
[2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Thu Aug 18, 2016 8:15 am
by Deantwo
I have a setup using a MikroTik router as OpenVPN server for Windows clients that has worked for a number of years now.
Everything works fine with OpenVPN Client 2.3.10 or older, but when I attempt to use OpenVPN Client 2.3.11 I am getting a TLS error.

The change log does not mention anything particularly useful; the closest I can find is "Restrict default TLS cipher list", but it isn't very enlightening.

Install packages:
  • openvpn-install-2.3.10-I601-x86_64.exe
  • openvpn-install-2.3.11-I601-x86_64.exe
Log of the 2.3.11 client:


* OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
* Windows version 6.2 (Windows 8 or greater) 64bit
* library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
Enter Management Password:
* MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
* Need hold release from management interface, waiting...
* MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
* MANAGEMENT: CMD 'state on'
* MANAGEMENT: CMD 'log all on'
* MANAGEMENT: CMD 'hold off'
* MANAGEMENT: CMD 'hold release'
* Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
* Socket Buffers: R=[65536->65536] S=[65536->65536]
* MANAGEMENT: >STATE:1471505278,RESOLVE,,,
* Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
* Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
* Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
* Local Options hash (VER=V4): 'db02a8f8'
* Expected Remote Options hash (VER=V4): '7e068940'
* Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
* MANAGEMENT: >STATE:1471505278,TCP_CONNECT,,,
* TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
* TCPv4_CLIENT link local: [undef]
* TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
* MANAGEMENT: >STATE:1471505279,WAIT,,,
* MANAGEMENT: >STATE:1471505279,AUTH,,,
* TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=0661f363 2fc75f21
* WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
* OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* TLS_ERROR: BIO read tls_read_plaintext error
* TLS Error: TLS object -> incoming plaintext read error
* TLS Error: TLS handshake failed
* Fatal TLS error (check_tls_errors_co), restarting
* TCP/UDP: Closing socket
* SIGUSR1[soft,tls-error] received, process restarting
* MANAGEMENT: >STATE:1471505279,RECONNECTING,tls-error,,
* Restart pause, 5 second(s)
* Re-using SSL/TLS context
* Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
* Socket Buffers: R=[65536->65536] S=[65536->65536]
* MANAGEMENT: >STATE:1471505284,RESOLVE,,,
* Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
* Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
* Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
* Local Options hash (VER=V4): 'db02a8f8'
* Expected Remote Options hash (VER=V4): '7e068940'
* Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
* MANAGEMENT: >STATE:1471505284,TCP_CONNECT,,,
* TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
* TCPv4_CLIENT link local: [undef]
* TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
* MANAGEMENT: >STATE:1471505285,WAIT,,,
* MANAGEMENT: >STATE:1471505285,AUTH,,,
* TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=0847f2a5 e2a1d851
* OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* TLS_ERROR: BIO read tls_read_plaintext error
* TLS Error: TLS object -> incoming plaintext read error
* TLS Error: TLS handshake failed
* Fatal TLS error (check_tls_errors_co), restarting
* TCP/UDP: Closing socket
* SIGUSR1[soft,tls-error] received, process restarting
* MANAGEMENT: >STATE:1471505285,RECONNECTING,tls-error,,
* Restart pause, 5 second(s)
* SIGTERM[hard,init_instance] received, process exiting
* MANAGEMENT: >STATE:1471505286,EXITING,init_instance,,
MikroTik log:


* ovpn,info          TCP connection established from xxx.xxx.xxx.xxx 
* ovpn,debug,error   duplicate packet, dropping 
* ovpn,debug         <xxx.xxx.xxx.xxx>: disconnected <TLS failed> 
* ovpn,info          TCP connection established from xxx.xxx.xxx.xxx 
* ovpn,debug,error   duplicate packet, dropping 
* ovpn,debug         <xxx.xxx.xxx.xxx>: disconnected <TLS failed> 
* ovpn,info          TCP connection established from xxx.xxx.xxx.xxx 
* ovpn,debug,error   duplicate packet, dropping 
* ovpn,debug         <xxx.xxx.xxx.xxx>: disconnected <TLS failed> 
Anyone know what was changed between 2.3.10 and 2.3.11 that could be causing this problem?
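Added example, not code from the post, from OpenVPN or from MikroTik: a small Python triage script that decodes the OpenSSL error code in a client log like the one above and pulls out the options string the client offered. The packing `lib<<24 | func<<12 | reason` is the OpenSSL 1.0.x layout (the client here is built against 1.0.1t); OpenSSL 3.x changed the layout and this decoder does not apply to it. In libssl a reason code of 1000+N means "the peer sent TLS alert N", so reason 1040 is alert 40, handshake_failure, i.e. the server rejected the ClientHello rather than the client rejecting the server. The sample log is an excerpt of the lines above; the alert-name table (RFC 5246) and the wording of the findings are the example's own.

```python
"""Triage an OpenVPN client log for TLS handshake failures (added example)."""
import re

ERR_LIB_SSL = 20             # OpenSSL library code for libssl ("SSL routines")
SSL_AD_REASON_OFFSET = 1000  # libssl reason 1000+N == "peer sent TLS alert N"

# TLS alert descriptions, RFC 5246 section 7.2 (subset relevant to VPN triage)
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

OPENSSL_ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")
OPTIONS_RE = re.compile(r"Local Options String: '([^']*)'")
LIBVER_RE = re.compile(r"library versions: (OpenSSL [^,]+)")

# Constructed sample: an excerpt of the 2.3.11 client log posted above.
SAMPLE_LOG = """\
* OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
* library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
* Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
* TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=0661f363 2fc75f21
* WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
* OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* TLS Error: TLS handshake failed
"""


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.0.x error code: lib<<24 | func<<12 | reason."""
    lib = code >> 24
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET   # the alert number the peer sent
    return {
        "lib": lib, "func": func, "reason": reason, "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def parse_options_string(opts):
    """Turn 'V4,dev-type tun,cipher BF-CBC,...,tls-client' into a dict; bare flags map to True."""
    out = {}
    for item in opts.split(","):
        key, _, val = item.partition(" ")
        out[key] = val if val else True
    return out


def triage(log_text):
    """Scan a client log; return library version, offered options, decoded errors, findings."""
    result = {"openssl": None, "options": {}, "errors": [], "findings": []}
    for line in log_text.splitlines():
        m = LIBVER_RE.search(line)
        if m:
            result["openssl"] = m.group(1).strip()
        m = OPTIONS_RE.search(line)
        if m and not result["options"]:
            result["options"] = parse_options_string(m.group(1))
        m = OPENSSL_ERR_RE.search(line)
        if m:
            err = decode_openssl_error(int(m.group(1), 16))
            err["function"] = m.group(3)      # e.g. SSL23_GET_SERVER_HELLO
            err["text"] = m.group(4)          # libssl's own reason string
            result["errors"].append(err)
    # Findings: this script's own reading of the evidence, not OpenVPN's
    if any(e["peer_alert"] == 40 for e in result["errors"]):
        result["findings"].append(
            "server sent TLS alert 40 handshake_failure while we waited for ServerHello: "
            "it found no acceptable cipher suite/parameters in our ClientHello; compare the "
            "client's tls-cipher list with what the server can offer")
    cipher = result["options"].get("cipher", "")
    if isinstance(cipher, str) and cipher.upper().startswith("BF-"):
        result["findings"].append(
            "data-channel cipher %s uses a 64-bit block (SWEET32 class); prefer AES" % cipher)
    if "cache passwords in memory" in log_text:
        result["findings"].append("client warns it may cache the password; add auth-nocache")
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("library:", r["openssl"])
    for e in r["errors"]:
        print("error lib=%d func=%d reason=%d alert=%s (%s)" % (
            e["lib"], e["func"], e["reason"], e["peer_alert"], e["peer_alert_name"]))
    for f in r["findings"]:
        print("-", f)
```

The decoded values for the code in the log are lib 20 (SSL), function 119 (SSL23_GET_SERVER_HELLO, as the log itself names it) and reason 1040, i.e. alert 40 from the server. That alone tells you where to look: the client got as far as sending its hello, and the server, not the client, refused to continue.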

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Thu Aug 18, 2016 11:02 am
by TinCanTech
Please post your client config file and as much detail as you can about your server config.

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Thu Aug 18, 2016 1:39 pm
by Deantwo
TinCanTech wrote:Please post your client config file and as much detail as you can about your server config.
Yeah, sorry, I intended to edit that in, but forgot that there might be moderation of new users' posts.

Here is my config file:


client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
cryptoapicert "THUMB:00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ns-cert-type server
cipher BF-CBC
verb 4
auth-user-pass "Internal Login.conf"
keepalive 5 60
route xxx.xxx.xxx.xxx 255.255.255.0
route xxx.xxx.xxx.xxx 255.255.255.0
route xxx.xxx.xxx.xxx 255.255.255.0
route xxx.xxx.xxx.xxx 255.255.255.0

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Fri Aug 19, 2016 7:07 am
by Deantwo
So, can I make a new post without moderation approval yet?
I tend to edit my post 5-20 times before being done, so moderation is rather annoying. I do however know how needed it is, so thanks for the good work, moderators!

I don't know much about how the server configuration works on a MikroTik router. Only know that it worked before updating to the 2.3.11 version of the client.
The MikroTik wiki doesn't have much information about their OpenVPN implementation.
See: http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Fri Aug 19, 2016 10:49 am
by TinCanTech
What version of Windows are you using?

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Mon Aug 22, 2016 6:14 am
by Deantwo
TinCanTech wrote:What version of Windows are you using?
Windows 10.

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Mon Aug 22, 2016 12:49 pm
by TinCanTech
Please see this support ticket:
https://community.openvpn.net/openvpn/ticket/685

Re: [2.3.11 client] routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Posted: Mon Aug 22, 2016 1:41 pm
by Deantwo
TinCanTech wrote:Please see this support ticket:
https://community.openvpn.net/openvpn/ticket/685
Ah! Thanks a lot.

I guess I will need to upgrade my MikroTik router then, RouterOS 6.36 has been released with the fix already.
Link to the MikroTik forum 6.36 release thread for interested people: http://forum.mikrotik.com/viewtopic.php?f=21&t=110419

I guess that means I was correct in thinking that "Restrict default TLS cipher list" was the cause, wish the change log had been a little more detailed about this.
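Added example, not code from the thread, from OpenVPN or from MikroTik: a Python script that uses the standard `ssl` module to expand two OpenSSL cipher-list strings against the local libssl and groups the surviving TLS 1.2-and-below suites by key exchange. RESTRICTED is the default `tls-cipher` string that OpenVPN 2.3.11 introduced, as recalled from its source; the page only quotes the changelog line. RELAXED is the same list with `!kRSA` dropped. That a RouterOS OpenVPN server of that era only offered static RSA key exchange, so that excluding `kRSA` leaves no common suite, is an assumption made here to illustrate the mechanism, not something the thread states. The suite names printed depend on the OpenSSL build the script runs against; unknown aliases in a cipher string are ignored by libssl, which is why the list still parses on newer OpenSSL.

```python
"""Expand OpenSSL cipher-list strings and group suites by key exchange (added example)."""
import ssl

# Assumed: the default --tls-cipher that OpenVPN 2.3.11 introduced.
RESTRICTED = "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
# Same list without the RSA-key-exchange exclusion: what a client would have
# to offer to a server that only supports static RSA key exchange (no (EC)DHE).
RELAXED = "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP"


def enabled_suites(cipher_list):
    """Expand cipher_list with the local libssl; return (name, kea) for the
    pre-TLS1.3 suites it enables. TLS 1.3 suites are configured separately
    (SSL_CTX_set_ciphersuites) and are left out so the comparison is fair."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        # Nothing survived the list: the edge case that guarantees a handshake failure.
        return []
    return [(c["name"], c.get("kea", "")) for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"]


def uses_rsa_key_exchange(kea):
    """libssl reports key exchange as e.g. 'kx-rsa', 'kx-ecdhe', 'kx-dhe'."""
    return "rsa" in kea.lower()


def by_key_exchange(cipher_list):
    """Group enabled suite names by key-exchange mechanism."""
    groups = {}
    for name, kea in enabled_suites(cipher_list):
        groups.setdefault(kea, []).append(name)
    return groups


def would_reach_rsa_only_server(cipher_list):
    """Does this client list share at least one suite with a server that
    accepts only static-RSA key exchange (the assumed RouterOS behaviour)?"""
    return any(uses_rsa_key_exchange(kea) for _, kea in enabled_suites(cipher_list))


def rsa_only_suites_removed(restricted, relaxed):
    """Suites present under `relaxed` but not `restricted`: what !kRSA took away."""
    return sorted(set(enabled_suites(relaxed)) - set(enabled_suites(restricted)))


if __name__ == "__main__":
    for label, lst in (("2.3.11 default", RESTRICTED), ("kRSA re-enabled", RELAXED)):
        print("%s: %s" % (label, lst))
        for kea, names in sorted(by_key_exchange(lst).items()):
            print("  %-10s %2d suites, e.g. %s" % (kea, len(names), names[0]))
        print("  reaches RSA-only server:", would_reach_rsa_only_server(lst))
    print("removed by !kRSA:", [n for n, _ in rsa_only_suites_removed(RESTRICTED, RELAXED)])
```

Run it before touching a client config: if `would_reach_rsa_only_server` is false for the list the client is using and the server has no (EC)DHE suites, alert 40 is exactly what you will get back. Re-enabling `kRSA` on the client (a `tls-cipher` line carrying the RELAXED string) is the compatibility workaround, at the cost of forward secrecy; upgrading the server so it offers (EC)DHE, as the post above chose, keeps the restricted default.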