TLS_ERROR: BIO read tls_read_plaintext error

Scripts to manage certificates or generate config files

Moderators: TinCanTech

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 4:35 pm

Hi,

I am new to OpenVPN and VPNs in general, but I am trying to set up a VPN server for my home network for remote access. My ASUS router is running OpenVPN v2.3.2:

admin@RT-AC56U:/tmp/home/root# openvpn --version
OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov  4 2019
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=no enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
admin@RT-AC56U:/tmp/home/root# 
I can connect fine from Ubuntu 20.04 clients:

Sun Sep 25 09:17:40 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sun Sep 25 09:17:40 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Sun Sep 25 09:17:46 2022 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Sep 25 09:17:46 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:46 2022 UDP link local: (not bound)
Sun Sep 25 09:17:46 2022 UDP link remote: [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:46 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 25 09:17:47 2022 [server] Peer Connection Initiated with [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:48 2022 TUN/TAP device tun0 opened
Sun Sep 25 09:17:48 2022 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 25 09:17:48 2022 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Sep 25 09:17:48 2022 Initialization Sequence Completed
^CSun Sep 25 09:17:57 2022 event_wait : Interrupted system call (code=4)
Sun Sep 25 09:17:57 2022 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Sep 25 09:17:57 2022 SIGINT[hard,] received, process exiting
But from Ubuntu 22.04 clients I get this error and restart/reconnect loop:

2022-09-25 09:18:48 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-09-25 09:18:48 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-25 09:18:48 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 09:18:48 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10            
2022-09-25 09:18:54 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-09-25 09:18:54 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 UDP link local: (not bound)
2022-09-25 09:18:54 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-25 09:18:54 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-25 09:18:54 TLS Error: TLS object -> incoming plaintext read error
2022-09-25 09:18:54 TLS Error: TLS handshake failed
2022-09-25 09:18:54 SIGUSR1[soft,tls-error] received, process restarting
2022-09-25 09:18:59 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-09-25 09:18:59 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:59 UDP link local: (not bound)
2022-09-25 09:18:59 UDP link remote: [AF_INET]98.42.229.135:1194
^C2022-09-25 09:19:00 event_wait : Interrupted system call (code=4)
2022-09-25 09:19:00 SIGINT[hard,] received, process exiting
The difference in the clients is that Ubuntu 20.04 uses:

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
while Ubuntu 22.04 uses:

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
The server config looks like (this is on the ASUS router and is generated from the fields in the admin UI):

# Automatically generated configuration

# Tunnel options
proto udp
multihome
port 1194
dev tun21
sndbuf 0
rcvbuf 0
keepalive 15 60
daemon vpnserver1
verb 3
status-version 2
status status 10
comp-lzo adaptive
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
client-cert-not-required
username-as-common-name

# Data Channel Encryption Options
auth SHA256
cipher AES-256-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key
reneg-sec 18000

# Custom Configuration
and the client ovpn file looks like (it was generated by the ASUS router, with placeholders for the client cert and key that I populated):

remote 98.42.229.135 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
reneg-sec 18000
ns-cert-type server
<ca>
...... Inline CA cert here.......
</ca>

<cert>
...... Inline client cert here.......
</cert>

<key>
...... Inline client key here.......
</key>
There are no firmware updates for the ASUS router by which I could get a more recent openvpn server that may work with both Ubuntu 20.04 (openvpn 2.4.7) and Ubuntu 22.04 (openvpn 2.5.5) clients. So I am stuck with it.

Would appreciate any help I can get on this. I am stuck.
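
The 2.5.5 client log in the post above names, in its own warnings, the directive to use in place of each deprecated one: remote-cert-tls for ns-cert-type, data-ciphers-fallback for a lone cipher, and (from the 2.4.7 log) auth-nocache for the cached password. As an added example, not code from the thread or from OpenVPN, here is a small Python linter that applies those replacements to a profile laid out like the posted one and lists what it changed and what it only flagged. The sample profile is constructed from the posted one with the inline blocks left as placeholders; the rewrite removes deprecations and is not claimed to fix the handshake error.

```python
"""Lint an OpenVPN 2.5 client profile for the deprecations its own log warns about.

Added example for this thread, not OpenVPN's code. Each rule comes from a
warning quoted in the thread's client logs; the rewritten profile is a
clean-up of deprecated directives, not a fix for the TLS "internal error".
"""
import re
from typing import List, Set, Tuple

# Opening or closing tag of an inline block such as <ca> ... </ca>
INLINE_TAG = re.compile(r"^<(/?)(ca|cert|key|tls-auth|tls-crypt|tls-crypt-v2|dh)>$")

# (pattern, replacement, why); replacement None keeps the line and only reports it.
REWRITE_RULES = [
    (re.compile(r"^ns-cert-type\s+(\S+)$"), r"remote-cert-tls \1",
     "--ns-cert-type is deprecated; remote-cert-tls checks the TLS Web Server "
     "EKU, which a certificate issued with only nsCertType=SERVER may lack"),
    (re.compile(r"^cipher\s+(\S+)$"), r"data-ciphers-fallback \1",
     "2.5 warns that --cipher will be ignored for negotiation; a 2.3 server "
     "does not negotiate, so the fallback is the cipher actually used"),
    (re.compile(r"^comp-lzo\b.*$"), None,
     "compression has been used to break encryption; drop it once the server "
     "config no longer has comp-lzo, not before"),
]


def lint_profile(text: str) -> Tuple[List[str], str]:
    """Return (findings, rewritten profile); inline blocks are copied untouched."""
    findings: List[str] = []
    out: List[str] = []
    seen: Set[str] = set()
    in_inline = False
    for raw in text.splitlines():
        line = raw.strip()
        tag = INLINE_TAG.match(line)
        if tag:
            in_inline = tag.group(1) == ""       # "<ca>" opens, "</ca>" closes
            if in_inline:
                seen.add(tag.group(2))           # inline tls-auth counts as present
            out.append(raw)
            continue
        if in_inline or not line or line.startswith("#"):
            out.append(raw)
            continue
        seen.add(line.split()[0])
        for pattern, replacement, why in REWRITE_RULES:
            if pattern.match(line):
                findings.append(f"{line}: {why}")
                if replacement is not None:
                    raw = pattern.sub(replacement, line)
                break
        out.append(raw)
    if "auth-user-pass" in seen and "auth-nocache" not in seen:
        findings.append("auth-user-pass without auth-nocache: the password stays "
                        "cached in memory (the 2.4.7 log warns about this)")
        out.append("auth-nocache")
    if not seen & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: any host that can reach UDP 1194 "
                        "gets a full TLS handshake from the server")
    return findings, "\n".join(out) + "\n"


# Constructed from the profile posted above; inline blocks left as placeholders.
SAMPLE_PROFILE = """\
remote 98.42.229.135 1194
float
nobind
proto udp
dev tun
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
reneg-sec 18000
ns-cert-type server
<ca>
...... Inline CA cert here.......
</ca>
"""

if __name__ == "__main__":
    found, fixed = lint_profile(SAMPLE_PROFILE)
    for item in found:
        print("-", item)
    print(fixed)
```

Check the server certificate's extensions before switching to remote-cert-tls: it requires the TLS Web Server Authentication EKU, and the log's VERIFY OK: nsCertType=SERVER only shows that the old nsCertType extension is present. comp-lzo is reported but kept, because the server config posted has comp-lzo adaptive and the client cannot drop it on its own.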

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 4:51 pm

Forgot to mention that the Ubuntu openvpn clients are the stock versions that come with the distro.

Also, this issue seems (at least superficially) to be similar to the one discussed here:
viewtopic.php?t=30880

But in that one the suggested fix was to use openvpn 2.5-beta3 (not sure whether for client or server). I can't change the server version (ASUS router), and the failing client is the openvpn 2.5.5 one, so that should supposedly have the fix.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by TinCanTech » Sun Sep 25, 2022 5:31 pm

Set --verb 4 in your server config and then read your server log.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 6:11 pm

I'll have to figure out how to do that as the ASUS router controls the running process. I see 2 openvpn processes on the router:

admin@RT-AC56U:/tmp/home/root# ps | grep vpn
13472 admin     3764 S    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
13475 admin     4644 S    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
14152 admin     1532 D    grep vpn
admin@RT-AC56U:/tmp/home/root# 
If I kill them, I don't know how to restart them correctly.

In the meantime, here are the logs with verb level 3:

Sep 25 09:17:48 vpnserver1[13475]: amresh/192.168.1.109:51593 SENT CONTROL [amresh]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Sep 25 09:18:54 vpnserver1[13475]: 192.168.1.154:42115 TLS: Initial packet from [AF_INET]192.168.1.154:42115 (via [AF_INET]98.42.229.135%br0), sid=cdd4388c b641b28e
Sep 25 09:18:59 vpnserver1[13475]: 192.168.1.154:44457 TLS: Initial packet from [AF_INET]192.168.1.154:44457 (via [AF_INET]98.42.229.135%br0), sid=2019ae5c baa7ada6
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 TLS Error: TLS handshake failed
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 09:19:59 vpnserver1[13475]: 192.168.1.154:44457 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 09:19:59 vpnserver1[13475]: 192.168.1.154:44457 TLS Error: TLS handshake failed

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 6:16 pm

The logs for the client at 192.168.1.154 are the relevant ones.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 6:28 pm

Client output with 'verb 4':

2022-09-25 11:20:02 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-09-25 11:20:02 us=780299 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-25 11:20:02 us=780715 Current Parameter Settings:
2022-09-25 11:20:02 us=780788   config = 'client3.ovpn'
2022-09-25 11:20:02 us=780870   mode = 0
2022-09-25 11:20:02 us=780908   persist_config = DISABLED
2022-09-25 11:20:02 us=780927   persist_mode = 1
2022-09-25 11:20:02 us=781010   show_ciphers = DISABLED
2022-09-25 11:20:02 us=781084   show_digests = DISABLED
2022-09-25 11:20:02 us=781156   show_engines = DISABLED
2022-09-25 11:20:02 us=781176   genkey = DISABLED
2022-09-25 11:20:02 us=781215   genkey_filename = '[UNDEF]'
2022-09-25 11:20:02 us=781249   key_pass_file = '[UNDEF]'
2022-09-25 11:20:02 us=781283   show_tls_ciphers = DISABLED
2022-09-25 11:20:02 us=781316   connect_retry_max = 0
2022-09-25 11:20:02 us=781373 Connection profiles [0]:
2022-09-25 11:20:02 us=781448   proto = udp
2022-09-25 11:20:02 us=781478   local = '[UNDEF]'
2022-09-25 11:20:02 us=781521   local_port = '[UNDEF]'
2022-09-25 11:20:02 us=781553   remote = '98.42.229.135'
2022-09-25 11:20:02 us=781630   remote_port = '1194'
2022-09-25 11:20:02 us=781725   remote_float = ENABLED
2022-09-25 11:20:02 us=781779   bind_defined = DISABLED
2022-09-25 11:20:02 us=781837   bind_local = DISABLED
2022-09-25 11:20:02 us=781874   bind_ipv6_only = DISABLED
2022-09-25 11:20:02 us=781947   connect_retry_seconds = 5
2022-09-25 11:20:02 us=782014   connect_timeout = 120
2022-09-25 11:20:02 us=782035   socks_proxy_server = '[UNDEF]'
2022-09-25 11:20:02 us=782053   socks_proxy_port = '[UNDEF]'
2022-09-25 11:20:02 us=782109   tun_mtu = 1500
2022-09-25 11:20:02 us=782171   tun_mtu_defined = ENABLED
2022-09-25 11:20:02 us=782239   link_mtu = 1500
2022-09-25 11:20:02 us=782323   link_mtu_defined = DISABLED
2022-09-25 11:20:02 us=782392   tun_mtu_extra = 0
2022-09-25 11:20:02 us=782464   tun_mtu_extra_defined = DISABLED
2022-09-25 11:20:02 us=782528   mtu_discover_type = -1
2022-09-25 11:20:02 us=782596   fragment = 0
2022-09-25 11:20:02 us=782669   mssfix = 1450
2022-09-25 11:20:02 us=782689   explicit_exit_notification = 0
2022-09-25 11:20:02 us=782734   tls_auth_file = '[UNDEF]'
2022-09-25 11:20:02 us=782803   key_direction = not set
2022-09-25 11:20:02 us=782870   tls_crypt_file = '[UNDEF]'
2022-09-25 11:20:02 us=782890   tls_crypt_v2_file = '[UNDEF]'
2022-09-25 11:20:02 us=782944 Connection profiles END
2022-09-25 11:20:02 us=783002   remote_random = DISABLED
2022-09-25 11:20:02 us=783074   ipchange = '[UNDEF]'
2022-09-25 11:20:02 us=783141   dev = 'tun'
2022-09-25 11:20:02 us=783224   dev_type = '[UNDEF]'
2022-09-25 11:20:02 us=783293   dev_node = '[UNDEF]'
2022-09-25 11:20:02 us=783371   lladdr = '[UNDEF]'
2022-09-25 11:20:02 us=783401   topology = 1
2022-09-25 11:20:02 us=783462   ifconfig_local = '[UNDEF]'
2022-09-25 11:20:02 us=783533   ifconfig_remote_netmask = '[UNDEF]'
2022-09-25 11:20:02 us=783586   ifconfig_noexec = DISABLED
2022-09-25 11:20:02 us=783606   ifconfig_nowarn = DISABLED
2022-09-25 11:20:02 us=783639   ifconfig_ipv6_local = '[UNDEF]'
2022-09-25 11:20:02 us=783714   ifconfig_ipv6_netbits = 0
2022-09-25 11:20:02 us=783748   ifconfig_ipv6_remote = '[UNDEF]'
2022-09-25 11:20:02 us=783829   shaper = 0
2022-09-25 11:20:02 us=783866   mtu_test = 0
2022-09-25 11:20:02 us=783930   mlock = DISABLED
2022-09-25 11:20:02 us=783965   keepalive_ping = 15
2022-09-25 11:20:02 us=784023   keepalive_timeout = 60
2022-09-25 11:20:02 us=784129   inactivity_timeout = 0
2022-09-25 11:20:02 us=784180   ping_send_timeout = 15
2022-09-25 11:20:02 us=784246   ping_rec_timeout = 60
2022-09-25 11:20:02 us=784311   ping_rec_timeout_action = 2
2022-09-25 11:20:02 us=784338   ping_timer_remote = DISABLED
2022-09-25 11:20:02 us=784364   remap_sigusr1 = 0
2022-09-25 11:20:02 us=784410   persist_tun = DISABLED
2022-09-25 11:20:02 us=784475   persist_local_ip = DISABLED
2022-09-25 11:20:02 us=784496   persist_remote_ip = DISABLED
2022-09-25 11:20:02 us=784556   persist_key = DISABLED
2022-09-25 11:20:02 us=784629   passtos = DISABLED
2022-09-25 11:20:02 us=784700   resolve_retry_seconds = 1000000000
2022-09-25 11:20:02 us=784778   resolve_in_advance = DISABLED
2022-09-25 11:20:02 us=784812   username = '[UNDEF]'
2022-09-25 11:20:02 us=784874   groupname = '[UNDEF]'
2022-09-25 11:20:02 us=784950   chroot_dir = '[UNDEF]'
2022-09-25 11:20:02 us=784982   cd_dir = '[UNDEF]'
2022-09-25 11:20:02 us=785055   writepid = '[UNDEF]'
2022-09-25 11:20:02 us=785116   up_script = '[UNDEF]'
2022-09-25 11:20:02 us=785188   down_script = '[UNDEF]'
2022-09-25 11:20:02 us=785263   down_pre = DISABLED
2022-09-25 11:20:02 us=785295   up_restart = DISABLED
2022-09-25 11:20:02 us=785347   up_delay = DISABLED
2022-09-25 11:20:02 us=785407   daemon = DISABLED
2022-09-25 11:20:02 us=785468   inetd = 0
2022-09-25 11:20:02 us=785539   log = DISABLED
2022-09-25 11:20:02 us=785613   suppress_timestamps = DISABLED
2022-09-25 11:20:02 us=785647   machine_readable_output = DISABLED
2022-09-25 11:20:02 us=785735   nice = 0
2022-09-25 11:20:02 us=785806   verbosity = 4
2022-09-25 11:20:02 us=785867   mute = 0
2022-09-25 11:20:02 us=785899   gremlin = 0
2022-09-25 11:20:02 us=785929   status_file = '[UNDEF]'
2022-09-25 11:20:02 us=785971   status_file_version = 1
2022-09-25 11:20:02 us=786022   status_file_update_freq = 60
2022-09-25 11:20:02 us=786096   occ = ENABLED
2022-09-25 11:20:02 us=786168   rcvbuf = 0
2022-09-25 11:20:02 us=786244   sndbuf = 0
2022-09-25 11:20:02 us=786275   mark = 0
2022-09-25 11:20:02 us=786333   sockflags = 0
2022-09-25 11:20:02 us=786407   fast_io = DISABLED
2022-09-25 11:20:02 us=786472   comp.alg = 2
2022-09-25 11:20:02 us=786534   comp.flags = 1
2022-09-25 11:20:02 us=786602   route_script = '[UNDEF]'
2022-09-25 11:20:02 us=786669   route_default_gateway = '[UNDEF]'
2022-09-25 11:20:02 us=786690   route_default_metric = 0
2022-09-25 11:20:02 us=786781   route_noexec = DISABLED
2022-09-25 11:20:02 us=786850   route_delay = 0
2022-09-25 11:20:02 us=786927   route_delay_window = 30
2022-09-25 11:20:02 us=786980   route_delay_defined = DISABLED
2022-09-25 11:20:02 us=787000   route_nopull = DISABLED
2022-09-25 11:20:02 us=787061   route_gateway_via_dhcp = DISABLED
2022-09-25 11:20:02 us=787139   allow_pull_fqdn = DISABLED
2022-09-25 11:20:02 us=787212   management_addr = '[UNDEF]'
2022-09-25 11:20:02 us=787288   management_port = '[UNDEF]'
2022-09-25 11:20:02 us=787320   management_user_pass = '[UNDEF]'
2022-09-25 11:20:02 us=787395   management_log_history_cache = 250
2022-09-25 11:20:02 us=787456   management_echo_buffer_size = 100
2022-09-25 11:20:02 us=787522   management_write_peer_info_file = '[UNDEF]'
2022-09-25 11:20:02 us=787607   management_client_user = '[UNDEF]'
2022-09-25 11:20:02 us=787675   management_client_group = '[UNDEF]'
2022-09-25 11:20:02 us=787760   management_flags = 0
2022-09-25 11:20:02 us=787829   shared_secret_file = '[UNDEF]'
2022-09-25 11:20:02 us=787912   key_direction = not set
2022-09-25 11:20:02 us=787980   ciphername = 'AES-256-CBC'
2022-09-25 11:20:02 us=788057   ncp_enabled = ENABLED
2022-09-25 11:20:02 us=788129   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2022-09-25 11:20:02 us=788206   authname = 'SHA256'
2022-09-25 11:20:02 us=788238   prng_hash = 'SHA1'
2022-09-25 11:20:02 us=788291   prng_nonce_secret_len = 16
2022-09-25 11:20:02 us=788352   keysize = 0
2022-09-25 11:20:02 us=788415   engine = DISABLED
2022-09-25 11:20:02 us=788450   replay = ENABLED
2022-09-25 11:20:02 us=788511   mute_replay_warnings = DISABLED
2022-09-25 11:20:02 us=788575   replay_window = 64
2022-09-25 11:20:02 us=788609   replay_time = 15
2022-09-25 11:20:02 us=788643   packet_id_file = '[UNDEF]'
2022-09-25 11:20:02 us=788678   test_crypto = DISABLED
2022-09-25 11:20:02 us=788741   tls_server = DISABLED
2022-09-25 11:20:02 us=788775   tls_client = ENABLED
2022-09-25 11:20:02 us=788825   ca_file = '[INLINE]'
2022-09-25 11:20:02 us=788876   ca_path = '[UNDEF]'
2022-09-25 11:20:02 us=788955   dh_file = '[UNDEF]'
2022-09-25 11:20:02 us=789040   cert_file = '[INLINE]'
2022-09-25 11:20:02 us=789107   extra_certs_file = '[UNDEF]'
2022-09-25 11:20:02 us=789179   priv_key_file = '[INLINE]'
2022-09-25 11:20:02 us=789257   pkcs12_file = '[UNDEF]'
2022-09-25 11:20:02 us=789326   cipher_list = '[UNDEF]'
2022-09-25 11:20:02 us=789400   cipher_list_tls13 = '[UNDEF]'
2022-09-25 11:20:02 us=789424   tls_cert_profile = '[UNDEF]'
2022-09-25 11:20:02 us=789476   tls_verify = '[UNDEF]'
2022-09-25 11:20:02 us=789542   tls_export_cert = '[UNDEF]'
2022-09-25 11:20:02 us=789614   verify_x509_type = 0
2022-09-25 11:20:02 us=789713   verify_x509_name = '[UNDEF]'
2022-09-25 11:20:02 us=789794   crl_file = '[UNDEF]'
2022-09-25 11:20:02 us=789849   ns_cert_type = 1
2022-09-25 11:20:02 us=789869   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=789938   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=789967   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790027   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790104   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790135   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790182   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790218   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790279   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790315   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790353   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790435   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790507   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790584   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790615   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790668   remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790719   remote_cert_eku = '[UNDEF]'
2022-09-25 11:20:02 us=790754   ssl_flags = 0
2022-09-25 11:20:02 us=790815   tls_timeout = 2
2022-09-25 11:20:02 us=790874   renegotiate_bytes = -1
2022-09-25 11:20:02 us=790899   renegotiate_packets = 0
2022-09-25 11:20:02 us=790932   renegotiate_seconds = 18000
2022-09-25 11:20:02 us=790967   handshake_window = 60
2022-09-25 11:20:02 us=791050   transition_window = 3600
2022-09-25 11:20:02 us=791119   single_session = DISABLED
2022-09-25 11:20:02 us=791185   push_peer_info = DISABLED
2022-09-25 11:20:02 us=791205   tls_exit = DISABLED
2022-09-25 11:20:02 us=791257   tls_crypt_v2_metadata = '[UNDEF]'
2022-09-25 11:20:02 us=791319   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791403   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791471   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791544   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791612   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791647   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791731   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791807   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791887   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791955   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792027   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792100   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792184   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792256   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792332   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792365   pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792456   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792523   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792556   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792606   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792671   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792693   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792725   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792804   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792840   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792924   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792992   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793063   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793135   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793196   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793263   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793334   pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793417   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793490   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793565   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793597   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793658   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793744   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793772   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793788   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793880   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793900   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793973   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793998   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794055   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794127   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794192   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794253   pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794321   pkcs11_pin_cache_period = -1
2022-09-25 11:20:02 us=794392   pkcs11_id = '[UNDEF]'
2022-09-25 11:20:02 us=794464   pkcs11_id_management = DISABLED
2022-09-25 11:20:02 us=794563   server_network = 0.0.0.0
2022-09-25 11:20:02 us=794643   server_netmask = 0.0.0.0
2022-09-25 11:20:02 us=794730   server_network_ipv6 = ::
2022-09-25 11:20:02 us=794804   server_netbits_ipv6 = 0
2022-09-25 11:20:02 us=794859   server_bridge_ip = 0.0.0.0
2022-09-25 11:20:02 us=794879   server_bridge_netmask = 0.0.0.0
2022-09-25 11:20:02 us=794942   server_bridge_pool_start = 0.0.0.0
2022-09-25 11:20:02 us=795001   server_bridge_pool_end = 0.0.0.0
2022-09-25 11:20:02 us=795036   ifconfig_pool_defined = DISABLED
2022-09-25 11:20:02 us=795075   ifconfig_pool_start = 0.0.0.0
2022-09-25 11:20:02 us=795140   ifconfig_pool_end = 0.0.0.0
2022-09-25 11:20:02 us=795178   ifconfig_pool_netmask = 0.0.0.0
2022-09-25 11:20:02 us=795211   ifconfig_pool_persist_filename = '[UNDEF]'
2022-09-25 11:20:02 us=795241   ifconfig_pool_persist_refresh_freq = 600
2022-09-25 11:20:02 us=795267   ifconfig_ipv6_pool_defined = DISABLED
2022-09-25 11:20:02 us=795305   ifconfig_ipv6_pool_base = ::
2022-09-25 11:20:02 us=795371   ifconfig_ipv6_pool_netbits = 0
2022-09-25 11:20:02 us=795445   n_bcast_buf = 256
2022-09-25 11:20:02 us=795512   tcp_queue_limit = 64
2022-09-25 11:20:02 us=795537   real_hash_size = 256
2022-09-25 11:20:02 us=795586   virtual_hash_size = 256
2022-09-25 11:20:02 us=795622   client_connect_script = '[UNDEF]'
2022-09-25 11:20:02 us=795699   learn_address_script = '[UNDEF]'
2022-09-25 11:20:02 us=795733   client_disconnect_script = '[UNDEF]'
2022-09-25 11:20:02 us=795835   client_config_dir = '[UNDEF]'
2022-09-25 11:20:02 us=795898   ccd_exclusive = DISABLED
2022-09-25 11:20:02 us=795982   tmp_dir = '/tmp'
2022-09-25 11:20:02 us=796056   push_ifconfig_defined = DISABLED
2022-09-25 11:20:02 us=796110   push_ifconfig_local = 0.0.0.0
2022-09-25 11:20:02 us=796180   push_ifconfig_remote_netmask = 0.0.0.0
2022-09-25 11:20:02 us=796261   push_ifconfig_ipv6_defined = DISABLED
2022-09-25 11:20:02 us=796336   push_ifconfig_ipv6_local = ::/0
2022-09-25 11:20:02 us=796413   push_ifconfig_ipv6_remote = ::
2022-09-25 11:20:02 us=796488   enable_c2c = DISABLED
2022-09-25 11:20:02 us=796560   duplicate_cn = DISABLED
2022-09-25 11:20:02 us=796611   cf_max = 0
2022-09-25 11:20:02 us=796684   cf_per = 0
2022-09-25 11:20:02 us=796757   max_clients = 1024
2022-09-25 11:20:02 us=796783   max_routes_per_client = 256
2022-09-25 11:20:02 us=796846   auth_user_pass_verify_script = '[UNDEF]'
2022-09-25 11:20:02 us=796924   auth_user_pass_verify_script_via_file = DISABLED
2022-09-25 11:20:02 us=797000   auth_token_generate = DISABLED
2022-09-25 11:20:02 us=797041   auth_token_lifetime = 0
2022-09-25 11:20:02 us=797123   auth_token_secret_file = '[UNDEF]'
2022-09-25 11:20:02 us=797190   port_share_host = '[UNDEF]'
2022-09-25 11:20:02 us=797252   port_share_port = '[UNDEF]'
2022-09-25 11:20:02 us=797287   vlan_tagging = DISABLED
2022-09-25 11:20:02 us=797349   vlan_accept = all
2022-09-25 11:20:02 us=797419   vlan_pvid = 1
2022-09-25 11:20:02 us=797455   client = ENABLED
2022-09-25 11:20:02 us=797525   pull = ENABLED
2022-09-25 11:20:02 us=797615   auth_user_pass_file = 'stdin'
2022-09-25 11:20:02 us=797709 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 11:20:02 us=797802 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Enter Auth Username: foo
🔐 Enter Auth Password: *********               
2022-09-25 11:20:13 us=590590 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-09-25 11:20:13 us=602794 LZO compression initializing
2022-09-25 11:20:13 us=603159 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-09-25 11:20:13 us=603311 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-09-25 11:20:13 us=603446 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
2022-09-25 11:20:13 us=603505 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
2022-09-25 11:20:13 us=603580 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 11:20:13 us=603704 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-25 11:20:13 us=603760 UDP link local: (not bound)
2022-09-25 11:20:13 us=603805 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 11:20:13 us=608228 TLS: Initial packet from [AF_INET]98.42.229.135:1194, sid=7bf36b98 47414891
2022-09-25 11:20:16 us=75050 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-09-25 11:20:16 us=75559 VERIFY OK: nsCertType=SERVER
2022-09-25 11:20:16 us=75615 VERIFY OK: depth=0, CN=server
2022-09-25 11:20:18 us=314364 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-25 11:20:18 us=314450 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-25 11:20:18 us=314472 TLS Error: TLS object -> incoming plaintext read error
2022-09-25 11:20:18 us=314488 TLS Error: TLS handshake failed
2022-09-25 11:20:18 us=314791 TCP/UDP: Closing socket
2022-09-25 11:20:18 us=314881 SIGUSR1[soft,tls-error] received, process restarting
2022-09-25 11:20:18 us=314939 Restart pause, 5 second(s)
^C2022-09-25 11:20:20 us=359320 SIGINT[hard,init_instance] received, process exiting
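
The verb 4 client log above fails only after VERIFY OK: depth=0, CN=server, that is, after the server certificate has already been verified, and the OpenSSL line carries a 3.x-style error code. As an added example, not code from the thread, OpenVPN or OpenSSL, here is a Python triage script that decodes that code using the OpenSSL 3 layout from include/openssl/err.h (library in bits 23-30, reason flags in bits 18-22, reason in bits 0-17) and reports the last handshake milestone reached before the error. The sample lines are taken from the posted log, abridged; the decoder knows only the library and reason names this thread needs and does not handle the older 1.1.1 code format that the 2.4.7 client would print.

```python
"""Triage an OpenVPN client log for a failed TLS handshake.

Added example for this thread, not OpenVPN's or OpenSSL's code. It decodes the
OpenSSL 3 error-code layout from include/openssl/err.h and reports how far the
handshake got before the error.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OpenSSL 3 packs a code as: bits 23-30 library, 18-22 reason flags, 0-17 reason.
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_RFLAGS_OFFSET, ERR_RFLAGS_MASK = 18, 0x1F
ERR_RFLAG_FATAL, ERR_RFLAG_COMMON = 0x1, 0x2     # values after shifting down
ERR_LIB_SSL = 20
LIB_NAMES = {ERR_LIB_SSL: "SSL routines"}        # only what this log needs;
COMMON_REASONS = {259: "internal error"}         # `openssl errstr <hex>` has the rest

@dataclass
class OpenSSLError:
    code: int
    library: int
    lib_name: str
    fatal: bool
    common: bool
    reason: int
    reason_name: str

def decode_openssl_error(code_hex: str) -> OpenSSLError:
    code = int(code_hex, 16)
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    flags = (code >> ERR_RFLAGS_OFFSET) & ERR_RFLAGS_MASK
    reason = code & ((1 << ERR_RFLAGS_OFFSET) - 1)
    common = bool(flags & ERR_RFLAG_COMMON)
    # Library-independent ("common") reasons such as ERR_R_INTERNAL_ERROR carry
    # the COMMON flag and are looked up in their own table, not the SSL one.
    name = (COMMON_REASONS.get(reason) if common else None) or f"reason {reason}"
    return OpenSSLError(code, lib, LIB_NAMES.get(lib, f"lib {lib}"),
                        bool(flags & ERR_RFLAG_FATAL), common, reason, name)

# Milestones in the order an OpenVPN client logs them.
STAGES = [
    ("TLS: Initial packet from", "server answered the first TLS packet"),
    ("VERIFY OK: depth=1", "CA certificate accepted"),
    ("VERIFY OK: depth=0", "server certificate verified"),
    ("Peer Connection Initiated", "TLS handshake complete"),
    ("Initialization Sequence Completed", "tunnel up"),
]
OPENSSL_ERR = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")
LIB_VERSION = re.compile(r"library versions: (OpenSSL [^,]+)")

@dataclass
class Triage:
    stage_index: int = -1
    errors: List[OpenSSLError] = field(default_factory=list)
    tls_restarts: int = 0
    openssl_version: Optional[str] = None

    @property
    def stage(self) -> str:
        return STAGES[self.stage_index][1] if self.stage_index >= 0 else "no TLS reply seen"

    @property
    def verdict(self) -> str:
        if self.stage_index == len(STAGES) - 1 and not self.errors:
            return "connected"
        if self.stage_index < 1:
            return "no certificate exchange: check reachability, port, tls-auth/tls-crypt"
        if self.stage_index < 2:
            return "server certificate rejected: check the CA and remote-cert-tls/ns-cert-type"
        return "failed after the server certificate verified: not a trust problem"

def triage_log(lines) -> Triage:
    t = Triage()
    for line in lines:
        if m := LIB_VERSION.search(line):
            t.openssl_version = m.group(1).strip()
        for i, (marker, _) in enumerate(STAGES):
            if marker in line:
                t.stage_index = max(t.stage_index, i)
        if m := OPENSSL_ERR.search(line):
            t.errors.append(decode_openssl_error(m.group(1)))
        if "SIGUSR1[soft,tls-error]" in line:
            t.tls_restarts += 1
    return t

# Constructed from the verb 4 client log posted above (abridged).
SAMPLE_LOG = """\
2022-09-25 11:20:02 us=797802 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-09-25 11:20:13 us=608228 TLS: Initial packet from [AF_INET]98.42.229.135:1194, sid=7bf36b98 47414891
2022-09-25 11:20:16 us=75050 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-09-25 11:20:16 us=75615 VERIFY OK: depth=0, CN=server
2022-09-25 11:20:18 us=314364 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-25 11:20:18 us=314488 TLS Error: TLS handshake failed
2022-09-25 11:20:18 us=314881 SIGUSR1[soft,tls-error] received, process restarting
""".splitlines()

if __name__ == "__main__":
    r = triage_log(SAMPLE_LOG)
    print(r.openssl_version, "|", r.stage, "|", r.verdict)
    for e in r.errors:
        print(f"{e.code:08X}: {e.lib_name}: {e.reason_name} (fatal={e.fatal})")
```

`openssl errstr 0A0C0103` on the 22.04 client prints the same text straight from the library. Library 20 is ERR_LIB_SSL, and reason 259 with the COMMON and FATAL flags set is ERR_R_INTERNAL_ERROR, a generic fatal reason rather than a specific TLS alert, which is why the log line says nothing about what the library objected to; the milestone reached shows only that it was not the certificate chain.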

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 6:34 pm

Restarted the service on the ASUS router, but it regenerated the config file with the 'verb 3' option and overwrote the 'verb 4' line that I had put in.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by TinCanTech » Sun Sep 25, 2022 7:12 pm

This appears to be the problem:
amresh wrote:
Sun Sep 25, 2022 4:35 pm
admin@RT-AC56U:/tmp/home/root# openvpn --version
OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 4 2019
OpenVPN 2.3.2 is no longer supported: https://community.openvpn.net/openvpn/w ... edVersions

Then:
amresh wrote:
Sun Sep 25, 2022 4:35 pm
2022-09-25 09:18:48 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 09:18:48 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-09-25 09:18:54 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-09-25 09:18:54 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 UDP link local: (not bound)
2022-09-25 09:18:54 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 OpenSSL: error:0A0C0103:SSL routines::internal error
It is an unusual error. Somebody else may be able to help.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 8:12 pm

Yes, unfortunately I can't do anything about the Openvpn server version. That's part of the router firmware.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Sun Sep 25, 2022 8:21 pm

Finally able to get it to run with verb 4 value (don't see anything unusual):

Sep 25 13:16:39 vpnserver1[15775]: MULTI: multi_create_instance called
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Re-using SSL/TLS context
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 LZO compression initialized
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Local Options hash (VER=V4): '79a26cd9'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Expected Remote Options hash (VER=V4): 'fc8ba345'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 TLS: Initial packet from [AF_INET]192.168.1.154:48144 (via [AF_INET]98.42.229.135%br0), sid=ee7c5f4f d4e6c98e
Sep 25 13:16:45 vpnserver1[15775]: MULTI: multi_create_instance called
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Re-using SSL/TLS context
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 LZO compression initialized
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Local Options hash (VER=V4): '79a26cd9'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Expected Remote Options hash (VER=V4): 'fc8ba345'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 TLS: Initial packet from [AF_INET]192.168.1.154:33171 (via [AF_INET]98.42.229.135%br0), sid=107aa226 be09fff8
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 TLS Error: TLS handshake failed
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 TLS Error: TLS handshake failed
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 13:17:54 vpnserver1[15775]: MULTI: multi_create_instance called
I think the handshake is being rejected by the newer client, not the server.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by TinCanTech » Sun Sep 25, 2022 8:32 pm

amresh wrote:
Sun Sep 25, 2022 8:12 pm
unfortunately I can't do anything about the Openvpn server version
Then throw it away.
amresh wrote:
Sun Sep 25, 2022 8:21 pm
I think the handshake is being rejected by the newer client, not the server.
The client is very upset about something, I cannot say if that is something from the server or not.

You could upgrade the client. v2.5.7 is latest, stable.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by openvpn_inc » Mon Sep 26, 2022 7:10 am

Hello amresh,

Version 2.3.2 dates back to 2015. That's 7 years old. You might understand then that over time things have changed a little and that you really should have more up-to-date software. I know you say that you can't fix it. But you should try to contact the router manufacturer and request a newer firmware that includes an updated OpenVPN version. If that is not available, for example because the router is no longer under support and doesn't receive firmware updates anymore, I would recommend looking into an alternative firmware for this router with a more up-to-date OpenVPN version.

However I know 2.5 should still be able to connect to 2.3 server just fine. But there's just something being done that is not acceptable to the OpenSSL library.

The main difference between Ubuntu 20.04 LTS and Ubuntu 22.04 LTS is the OpenSSL version. In Ubuntu 20.04 LTS it is still OpenSSL 1.1.1 and in Ubuntu 22.04 LTS it is OpenSSL 3.0.2. In OpenSSL3 some changes have been made in regards to deprecating certain older methods of encryption by default. While I am not 100% certain, my guess would be that the server wants the client to do something that is now considered deprecated and insecure, and the OpenSSL3 library doesn't want to do this anymore. What that is exactly however I can't tell from this information.

Can you check what bit size your CA, server, and client certificates are? Are they 1024 bits by any chance? If so that might be the issue and you should replace them with RSA 2048. I would like to recommend secp384r1 instead but not sure that would work with that old of an OpenVPN version.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by ordex » Mon Sep 26, 2022 12:43 pm

Please also note that OpenVPN 2.5.5 is not expected to work well with OpenSSL3, since code to support the latter was introduced after OpenVPN 2.5.5.
You may want to upgrade to OpenVPN 2.5.7.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Mon Sep 26, 2022 3:21 pm

Johan,

Thanks for the detailed post. I figured the same, but was hoping that I could make it work through configuration changes and using 'backwards-compatibility' of Openvpn 2.5.5/openssl3 towards the older release. But likely not. Regarding your question, yes, I am using 2048 bits.

Ordex,

Are you saying that the stock Ubuntu 22.04 openvpn (2.5.5) may have problems, since it is tied to OpenSSL3? OK, I will try upgrading to 2.5.7, if only as an academic exercise, as I ordered a new ASUS router that hopefully has a newer version of openvpn that works right off the bat.

amresh
OpenVpn Newbie
Posts: 10
Joined: Sun Sep 25, 2022 4:04 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by amresh » Mon Sep 26, 2022 4:39 pm

Tested with openvpn 2.5.7/openssl 3.0.2. Get the same result, no connection, restart loop with the same error:

2022-09-26 08:48:44 us=126102 VERIFY OK: depth=0, CN=server
2022-09-26 08:48:44 us=130726 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-26 08:48:44 us=130808 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-26 08:48:44 us=130878 TLS Error: TLS object -> incoming plaintext read error
2022-09-26 08:48:44 us=130969 TLS Error: TLS handshake failed
2022-09-26 08:48:44 us=131404 TCP/UDP: Closing socket
2022-09-26 08:48:44 us=131516 SIGUSR1[soft,tls-error] received, process restarting
2022-09-26 08:48:44 us=131610 Restart pause, 5 second(s)

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by ordex » Mon Sep 26, 2022 10:36 pm

@amresh then I'd say Johan is pointing you in the right direction.
Can you try passing this option

Code:

--providers legacy default
to the client? (can go in the config without the leading --)

rantanplan
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 20, 2022 4:00 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by rantanplan » Tue Dec 20, 2022 4:03 pm

ordex wrote:
Mon Sep 26, 2022 10:36 pm
@amresh then I'd say Johan is pointing you in the right direction.
Can you try passing this option

Code:

--providers legacy default
to the client? (can go in the config without the leading --)
I have the same issue on Pop!_OS 22.04 LTS (Ubuntu 22.04 LTS).

Adding this option didn't change the behavior...

Best regards

rantanplan
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 20, 2022 4:00 pm

Re: TLS_ERROR: BIO read tls_read_plaintext error

Post by rantanplan » Thu Dec 22, 2022 11:39 pm

Problem "solved" by allowing weak algorithm:

openvpn --tls-cipher "DEFAULT:@SECLEVEL=0" --data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
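A way to answer Johan's certificate bit-size question, and to see what the final "@SECLEVEL=0" workaround is giving up, as an added example that is not part of this thread or of OpenVPN: it assumes the openssl command-line tool is installed and takes its thresholds from the OpenSSL 3 SSL_CTX_set_security_level manual.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the CA, server and client
# certificates an OpenVPN profile uses and report the highest OpenSSL
# security level that would still accept each one. Assumes the openssl CLI.

# Print "<type> <bits>" for the certificate's public key, e.g. "RSA 2048".
cert_key_info() {
    txt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
          openssl pkey -pubin -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$txt" in
        *Modulus:*)                  type=RSA ;;
        *"ASN1 OID"*|*"NIST CURVE"*) type=EC ;;
        *)                           type=OTHER ;;
    esac
    printf '%s %s\n' "$type" "$bits"
}

# Print the signature algorithm, e.g. "sha256WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Highest OpenSSL security level (checked up to 2) the certificate satisfies,
# using the thresholds from the OpenSSL 3 SSL_CTX_set_security_level manual:
# level 1 rejects RSA < 1024 bits, EC < 160 bits and SHA-1/MD5 signatures;
# level 2 (the default Ubuntu 22.04 ships) rejects RSA < 2048 and EC < 224 bits.
# A result of 0 means only "@SECLEVEL=0", the thread's workaround, accepts it.
cert_max_seclevel() {
    info=$(cert_key_info "$1")
    sig=$(cert_sig_alg "$1" | tr 'A-Z' 'a-z')
    type=${info%% *}; bits=${info##* }
    [ -n "$bits" ] || { echo unknown; return 1; }
    case "$sig" in *sha1*|*md5*) echo 0; return 0 ;; esac
    case "$type" in
        RSA) [ "$bits" -ge 2048 ] && { echo 2; return 0; }
             [ "$bits" -ge 1024 ] && { echo 1; return 0; } ;;
        EC)  [ "$bits" -ge 224 ]  && { echo 2; return 0; }
             [ "$bits" -ge 160 ]  && { echo 1; return 0; } ;;
    esac
    echo 0
}

# Usage: sh check_certs.sh ca.crt server.crt client.crt
for f in "$@"; do
    printf '%s: %s, %s, max seclevel %s\n' "$f" \
        "$(cert_key_info "$f")" "$(cert_sig_alg "$f")" "$(cert_max_seclevel "$f")"
done
```

A certificate that only scores 0 or 1 here is what an OpenSSL 3 client at its shipped level 2 refuses, so reissuing it (RSA 2048 or better, SHA-256 signature) fixes the handshake without lowering the client's security level.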