No shared TLS ciphers

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Pestaninha
OpenVpn Newbie
Posts: 4
Joined: Thu Dec 21, 2017 9:41 pm

No shared TLS ciphers

Post by Pestaninha » Thu Dec 21, 2017 9:55 pm

Hi,
I've set up OpenVPN in a FreeBSD jail. The configuration is working fine on my Mac, with Tunnelblick. However, on my Android, I'm unable to make it work... The connection won't establish and I'm greeted with the following log message on the server:


Dec 10 19:46:24 openvpn openvpn[91848]: 158...:58013 TLS: Initial packet from [AF_INET]158...:58013, sid=414ce6a3 656a09db
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS_ERROR: BIO read tls_read_plaintext error
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS Error: TLS object -> incoming plaintext read error
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS Error: TLS handshake failed
The configuration is the following:
Server:

local 172.16.1.35
port 443
proto udp
dev tun
ca /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/issued/VPNSERVER.crt
key /usr/local/etc/openvpn/pki/private/VPNSERVER.key
dh /usr/local/etc/openvpn/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
push "route 172.16.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/pki/private/ta.key 0
# data-channel cipher; independent of the TLS control-channel suite list below
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
tls-version-min 1.2
# control-channel whitelist: the ECDHE-ECDSA suite can only be used with an EC
# server certificate, the ECDHE-RSA suite only with an RSA one, and the client
# must offer the matching suite as well
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
Client:


client
dev tun
proto udp
remote 172.16.1.35 443
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert cert.crt
key pkey.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Can anyone help me with this issue? I've already tried to enable the force CBC ciphers option on the client without success... I have also analysed a pcap to check which TLS ciphers were being negotiated and matched the tls-ciphers to one of the proposed ciphers without success.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: No shared TLS ciphers

Post by TinCanTech » Thu Dec 21, 2017 10:11 pm

Try without the --tls-cipher line.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: No shared TLS ciphers

Post by ordex » Fri Dec 22, 2017 2:54 pm

TinCanTech is right.

ECDSA is not yet supported in ovpn3 core and thus in OpenVPN Connect for Android. It is on the roadmap, but not yet there. Therefore, if you force using it, there will be no common tls-ciphersuite.

Although TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA should work...
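The failure ordex describes is a three-way intersection problem: a TLS 1.2 suite is only negotiable if the server lists it in --tls-cipher, the server certificate's key type matches the suite's authentication algorithm (ECDSA suites need an EC key, *-RSA suites an RSA key), and the client offers it in its ClientHello. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It models that intersection for the server's --tls-cipher line from the first post and translates the IANA-style names OpenVPN uses into OpenSSL names so you can reproduce the check with `openssl s_client -cipher`. Assumptions: the server certificate is RSA (the easy-rsa default; the thread never says), the client offer lists are constructed for illustration, and the name translation covers only AES-CBC/GCM suites of the four key-exchange families listed.

```python
"""Model why OpenSSL reports "no shared cipher" for a given OpenVPN --tls-cipher list."""
import re

# Certificate key type each TLS 1.2 key-exchange/authentication family requires.
# Assumption: only these four families are modelled (enough for the thread's config).
_AUTH_KEY_TYPE = {
    "ECDHE-ECDSA": "EC",
    "ECDHE-RSA": "RSA",
    "DHE-RSA": "RSA",
    "RSA": "RSA",
}

_SUITE_RE = re.compile(r"^TLS-(ECDHE-ECDSA|ECDHE-RSA|DHE-RSA|RSA)-WITH-(.+)$")

# The --tls-cipher value from the server config in the first post.
THREAD_TLS_CIPHER = (
    "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:"
    "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"
)

# Constructed client offer (illustrative, not taken from the poster's pcap):
# a client that speaks ECDHE-RSA but only with SHA384, plus a DHE suite.
CLIENT_OFFER_NO_MATCH = [
    "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
]

# Constructed client offer that includes the one suite an RSA server can use.
CLIENT_OFFER_MATCH = CLIENT_OFFER_NO_MATCH + ["TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"]


def parse_tls_cipher(value):
    """Split a --tls-cipher value into its colon-separated IANA-style names."""
    return [s.strip() for s in value.split(":") if s.strip()]


def auth_key_type(suite):
    """Return 'RSA' or 'EC' for the certificate key the suite authenticates with."""
    m = _SUITE_RE.match(suite)
    return _AUTH_KEY_TYPE[m.group(1)] if m else None


def to_openssl_name(suite):
    """Translate an IANA-style name to OpenSSL's name (usable with s_client -cipher).

    OpenSSL drops 'CBC' and the hyphen in 'AES-256', and omits the 'RSA-' prefix
    for plain RSA key exchange (TLS-RSA-WITH-AES-256-CBC-SHA -> AES256-SHA).
    """
    m = _SUITE_RE.match(suite)
    if not m:
        raise ValueError("unsupported suite: " + suite)
    family, rest = m.groups()
    rest = rest.replace("AES-128-CBC", "AES128").replace("AES-256-CBC", "AES256")
    rest = rest.replace("AES-128-GCM", "AES128-GCM").replace("AES-256-GCM", "AES256-GCM")
    return rest if family == "RSA" else family + "-" + rest


def negotiable(server_tls_cipher, server_key_type, client_offered):
    """Suites that can actually be agreed, in the server's preference order."""
    offered = set(client_offered)
    return [
        s for s in parse_tls_cipher(server_tls_cipher)
        if auth_key_type(s) == server_key_type and s in offered
    ]


def diagnose(server_tls_cipher, server_key_type, client_offered):
    """Explain, per server suite, why it is or is not usable with this cert and client."""
    offered = set(client_offered)
    report = {}
    for s in parse_tls_cipher(server_tls_cipher):
        need = auth_key_type(s)
        if need is None:
            report[s] = "unrecognised suite name"
        elif need != server_key_type:
            report[s] = "needs %s server key, certificate is %s" % (need, server_key_type)
        elif s not in offered:
            report[s] = "not offered by client"
        else:
            report[s] = "usable"
    return report


if __name__ == "__main__":
    # Assumption: VPNSERVER.crt carries an RSA key (easy-rsa default).
    for offer in (CLIENT_OFFER_NO_MATCH, CLIENT_OFFER_MATCH):
        print("negotiable:", negotiable(THREAD_TLS_CIPHER, "RSA", offer))
        for suite, why in diagnose(THREAD_TLS_CIPHER, "RSA", offer).items():
            print("  %-45s %-22s %s" % (suite, to_openssl_name(suite), why))
```

With an RSA server certificate the ECDSA suite can never be selected regardless of what the client sends, so the whole list collapses to the single ECDHE-RSA suite; if the client does not offer exactly that one, OpenSSL reports "no shared cipher". To check the real inputs rather than the constructed ones, read the key type from the certificate with `openssl x509 -noout -text -in VPNSERVER.crt` (the "Public Key Algorithm" line) and the suites the client offers from the ClientHello in the pcap.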

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: No shared TLS ciphers

Post by TiTex » Sat Dec 23, 2017 6:58 am

I'm guessing you have to tick the "Force AES-CBC ciphersuites" option in client preferences.

Pestaninha
OpenVpn Newbie
Posts: 4
Joined: Thu Dec 21, 2017 9:41 pm

Re: No shared TLS ciphers

Post by Pestaninha » Sun Dec 24, 2017 1:29 am

Damn it, I should have said that I had already tried without the tls-ciphers line. Totally forgot about that...
I have tried to match the ciphers negotiated by openvpn connect with the tls-ciphers line without success.

Could this be an issue with the certificate as well?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: No shared TLS ciphers

Post by ordex » Sun Dec 24, 2017 11:41 am

I don't think so.
What client are you using on Android? What version? I guess the tls-version-min option is what's left that could be creating the issue.

Pestaninha
OpenVpn Newbie
Posts: 4
Joined: Thu Dec 21, 2017 9:41 pm

Re: No shared TLS ciphers

Post by Pestaninha » Wed Dec 27, 2017 2:03 pm

I'm using OpenVPN Connect 1.1.27. I have also tried disabling tls-version-min in the configuration without success.

Any ideas on how to troubleshoot this?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: No shared TLS ciphers

Post by TiTex » Wed Dec 27, 2017 3:52 pm

As I said, try
TiTex wrote:
Sat Dec 23, 2017 6:58 am
to tick the "Force AES-CBC ciphersuites" in client preferences

Pestaninha
OpenVpn Newbie
Posts: 4
Joined: Thu Dec 21, 2017 9:41 pm

Re: No shared TLS ciphers

Post by Pestaninha » Thu Dec 28, 2017 1:59 pm

TiTex wrote:
Wed Dec 27, 2017 3:52 pm
As I said, try
TiTex wrote:
Sat Dec 23, 2017 6:58 am
to tick the "Force AES-CBC ciphersuites" in client preferences
Pestaninha wrote:
Thu Dec 21, 2017 9:55 pm
Can anyone help me with this issue? I've already tried to enable the force CBC ciphers option on the client without success...
Did that already...
