SHA256withECDSA on OpenVPN 2.3.10
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
SHA256withECDSA on OpenVPN 2.3.10
I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
Try it and see ..
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
I tried it and I get a:
I’m not setting a tls-cipher on either the server or the client.
Code: Select all
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
Well .. "no shared cipher" means exactly what it says ..
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
What doesn’t make sense is the two clients are both 2.3.x? The client is 2.3.17 and the server is 2.3.10. Would this cause the no shared cipher issue or is using keys/certs with the SHA256withECDSA algorithm causing the no shared cipher error?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
Your server and client have no ciphers which they can both use. eg. "shared" cipher.
Considering the lack of detail you have provided, it is difficult to expand on that.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
Here is the server config:
port 1194
proto udp
dh dh2048.pem
server 10.8.0.0 255.255.252.0
ifconfig-pool-persist ipp.txt
keepalive 10, 120
ca ca.crt
cert server.crt
key server.key
crl-verify crl.pem
dev tun
tun-mtu 1500
tls-auth ta.key 0
route 10.11.0.0 255.255.0.0
push route 10.11.0.0 255.255.0.0
client-config-dir ccd
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
I'm not sure what additional information I can give you. The client config is on a router that I set using a graphical user interface.
Last edited by Pippin on Thu Jul 23, 2020 6:35 pm, edited 1 time in total.
Reason: Formatting
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
This'll get you started:
viewtopic.php?f=30&t=22603#p68963
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: SHA256withECDSA on OpenVPN 2.3.10
Code: Select all
keepalive 10, 120
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
This is the full error from the server log:
Code: Select all
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS: Initial packet from [AF_INET]70.168.153.252:49046, sid=ebcceffc ecf400f9
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS Error: TLS object -> incoming plaintext read error
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
Looks like somebody should report a bug.
Pippin wrote: ↑Thu Jul 23, 2020 6:36 pm
Comma doesn't belong there.
Code: Select all
keepalive 10, 120
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
We know .. so it looks like:
apache8080 wrote: ↑Thu Jul 23, 2020 6:39 pm
This is the full error from the server log:
Code: Select all
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS: Initial packet from [AF_INET]70.168.153.252:49046, sid=ebcceffc ecf400f9
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS Error: TLS object -> incoming plaintext read error
I guess not ..
apache8080 wrote: ↑Thu Jul 23, 2020 6:54 am
I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
Unless I missed it, I don't get why there is any documentation as to what OpenVPN client versions are specific OpenVPN server versions compatible with.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: SHA256withECDSA on OpenVPN 2.3.10
If I remember correctly, EC is for version 2.4 and higher.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: SHA256withECDSA on OpenVPN 2.3.10
Check both sides with
Code: Select all
openvpn --show-tls
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
I ran openvpn --show-tls on both a 2.3.17 client and a 2.3.10 server and there are matching tls-ciphers like:
Code: Select all
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
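Pippin's `openvpn --show-tls` check and the two matching suites reported here can be turned into a small diagnostic. The following is an added example, not code from this thread or from the OpenVPN project: it parses the `--show-tls` output of both peers (the listings below are constructed samples, trimmed to a few suites) and keeps only the suites whose authentication algorithm matches the server certificate's key type, because in TLS 1.2 and earlier a suite such as TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 can only be negotiated with an EC certificate, and TLS-ECDHE-RSA-* suites only with an RSA one. `--show-tls` lists what the crypto library supports, not what the certificates allow, so two lists can overlap and the handshake can still fail with "no shared cipher". The `server_cert_key_type` argument is an assumption of this example: you read it yourself from the "Public Key Algorithm" line of `openssl x509 -in server.crt -noout -text` and pass it in.

```python
"""Added example, not from the thread or the OpenVPN project: work out which
TLS (pre-1.3) suites a handshake could pick from two `openvpn --show-tls`
listings, taking the server certificate's key type into account."""

# Constructed sample listings, trimmed to a few suites each.
SERVER_SHOW_TLS = """\
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

CLIENT_SHOW_TLS = """\
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

# Constructed: a client that offers no ECDSA-authenticated suite at all.
RSA_ONLY_CLIENT_SHOW_TLS = """\
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

# Authentication token in the suite name -> key type the server cert must have.
AUTH_TO_KEY_TYPE = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}


def parse_show_tls(text):
    """Suite names from --show-tls output, in the order the listing gives them."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("TLS-")]


def auth_key_type(suite):
    """Key type the server certificate needs for this suite (None for PSK/anon)."""
    head = suite.split("-WITH-", 1)[0]   # e.g. "TLS-ECDHE-ECDSA"
    return AUTH_TO_KEY_TYPE.get(head.split("-")[-1])


def shared_suites(server_text, client_text):
    """Suites present in both listings, in server-list order."""
    client = set(parse_show_tls(client_text))
    return [s for s in parse_show_tls(server_text) if s in client]


def usable_suites(server_text, client_text, server_cert_key_type):
    """Shared suites whose authentication matches the server certificate's key type."""
    return [s for s in shared_suites(server_text, client_text)
            if auth_key_type(s) == server_cert_key_type]


def explain(server_text, client_text, server_cert_key_type):
    """One-line verdict distinguishing 'no overlap' from 'overlap but wrong key type'."""
    shared = shared_suites(server_text, client_text)
    usable = usable_suites(server_text, client_text, server_cert_key_type)
    if not shared:
        return "no overlap: the two --show-tls lists (or --tls-cipher settings) have no suite in common"
    if not usable:
        return ("%d suite(s) overlap, but none can authenticate with a %s server certificate; "
                "this is the case that surfaces as 'no shared cipher'"
                % (len(shared), server_cert_key_type))
    return "handshake can use: " + ", ".join(usable)


if __name__ == "__main__":
    for key_type in ("EC", "RSA"):
        print(key_type, "cert:", explain(SERVER_SHOW_TLS, CLIENT_SHOW_TLS, key_type))
    print("EC cert, RSA-only client:",
          explain(SERVER_SHOW_TLS, RSA_ONLY_CLIENT_SHOW_TLS, "EC"))
```

With the sample listings, an EC server certificate leaves exactly one usable suite (the ECDHE-ECDSA one), an RSA certificate leaves two, and the RSA-only client gets the "overlap but wrong key type" verdict even though its list does overlap with the server's. Replace the constructed listings with the real `openvpn --show-tls` output of each peer to run it against your own setup.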
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: SHA256withECDSA on OpenVPN 2.3.10
Is that TLS cipher ?
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
Looking at the OpenSSL code and other people who have run into the issue, it seems related to TLS ciphers.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 16
- Joined: Fri May 22, 2020 12:51 am
Re: SHA256withECDSA on OpenVPN 2.3.10
I can’t post the client config since, as I said earlier, it gets set using a graphical user interface. I have no way of knowing the exact client config running on the router. I am reaching out to that vendor. But at the same time this is a fairly general question about whether or not the code supports this. If this forum doesn’t support questions like this then just saying we don’t know would be more helpful than what you are currently doing.