SSL - Verification of the message MAC failed while connecting iPad 1

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Sat Apr 14, 2018 9:26 pm

After updating my VPN server to OpenVPN 2.4.0 (debian stretch) I’ve got the error message “SSL - Verification of the message MAC failed” on my iPad 1 with iOS version 5.1.1. My iOS OpenVPN app has version 1.1.1 build 212.
I didn’t change my configuration files and my iPad Air with iOS version 10.3.3 is still working with the same configuration. Could anybody tell me if there is a legacy option to get the same behaviour as in the old OpenVPN 2.3.4 (debian Jessie)? Do you have any other idea to get my iPad 1 connected again?

Thank you and best regards

Here are my config files and logs for this issue.

My Server Config File
server 192.168.5.0 255.255.255.128
ifconfig-pool-persist ipad/ipp_ipad.txt
push "redirect-gateway def1"
tls-server
dev tun-ipad
client-to-client
proto tcp-server
port XXX
ca ipad/ca.crt
cert ipad/server.crt
key ipad/server.key
crl-verify ipad/crl.pem
dh ipad/dh2048.pem
tls-auth ipad/tls_auth.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon openvpn_ipad
verb 3


My iPad Config File
client
tls-client
dev tun
remote server_name.de
resolv-retry infinite
nobind
proto tcp-client
port XXX
persist-tun
persist-key
user nobody
group nogroup
<ca>
--STRIPPED INLINE CA CERT--
</ca>
<tls-auth>
--STRIPPED INLINE TLS-AUTH KEY--
</tls-auth>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>


Here is my iPad log file. You can see the full exception in row 26.
iPad Logging
1 2018-04-14 22:04:48 Connecting to server_name.de:XXX (XXX.XXX.XXX.XXX) via TCPv4
2 2018-04-14 22:04:48 EVENT: CONNECTING
3 2018-04-14 22:04:48 Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
4 2018-04-14 22:04:48 Peer Info:
5 IV_VER=1.0
6 IV_PLAT=ios
7 IV_NCP=1
8 2018-04-14 22:04:48 VERIFY OK: depth=0
9 cert. version : 3
10 serial number : 01
11 issuer name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=client_name CA, 0x29=OpenVPN SSL, emailAddress=client_name@server.homenet
12 subject name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=server, 0x29=OpenVPN SSL, emailAddress=info@server.homenet
13 issued on : 2013-08-29 15:09:16
14 expires on : 2023-08-27 15:09:16
15 signed using : RSA+SHA256
16 RSA key size : 2048 bits
17 2018-04-14 22:04:48 VERIFY OK: depth=1
18 cert. version : 3
19 serial number : BA:A6:99:89:1D:D6:59:46
20 issuer name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=client_name CA, 0x29=OpenVPN SSL, emailAddress=client_name@server.homenet
21 subject name : C=DE, ST=SA, L=City, O=Org, OU=extern VPN, CN=server CA, 0x29=OpenVPN SSL, emailAddress=info@server.homenet
22 issued on : 2013-08-29 15:08:48
23 expires on : 2023-08-27 15:08:48
24 signed using : RSA+SHA256
25 RSA key size : 2048 bits
26 2018-04-14 22:04:50 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed
27 2018-04-14 22:04:50 Client terminated, restarting in 2...
28 2018-04-14 22:04:51 EVENT: DISCONNECTED
29 2018-04-14 22:04:51 Raw stats on disconnect:
30 BYTES_IN : 8254
31 BYTES_OUT : 4814
32 PACKETS_IN : 14
33 PACKETS_OUT : 16
34 TCP_CONNECT_ERROR : 2
35 SSL_ERROR : 2
36 N_RECONNECT : 3
37 2018-04-14 22:04:51 Performance stats on disconnect:
38 CPU usage (microseconds): 2067789
39 Network bytes per CPU second: 6319
40 Tunnel bytes per CPU second: 0

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Sun Apr 15, 2018 11:47 am

--tls-auth requires a direction option.

eg:
  • --tls-auth ta.key 0 or 1 (Usually zero on the server and one on the client)
  • or use --key-direction 0 or 1 (Same as above)
See --tls-auth & --key-direction in The Manual v24x
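
A consistency check for the direction setting discussed in this post, as an added example that is not part of the original thread: it reads a server and a client config and reports whether the tls-auth direction (the third argument to tls-auth, or key-direction for an inline <tls-auth> block) pairs up. The function names and sample configs are constructed for illustration; it assumes OpenVPN's rule that both peers either omit the direction or use opposite values.

```python
import re

def tls_auth_settings(config_text):
    """Return (enabled, direction); direction None means no direction given."""
    enabled, direction, inline = False, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:                      # skip key material inside <tag>...</tag>
            if line == "</%s>" % inline:
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            enabled = enabled or inline == "tls-auth"
            continue
        parts = line.split()
        if not parts or parts[0][0] in "#;":   # blank line or comment
            continue
        if parts[0] == "tls-auth":
            enabled = True
            if len(parts) > 2 and parts[2] in ("0", "1"):
                direction = int(parts[2])
        elif parts[0] == "key-direction" and len(parts) > 1 and parts[1] in ("0", "1"):
            direction = int(parts[1])
    return enabled, direction

def check_pair(server_cfg, client_cfg):
    (s_on, s_dir), (c_on, c_dir) = tls_auth_settings(server_cfg), tls_auth_settings(client_cfg)
    if s_on != c_on:
        return "mismatch: tls-auth enabled on one side only"
    if not s_on:
        return "ok: tls-auth not used"
    if s_dir is None and c_dir is None:
        return "ok: same key used in both directions on both sides"
    if s_dir is None or c_dir is None or s_dir == c_dir:
        return "mismatch: server direction %s, client direction %s" % (s_dir, c_dir)
    return "ok: complementary directions"

# Constructed samples modelled on the configs in this thread (key material elided).
SERVER_AS_POSTED = "tls-server\nproto tcp-server\ntls-auth ipad/tls_auth.key\n"
CLIENT_AS_POSTED = "client\ntls-client\n<tls-auth>\n--STRIPPED--\n</tls-auth>\n"
SERVER_WITH_DIR = SERVER_AS_POSTED.replace("tls_auth.key", "tls_auth.key 0")
CLIENT_WITH_DIR = "key-direction 1\n" + CLIENT_AS_POSTED

if __name__ == "__main__":
    print(check_pair(SERVER_AS_POSTED, CLIENT_AS_POSTED))
    print(check_pair(SERVER_WITH_DIR, CLIENT_AS_POSTED))
    print(check_pair(SERVER_WITH_DIR, CLIENT_WITH_DIR))
```

Setting the direction on only one peer is the case this check flags, so both files need to be changed together.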

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Tue Apr 17, 2018 4:29 pm

formusr wrote:
Sat Apr 14, 2018 9:26 pm
my iPad 1 with iOS version 5.1.1. My iOS OpenVPN app has version 1.1.1 build 212.
This is an old version, can you update it or is that not possible ?

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Wed Apr 18, 2018 8:52 pm

Thank you for the reply. First I tried your hint with the key direction, but it didn't help. Then I removed the tls declarative entirely, but still I've got the error message "Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed".
By the way, for iPad 1 I cannot install a higher version than 5.1.1. and also for the app I get no offer for a higher version in the app store. Even if I believe that the reason is rather a buggy implementation in this version, but unfortunately I can only change something on server side. But as I said, with an older version of OpenVPN on server side, it has worked perfectly.
Does anybody maybe have any other idea?
Thank you in advance

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Wed Apr 18, 2018 9:02 pm

You could downgrade your Openvpn server version:
https://community.openvpn.net/openvpn/w ... twareRepos

You claim it worked before, does it work if you re-install a 2.3 version ?

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Sat Apr 21, 2018 12:04 am

Thanks a lot, now it is working again. I have downgraded to the version in debian jessie.
I'm wondering if I'm now disconnected from the update path of openvpn and openssl. This could lead to serious security trouble. If you have an idea how I can still get automatic security updates, please let me know.

Because it was not so easy, I documented it here in case someone else has the same problem as me.
First create the file /etc/apt/sources.list.d/jessie.list with the following content.
Jessie Config
deb http://httpredir.debian.org/debian jessie main contrib non-free
deb-src http://httpredir.debian.org/debian jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free


Now you need to create the file /etc/apt/sources.list.d/openvpn-aptrepo.list with the following content.
Openvpn Config
deb http://build.openvpn.net/debian/openvpn/release/2.3 stretch main


Then you can install the pubkey of the openvpn repository with this command.
Get pubkey
wget -O - https://swupdate.openvpn.net/repos/repo ... pg|apt-key add -


Then load the new repositories with apt update.
Then install the old version of openssl with apt install openssl/jessie
Then check all available versions of openvpn with apt-cache policy openvpn
Then install the old version of openvpn with this command: apt-get install openvpn=2.3.4-5+deb8u2. The version can differ in your case.
Now restart openvpn. You have successfully downgraded both packages.

Then lock this version with the following commands. Otherwise you get back to the newest version of these packages with cron-apt.
Lock Version
apt-mark hold openssl
apt-mark hold openvpn


You can check the status of these packages with this command.
State Selection
dpkg --get-selections | grep 'openvpn\|openssl'


With these commands you can check the versions of these packages.
Show Version
openvpn --version
openssl version

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Sun Apr 22, 2018 12:01 am

formusr wrote:
Sat Apr 21, 2018 12:04 am
I have downgraded to the version in debian jessie
You have successfully downgraded your security ..

Please .. do not try this at home.

Openvpn will stop supporting version 2.3 very soon, if not already.

formusr
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 14, 2018 8:13 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by formusr » Mon Apr 23, 2018 9:00 pm

Well, I’m absolutely aware that this is no solution for the long term, but could you give me a hint how I can solve this issue in version 2.4?
And can anybody tell me a date when 2.3 is running out of maintenance? I plan to replace the iPad 1 in a couple of months, but until then it needs to work with it.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: SSL - Verification of the message MAC failed while connecting iPad 1

Post by TinCanTech » Mon Apr 23, 2018 9:44 pm

You will have to set up your 2.4 server again .. but if you do you could try disabling --tls-auth
