iOS v3 App TLS Errors on New Installs Only

ciacco22
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 12, 2018 4:54 pm

iOS v3 App TLS Errors on New Installs Only

Post by ciacco22 » Wed Sep 12, 2018 6:39 pm

With the upgrade of OpenVPN Connect to v3.0.1 (770), I've found that I can only connect on iPhones that upgraded the app (after reinstalling the config). When the app is installed on an iPhone that did not have it previously, it fails with the following TLS error.

Server Log:


ovpn-server[9110]: X.X.X.X:42529 TLS: Initial packet from [AF_INET]X.X.X.X:42529, sid=c93dd086 c1f6f25f
ovpn-server[9110]: X.X.X.X:42529 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
ovpn-server[9110]: X.X.X.X:42529 OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
ovpn-server[9110]: X.X.X.X:42529 TLS_ERROR: BIO read tls_read_plaintext error
ovpn-server[9110]: X.X.X.X:42529 TLS Error: TLS object -> incoming plaintext read error
ovpn-server[9110]: X.X.X.X:42529 TLS Error: TLS handshake failed

Client Log:


----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep  4 2018 09:41:09

Frame=512/2048/512 mssfix-ctrl=1250

UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]

EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge

Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1

EVENT: DISCONNECTED

Raw stats on disconnect:
  BYTES_IN : 98
  BYTES_OUT : 6260
  PACKETS_IN : 1
  PACKETS_OUT : 22

Performance stats on disconnect:
  CPU usage (microseconds): 76332
  Network bytes per CPU second: 83294
  Tunnel bytes per CPU second: 0

When I received this error on the old iOS app, I successfully fixed it by checking the AES-CBC cipher algorithm setting.

I've verified that the settings match between the freshly installed iOS app and the upgraded iOS app.

Server Config TLS Settings:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC

Client Config TLS Settings:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC


Re: iOS v3 App TLS Errors on New Installs Only

Post by ciacco22 » Wed Sep 12, 2018 7:02 pm

Additionally, here are the logs for the upgraded iOS app and a successful connection.

Client Log:


----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep  4 2018 09:41:09

Frame=512/2048/512 mssfix-ctrl=1250

UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [user] [nobody]
7 [group] [nogroup]
8 [persist-key]
9 [persist-tun]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
18 [auth-nocache]

EVENT: RESOLVE
Contacting [X.X.X.X]:PORT/UDP via UDP
EVENT: WAIT
Connecting to [domain]:PORT (X.X.X.X) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
Creds: StaticChallenge
Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_COMP_STUB=1

VERIFY OK : depth=1
cert. version    : X
serial number    : XX:XX:XX:XX:XX:XX:XX:XX
issuer name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
subject name      : C=US, ST=Illinois, L=Chicago, O=Comany, OU=DOMAIN, CN=domain.com, ??=Certificate Authority, emailAddress=email
issued  on        : 2018-06-27 16:51:02
expires on        : 2028-06-24 16:51:02
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true


VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Certificate Authority, emailAddress=email
subject name      : C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, ??=DOMAIN Server Cert, emailAddress=email
issued  on        : 2018-06-27 16:51:03
expires on        : 2028-06-24 16:51:03
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : domain.com
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
Session is ACTIVE
EVENT: GET_CONFIG
Sending PUSH_REQUEST to server...

OPTIONS:
0 [route] [X.X.X.X] [X.X.X.X]
1 [route] [X.X.X.X] [X.X.X.X]
2 [dhcp-option] [DNS] [X.X.X.X]
3 [dhcp-option] [DNS] [X.X.X.X]
4 [dhcp-option] [DNS] [X.X.X.X]
5 [compress] [lz4-v2]
6 [route] [X.X.X.X]
7 [topology] [net30]
8 [ping] [10]
9 [ping-restart] [120]
10 [ifconfig] [X.X.X.X] [X.X.X.X]


PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  compress: LZ4v2
  peer ID: -1

EVENT: ASSIGN_IP
NIP: preparing TUN network settings
NIP: init TUN network settings with endpoint: X.X.X.X
NIP: adding IPv4 address to network settings X.X.X.X/255.255.255.252
NIP: adding (included) IPv4 route X.X.X.X/30
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/16
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding DNS X.X.X.X
NIP: adding match domain ALL
NIP: adding DNS specific routes:
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
NIP: adding (included) IPv4 route X.X.X.X/32
Connected via NetworkExtensionTUN
LZ4v2 init asym=0
EVENT: CONNECTED username@domain:PORT (X.X.X.X) via /UDPv4 on NetworkExtensionTUN/X.X.X.X/ gw=[/]

Server Log:


X.X.X.X:46391 TLS: Initial packet from [AF_INET]X.X.X.X:46391, sid=dafac842 38ac4828
X.X.X.X:46391 VERIFY OK: depth=1, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain.com, name=Certificate Authority, emailAddress=email
X.X.X.X:46391 VERIFY OK: depth=0, C=US, ST=Illinois, L=Chicago, O=Company, OU=DOMAIN, CN=domain, name=DOMAIN Client Cert, emailAddress=email
X.X.X.X:46391 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.1-770
X.X.X.X:46391 peer info: IV_VER=3.2
X.X.X.X:46391 peer info: IV_PLAT=ios
X.X.X.X:46391 peer info: IV_LZO=1
X.X.X.X:46391 peer info: IV_LZO_SWAP=1
X.X.X.X:46391 peer info: IV_LZ4=1
X.X.X.X:46391 peer info: IV_COMP_STUB=1
X.X.X.X:46391 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
X.X.X.X:46391 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
X.X.X.X:46391 TLS: Username/Password authentication succeeded for username 'username'
X.X.X.X:46391 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
X.X.X.X:46391 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
X.X.X.X:46391 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
X.X.X.X:46391 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
X.X.X.X:46391 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
X.X.X.X:46391 [domain] Peer Connection Initiated with [AF_INET]X.X.X.X:46391
domain/X.X.X.X:46391 MULTI_sva: pool returned IPv4=X.X.X.X, IPv6=(Not enabled)
domain/X.X.X.X:46391 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
domain/X.X.X.X:46391 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7d8594863b0dec8f3ffcd46312862a90.tmp
domain/X.X.X.X:46391 MULTI: Learn: X.X.X.X -> domain/X.X.X.X:46391
domain/X.X.X.X:46391 MULTI: primary virtual IP for domain/X.X.X.X:46391: X.X.X.X
domain/X.X.X.X:46391 PUSH: Received control message: 'PUSH_REQUEST'
domain/X.X.X.X:46391 SENT CONTROL [domain]: 'PUSH_REPLY,route X.X.X.X 255.255.0.0,route X.X.X.X 255.255.0.0,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,dhcp-option DNS X.X.X.X,compress lz4-v2,route X.X.X.X,topology net30,ping 10,ping-restart 120,ifconfig X.X.X.X X.X.X.X' (status=1)
domain/X.X.X.X:46391 SIGTERM[soft,remote-exit] received, client-instance exiting
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
MANAGEMENT: Client connected from [AF_INET]X.X.X.X:PORT
EDITED FOR FORMATTING


Re: iOS v3 App TLS Errors on New Installs Only

Post by ciacco22 » Mon Sep 24, 2018 12:08 am

Looking at this some more, I updated my TLS cipher according to https://community.openvpn.net/openvpn/wiki/Hardening and am now able to connect.


tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
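Added example, not from this thread and not OpenVPN's own tooling: a small Python script that does the checks a server admin runs when a client reports "no shared cipher". It pulls the failing peers out of the server log, reads the tls-cipher value the client actually loaded from its "UNUSED OPTIONS" block, records which control-channel suite a successful session negotiated, and intersects the server's and client's tls-cipher lists (OpenVPN's --tls-cipher takes a colon-separated list of IANA-style names). It also flags suites whose HMAC is SHA-1 (names ending in -SHA), which is the class the Hardening wiki linked above steers away from. The log lines and the 203.0.113.x addresses are constructed to mirror the thread's masked output, not copied from it. Note what the thread's own logs show: both configs carried the same single suite, yet the fresh install still failed, so a non-empty configured intersection only proves the configs agree, not that the client's TLS library offers that suite.

```python
import re

# Constructed sample logs, modelled on the masked output in the thread.
SERVER_LOG_FAIL = """\
ovpn-server[9110]: 203.0.113.7:42529 TLS: Initial packet from [AF_INET]203.0.113.7:42529, sid=c93dd086 c1f6f25f
ovpn-server[9110]: 203.0.113.7:42529 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
ovpn-server[9110]: 203.0.113.7:42529 OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
ovpn-server[9110]: 203.0.113.7:42529 TLS Error: TLS handshake failed
"""

SERVER_LOG_OK = """\
203.0.113.7:46391 TLS: Initial packet from [AF_INET]203.0.113.7:46391, sid=dafac842 38ac4828
203.0.113.7:46391 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
"""

CLIENT_LOG = """\
UNUSED OPTIONS
4 [resolv-retry] [infinite]
11 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-CBC-SHA]
15 [verb] [3]
"""

# Both the OpenVPN wrapper message and the underlying OpenSSL error.
NO_SHARED_CIPHER = re.compile(r"no TLS ciphersuites in common|no shared cipher")
# First ip:port on the line is the peer (the [AF_INET] copy comes later).
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)")
# "Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA"
CONTROL_CHANNEL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,\s]+)")
# The client log echoes the loaded option as "11 [tls-cipher] [NAME:NAME...]".
TLS_CIPHER_OPT_RE = re.compile(r"\[tls-cipher\] \[([^\]]+)\]")


def find_cipher_mismatches(server_log):
    """Return peers (ip:port, in order of first appearance) that failed for lack of a shared suite."""
    peers = []
    for line in server_log.splitlines():
        if NO_SHARED_CIPHER.search(line):
            m = PEER_RE.search(line)
            peer = m.group(1) if m else "<unknown peer>"
            if peer not in peers:
                peers.append(peer)
    return peers


def negotiated_control_channel(server_log):
    """Return (tls_version, openssl_cipher_name) of a successful handshake, or None."""
    for line in server_log.splitlines():
        m = CONTROL_CHANNEL_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def parse_tls_cipher(value):
    """Split a --tls-cipher value into its IANA-style suite names."""
    return [s.strip() for s in value.split(":") if s.strip()]


def client_tls_cipher(client_log):
    """Return the suites the client loaded from its profile, [] if none was echoed."""
    m = TLS_CIPHER_OPT_RE.search(client_log)
    return parse_tls_cipher(m.group(1)) if m else []


def common_suites(server_suites, client_suites):
    """Suites present in both lists, in the server's preference order."""
    wanted = set(client_suites)
    return [s for s in server_suites if s in wanted]


def legacy_suites(suites):
    """Suites whose HMAC is SHA-1 (name ends in -SHA) or that use 3DES/RC4."""
    return [s for s in suites
            if s.endswith("-SHA") or "-3DES-" in s or "-RC4-" in s]


def diagnose(server_log, client_log, server_tls_cipher):
    """Combine the checks into one report dict for a given server tls-cipher value."""
    server = parse_tls_cipher(server_tls_cipher)
    client = client_tls_cipher(client_log)
    return {
        "failed_peers": find_cipher_mismatches(server_log),
        "negotiated": negotiated_control_channel(server_log),
        "client_suites": client,
        "common": common_suites(server, client),
        "legacy_on_server": legacy_suites(server),
    }


if __name__ == "__main__":
    for label, log in (("failing install", SERVER_LOG_FAIL), ("upgraded install", SERVER_LOG_OK)):
        report = diagnose(log, CLIENT_LOG, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA")
        print(label, report)
```

Run it against a real server log and the client's exported log; if "failed_peers" is non-empty while "common" is also non-empty, the configs agree and the problem is on the client's TLS stack, which is the situation this thread describes.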
