Using experimental mbedTLS ciphersuites with OpenVPN

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
djones
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 25, 2017 11:06 am

Using experimental mbedTLS ciphersuites with OpenVPN

Post by djones » Fri Aug 25, 2017 11:38 am

Hi,

I'm using a forked version of mbedTLS that introduces experimental new ciphersuites for TLS v1.2. I've created a basic client/server OpenVPN setup, roughly following the HOWTO guide, and this connects and works fine. However, my interesting new ciphersuites are ignored and the client and server agree on TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

The preferred ciphersuites (on both client and server) are as follows:

Code: Select all

$ openvpn --show-tls | head
Available TLS Ciphers,
listed in order of preference:

TLS-NEWHOPE_ECDSA-WITH-AES-256-GCM-SHA384    <--- this is the one I'd like to use
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CCM
TLS-DHE-RSA-WITH-AES-256-CCM
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
I've tried to force the selection of this ciphersuite, using tls-cipher in both config files, but that causes a different issue in the server logs:

Code: Select all

TLS_ERROR: read tls_read_plaintext error: SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)
Any suggestions for a way forward? Am I going to have to hack OpenVPN to support novel ciphersuites? The phrase "common ciphersuites" makes me wonder if I need to roll up my sleeves and dive in.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by TinCanTech » Fri Aug 25, 2017 11:57 am

$ openvpn --version

djones
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 25, 2017 11:06 am

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by djones » Tue Aug 29, 2017 7:55 am

Code: Select all

OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 24 2017
library versions: mbed TLS 2.5.1, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=mbedtls with_gnu_ld=yes with_mem_check=no with_sysroot=no

User avatar
ecrist
Forum Team
Posts: 237
Joined: Wed Nov 26, 2008 10:33 pm
Location: Northern Minnesota, USA
Contact:

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by ecrist » Tue Aug 29, 2017 2:42 pm

Can you post the output of the logs? Please set verbosity to 4 and run a clean client/server startup.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

djones
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 25, 2017 11:06 am

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by djones » Tue Aug 29, 2017 3:25 pm

Sure, here's the server:

Code: Select all

sudo /usr/local/openvpn-pqc/sbin/openvpn --verb 4 --config ~/openvpn-conf/server.conf
Tue Aug 29 15:22:15 2017 WARNING: file '/home/ubuntu/openvpn-keys/server.key' is group or others accessible
Tue Aug 29 15:22:15 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 24 2017
Tue Aug 29 15:22:15 2017 library versions: mbed TLS 2.5.1, LZO 2.08
Tue Aug 29 15:22:15 2017 Diffie-Hellman initialized with 2048 bit key
Tue Aug 29 15:22:15 2017 ROUTE_GATEWAY 10.0.1.1/255.255.255.0 IFACE=eth0 HWADDR=06:e7:c6:87:10:d7
Tue Aug 29 15:22:15 2017 TUN/TAP device tun0 opened
Tue Aug 29 15:22:15 2017 TUN/TAP TX queue length set to 100
Tue Aug 29 15:22:15 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Aug 29 15:22:15 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Aug 29 15:22:15 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Aug 29 15:22:15 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Aug 29 15:22:15 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 29 15:22:15 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 29 15:22:15 2017 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 29 15:22:15 2017 MULTI: multi_init called, r=256 v=256
Tue Aug 29 15:22:15 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 29 15:22:15 2017 ifconfig_pool_read(), in='OpenVPN Test Client,10.8.0.4', TODO: IPv6
Tue Aug 29 15:22:15 2017 succeeded -> ifconfig_pool_set()
Tue Aug 29 15:22:15 2017 IFCONFIG POOL LIST
Tue Aug 29 15:22:15 2017 OpenVPN Test Client,10.8.0.4
Tue Aug 29 15:22:15 2017 Initialization Sequence Completed
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS: Initial packet from [AF_INET]35.176.87.92:57643, sid=dfd9ee3b cd301726
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS_ERROR: read tls_read_plaintext error: SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS Error: TLS handshake failed
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 SIGUSR1[soft,tls-error] received, client-instance restarting

(at this point, everything paused for a while, so I Ctrl-C exited client then server)

Tue Aug 29 15:22:35 2017 event_wait : Interrupted system call (code=4)
Tue Aug 29 15:22:37 2017 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Tue Aug 29 15:22:37 2017 Closing TUN/TAP interface
Tue Aug 29 15:22:37 2017 /sbin/ifconfig tun0 0.0.0.0
Tue Aug 29 15:22:37 2017 SIGINT[hard,] received, process exiting
And the client:

Code: Select all

sudo /usr/local/openvpn-pqc/sbin/openvpn --verb 4 --config openvpn-conf/client.conf
Tue Aug 29 15:22:24 2017 WARNING: file '/home/ubuntu/openvpn-keys/client.key' is group or others accessible
Tue Aug 29 15:22:24 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 24 2017
Tue Aug 29 15:22:24 2017 library versions: mbed TLS 2.5.1, LZO 2.08
Tue Aug 29 15:22:24 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Aug 29 15:22:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]35.176.137.123:1194
Tue Aug 29 15:22:24 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 29 15:22:24 2017 UDP link local: (not bound)
Tue Aug 29 15:22:24 2017 UDP link remote: [AF_INET]35.176.137.123:1194
Tue Aug 29 15:22:24 2017 TLS: Initial packet from [AF_INET]35.176.137.123:1194, sid=135c4644 534b35ba

(at this point, everything paused for a while, so I Ctrl-C excited client then server)

Tue Aug 29 15:22:33 2017 event_wait : Interrupted system call (code=4)
Tue Aug 29 15:22:33 2017 SIGINT[hard,] received, process exiting

djones
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 25, 2017 11:06 am

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by djones » Thu Sep 14, 2017 10:44 am

Sorry, now that my post is approved I can see how awfully formatted that is. Let me try again, here is the server:

sudo /usr/local/openvpn-pqc/sbin/openvpn --verb 4 --config ~/openvpn-conf/server.conf
Tue Aug 29 15:22:15 2017 WARNING: file '/home/ubuntu/openvpn-keys/server.key' is group or others accessible
Tue Aug 29 15:22:15 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 24 2017
Tue Aug 29 15:22:15 2017 library versions: mbed TLS 2.5.1, LZO 2.08
Tue Aug 29 15:22:15 2017 Diffie-Hellman initialized with 2048 bit key
Tue Aug 29 15:22:15 2017 ROUTE_GATEWAY 10.0.1.1/255.255.255.0 IFACE=eth0 HWADDR=06:e7:c6:87:10:d7
Tue Aug 29 15:22:15 2017 TUN/TAP device tun0 opened
Tue Aug 29 15:22:15 2017 TUN/TAP TX queue length set to 100
Tue Aug 29 15:22:15 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Aug 29 15:22:15 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Aug 29 15:22:15 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Aug 29 15:22:15 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Aug 29 15:22:15 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 29 15:22:15 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 29 15:22:15 2017 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 29 15:22:15 2017 MULTI: multi_init called, r=256 v=256
Tue Aug 29 15:22:15 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 29 15:22:15 2017 ifconfig_pool_read(), in='OpenVPN Test Client,10.8.0.4', TODO: IPv6
Tue Aug 29 15:22:15 2017 succeeded -> ifconfig_pool_set()
Tue Aug 29 15:22:15 2017 IFCONFIG POOL LIST
Tue Aug 29 15:22:15 2017 OpenVPN Test Client,10.8.0.4
Tue Aug 29 15:22:15 2017 Initialization Sequence Completed
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS: Initial packet from [AF_INET]35.176.87.92:57643, sid=dfd9ee3b cd301726
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS_ERROR: read tls_read_plaintext error: SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 TLS Error: TLS handshake failed
Tue Aug 29 15:22:24 2017 35.176.87.92:57643 SIGUSR1[soft,tls-error] received, client-instance restarting
(at this point, everything paused for a while, so I Ctrl-C exited client then server)
Tue Aug 29 15:22:35 2017 event_wait : Interrupted system call (code=4)
Tue Aug 29 15:22:37 2017 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Tue Aug 29 15:22:37 2017 Closing TUN/TAP interface
Tue Aug 29 15:22:37 2017 /sbin/ifconfig tun0 0.0.0.0
Tue Aug 29 15:22:37 2017 SIGINT[hard,] received, process exiting

djones
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 25, 2017 11:06 am

Re: Using experimental mbedTLS ciphersuites with OpenVPN

Post by djones » Thu Sep 14, 2017 10:46 am

And here is the client:

sudo /usr/local/openvpn-pqc/sbin/openvpn --verb 4 --config openvpn-conf/client.conf
Tue Aug 29 15:22:24 2017 WARNING: file '/home/ubuntu/openvpn-keys/client.key' is group or others accessible
Tue Aug 29 15:22:24 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 24 2017
Tue Aug 29 15:22:24 2017 library versions: mbed TLS 2.5.1, LZO 2.08
Tue Aug 29 15:22:24 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Aug 29 15:22:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]35.176.137.123:1194
Tue Aug 29 15:22:24 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 29 15:22:24 2017 UDP link local: (not bound)
Tue Aug 29 15:22:24 2017 UDP link remote: [AF_INET]35.176.137.123:1194
Tue Aug 29 15:22:24 2017 TLS: Initial packet from [AF_INET]35.176.137.123:1194, sid=135c4644 534b35ba
(at this point, everything paused for a while, so I Ctrl-C excited client then server)
Tue Aug 29 15:22:33 2017 event_wait : Interrupted system call (code=4)
Tue Aug 29 15:22:33 2017 SIGINT[hard,] received, process exiting

Post Reply