17 pm

tadrim wrote:
> server is CentOS 5.11, could you guide me on how to establish the OpenVPN version?

$ openvpn --version

tadrim wrote:
> do you have to reload the configuration file after you update it?

Yes .. best to stop & start openvpn completely.

tadrim wrote:
> Yes I'm using my own DH file

Did you edit vars file for correct parameters and source the file ?

tadrim wrote:
> tempted to create another dh key.

If you do I recommend using this EASY-RSA:
https://github.com/OpenVPN/easy-rsa/releases

Post by tadrim » Wed Sep 02, 2015 8:42 am

Hi there,

Unfortunately the command doesn't appear to give anything back:

openvpn --version
-bash: openvpn: command not found


Yes, I edited vars and updated the .conf file with the new DH key; going to restart later at some point, hopefully it goes well.
