SSL - Verification of the message MAC failed while connecting iPad 1

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Sat Apr 14, 2018 9:26 pm

After updating my VPN server to OpenVPN 2.4.0 (debian stretch) I’ve got the error message “SSL - Verification of the message MAC failed” on my iPad 1 with iOS version 5.1.1. My iOS OpenVPN app has version 1.1.1 build 212.
I didn’t change my configuration files and my iPad Air with iOS version 10.3.3 is still working with the same configuration. Could anybody tell me, if there is a legacy option, to get the same behaviour like in the old OpenVPN 2.3.4 (debian Jessie)? Do you have any other idea to get my iPad 1 connected again?

Thank you and best regards

Here are my config files and logs for this issue.

My Server Config File

server 192.168.5.0 255.255.255.128
ifconfig-pool-persist ipad/ipp_ipad.txt
push "redirect-gateway def1"
tls-server
dev tun-ipad
client-to-client
proto tcp-server
port XXX
ca ipad/ca.crt
cert ipad/server.crt
key ipad/server.key
crl-verify ipad/crl.pem
dh ipad/dh2048.pem
tls-auth ipad/tls_auth.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon openvpn_ipad
verb 3
script-security 2


My iPad Config File

client
tls-client
dev tun
remote server_name.de
resolv-retry infinite
nobind
proto tcp-client
port XXX
persist-tun
persist-key
user nobody
group nogroup
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>


Here is my iPad log file. You can see the full exception in row 26.
iPad Logging

2018-04-14 22:04:48 Connecting to server_name.de:XXX (XXX.XXX.XXX.XXX) via TCPv4
2018-04-14 22:04:48 EVENT: CONNECTING
2018-04-14 22:04:48 Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2018-04-14 22:04:48 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
2018-04-14 22:04:48 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=client_name CA, 0x29=OpenVPN SSL, emailAddress=client_name@server.homenet
subject name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=server, 0x29=OpenVPN SSL, emailAddress=info@server.homenet
issued on : 2013-08-29 15:09:16
expires on : 2023-08-27 15:09:16
signed using : RSA+SHA256
RSA key size : 2048 bits
2018-04-14 22:04:48 VERIFY OK: depth=1
cert. version : 3
serial number : BA:A6:99:89:1D:D6:59:46
issuer name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=client_name CA, 0x29=OpenVPN SSL, emailAddress=client_name@server.homenet
subject name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=server CA, 0x29=OpenVPN SSL, emailAddress=info@server.homenet
issued on : 2013-08-29 15:08:48
expires on : 2023-08-27 15:08:48
signed using : RSA+SHA256
RSA key size : 2048 bits

2018-04-14 22:04:50 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed
2018-04-14 22:04:50 Client terminated, restarting in 2...
2018-04-14 22:04:51 EVENT: DISCONNECTED
2018-04-14 22:04:51 Raw stats on disconnect:
BYTES_IN : 8254
BYTES_OUT : 4814
PACKETS_IN : 14
PACKETS_OUT : 16
TCP_CONNECT_ERROR : 2
SSL_ERROR : 2
N_RECONNECT : 3
2018-04-14 22:04:51 Performance stats on disconnect:
CPU usage (microseconds): 2067789
Network bytes per CPU second: 6319
Tunnel bytes per CPU second: 0
2018-04-14 22:04:51 ----- OpenVPN Stop -----

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Sun Apr 15, 2018 11:47 am

--tls-auth requires a direction option.

eg:
  • --tls-auth ta.key 0 or 1 (Usually zero on the server and one on the client)
  • or use --key-direction 0 or 1 (Same as above)
See --tls-auth & --key-direction in The Manual v24x

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Tue Apr 17, 2018 4:29 pm

formusr wrote:
Sat Apr 14, 2018 9:26 pm
my iPad 1 with iOS version 5.1.1. My iOS OpenVPN app has version 1.1.1 build 212.
This is an old version, can you update it or is that not possible ?

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Wed Apr 18, 2018 8:52 pm

Thank you for the reply. First I tried your hint with the key direction, but it didn't help. Then I removed the tls declarative entirely, but still I've got the error message "Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed".
By the way, for iPad 1 I cannot install a higher version than 5.1.1. and also for the app I get no offer for a higher version in the app store. Even if I believe that the reason is rather a buggy implementation in this version, but unfortunately I can only change something on server side. But as I said, with an older version of OpenVPN on server side, it has worked perfectly.
Has maybe somebody any other idea?
Thank you in advance

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Wed Apr 18, 2018 9:02 pm

You could downgrade your Openvpn server version:
https://community.openvpn.net/openvpn/w ... twareRepos

You claim it worked before, does it work if you re-install a 2.3 version ?

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Sat Apr 21, 2018 12:04 am

Thanks a lot, now it is working again. I have downgraded to the version in debian jessie.
I'm wondering if I'm now disconnected from the update path of openvpn and openssl. This could lead to serious security trouble. If you got an idea, how I can still get automatic security updates, please let me know.

Because it was not so easy, I documented here in case someone else got the same problem like me.
First create the file /etc/apt/sources.list.d/jessie.list with the following content.
Jessie Config

deb http://httpredir.debian.org/debian jessie main contrib non-free
deb-src http://httpredir.debian.org/debian jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free


Now you need to create the file /etc/apt/sources.list.d/openvpn-aptrepo.list with the following content.
Openvpn Config


Then you can install the pubkey of the openvpn repository with this command.
Get pubkey


Then load the new repositories with apt update.
Then install the old version of openssl with apt install openssl/jessie
Then check all available versions of openvpn with apt-cache policy openvpn
Then install the old version of openvpn with this command apt-get install openvpn=2.3.4-5+deb8u2. The version can differ in your case.
Now restart openvpn. You have successfully downgraded both packages.

Then lock this version with the following commands. Otherwise you get back to the newest version of these packages with cron-apt.
Lock Version

apt-mark hold openssl
apt-mark hold openvpn


You can check the status of these packages with this command.
State Selection

dpkg --get-selections | grep 'openvpn\|openssl'


With these commands you can check the versions of these packages.
Show Version

openvpn --version
openssl version
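
A held package no longer follows the newer release, so it helps to list what is on hold and whether apt would install a different version. The following is an added example, not part of the original post: the function names are hypothetical, the sample command output is constructed, and the candidate version string is a placeholder.

```shell
#!/bin/sh
# Added example: audit packages pinned with `apt-mark hold`.

# Read `dpkg --get-selections` output on stdin and print the names of
# all packages in state "hold" (any ":arch" suffix is stripped).
held_packages() {
    awk '$2 == "hold" { sub(/:.*/, "", $1); print $1 }'
}

# Read `apt-cache policy <pkg>` output on stdin and print
# "<pkg> <installed> <candidate> current|differs".
policy_status() {
    awk '
        /^[^ ]+:$/         { pkg = $1; sub(/:$/, "", pkg) }
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (pkg == "") exit 1
            print pkg, inst, cand, (inst == cand ? "current" : "differs")
        }
    '
}

# Live use on the server (needs dpkg and apt-cache); not called here.
audit_holds() {
    dpkg --get-selections | held_packages | while read -r pkg; do
        apt-cache policy "$pkg" | policy_status
    done
}

# Constructed sample of `dpkg --get-selections` output.
SAMPLE_SELECTIONS='libssl1.0.0:amd64      install
openssh-server         install
openssl                hold
openvpn                hold'

# Constructed sample of `apt-cache policy openvpn` output; the candidate
# version is a placeholder, the installed one is the version from the post.
SAMPLE_POLICY='openvpn:
  Installed: 2.3.4-5+deb8u2
  Candidate: 2.4.0-0example
  Version table:
     2.4.0-0example 500
 *** 2.3.4-5+deb8u2 500
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_SELECTIONS" | held_packages
printf '%s\n' "$SAMPLE_POLICY" | policy_status
```

A "differs" line for a held package means apt has another version available that the hold is keeping out.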

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Sun Apr 22, 2018 12:01 am

formusr wrote:
Sat Apr 21, 2018 12:04 am
I have downgrade to the version in debian jessie
You have successfully downgraded your security ..

Please .. do not try this at home.

Openvpn will stop supporting version 2.3 very soon, if not already.

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Mon Apr 23, 2018 9:00 pm

Well, I’m absolutely aware that this is no solution for a long time, but could you give me a hint how I can solve this issue in version 2.4?
And can anybody tell me a date when 2.3 is running out of maintenance? I plan to replace the iPad 1 in a couple of months, but until then it needs to work with it.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Mon Apr 23, 2018 9:44 pm

You will have to set up your 2.4 server again .. but if you do you could try disabling --tls-auth
