SHA256withECDSA on OpenVPN 2.3.10

Scripts to manage certificates or generate config files


apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 6:54 am

I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 10:33 am

Try it and see ..

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 5:24 pm

I tried it and I get a:

TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

I’m not setting a tls-cipher on either the server or the client.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 5:27 pm

Well .. "no shared cipher" means exactly what it says ..

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 5:41 pm

What doesn’t make sense is that the two clients are both 2.3.x. The client is 2.3.17 and the server is 2.3.10. Would this cause the no shared cipher issue, or is using keys/certs with the SHA256withECDSA algorithm causing the no shared cipher error?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 5:54 pm

Your server and client have no ciphers which they can both use, i.e. a "shared" cipher.

Considering the lack of detail you have provided, it is difficult to expand on that.

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 6:27 pm

Here is the server config:

port 1194
proto udp
dh dh2048.pem
server 10.8.0.0 255.255.252.0
ifconfig-pool-persist ipp.txt
keepalive 10, 120
ca ca.crt
cert server.crt
key server.key
crl-verify crl.pem
dev tun
tun-mtu 1500
tls-auth ta.key 0
route 10.11.0.0 255.255.0.0
push route 10.11.0.0 255.255.0.0
client-config-dir ccd
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3

I'm not sure what additional information I can give you. The client config is on a router that I set using a graphical user interface.
Last edited by Pippin on Thu Jul 23, 2020 6:35 pm, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 6:32 pm

This'll get you started:
viewtopic.php?f=30&t=22603#p68963

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by Pippin » Thu Jul 23, 2020 6:36 pm

keepalive 10, 120

Comma doesn't belong there.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 6:39 pm

This is the full error from the server log:

2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS: Initial packet from [AF_INET]70.168.153.252:49046, sid=ebcceffc ecf400f9
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS Error: TLS object -> incoming plaintext read error

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 6:50 pm

Pippin wrote (Thu Jul 23, 2020 6:36 pm):
keepalive 10, 120
Comma doesn't belong there.

Looks like somebody should report a bug.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 6:52 pm

apache8080 wrote (Thu Jul 23, 2020 6:39 pm):
This is the full error from the server log:
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS: Initial packet from [AF_INET]70.168.153.252:49046, sid=ebcceffc ecf400f9
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS Error: TLS object -> incoming plaintext read error

We know .. so it looks like:

apache8080 wrote (Thu Jul 23, 2020 6:54 am):
I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.

I guess not ..

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 6:59 pm

Unless I missed it, I don't get why there is any documentation as to which OpenVPN client versions specific OpenVPN server versions are compatible with.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by Pippin » Thu Jul 23, 2020 7:04 pm

If I remember correctly, EC is for version 2.4 and higher.
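The two findings in this thread (EC certificates need OpenVPN 2.4 or higher, and `keepalive 10, 120` must not contain a comma) as a small pre-flight checker. This is an added example, not OpenVPN project code; the version banners, certificate text and config lines it uses are constructed to mirror the thread, and `live_check` assumes `openvpn` and `openssl` are on the PATH.

```python
"""Pre-flight checks for an OpenVPN 2.3.x deployment that is about to be
handed an EC (ECDSA) certificate.  Added example, not OpenVPN's own code."""
import re
import subprocess

EC_MIN_VERSION = (2, 4)  # per the thread: EC certs need OpenVPN 2.4 or higher


def parse_openvpn_version(banner):
    """Extract (major, minor) from the first line of `openvpn --version`,
    e.g. 'OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] ...'."""
    m = re.match(r"OpenVPN\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised OpenVPN version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def cert_uses_ec_key(x509_text):
    """True if `openssl x509 -noout -text` output shows an EC public key."""
    return "Public Key Algorithm: id-ecPublicKey" in x509_text


def ec_cert_compatible(banner, x509_text):
    """Decide whether this OpenVPN build can use the given certificate.
    An EC cert on 2.3.x is exactly the 'no shared cipher' case in the thread."""
    if not cert_uses_ec_key(x509_text):
        return True  # RSA certificates work on both 2.3 and 2.4
    return parse_openvpn_version(banner) >= EC_MIN_VERSION


def lint_config(text):
    """Flag keepalive lines whose arguments are comma-separated (the
    `keepalive 10, 120` typo from the posted server config)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.split()[:1] == ["keepalive"] and "," in line:
            problems.append((n, "keepalive takes space-separated args, not a comma"))
    return problems


def live_check(cert_path):
    """Run the real tools (assumed installed) and apply the checks above."""
    ver = subprocess.run(["openvpn", "--version"], capture_output=True, text=True)
    x509 = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          capture_output=True, text=True)
    return ec_cert_compatible(ver.stdout.splitlines()[0], x509.stdout)


if __name__ == "__main__":
    # constructed sample inputs mirroring the thread
    print(ec_cert_compatible("OpenVPN 2.3.10 x86_64-pc-linux-gnu",
                             "    Public Key Algorithm: id-ecPublicKey\n"))
    print(lint_config("keepalive 10, 120\ncipher AES-128-CBC\nauth SHA256\n"))
```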

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by Pippin » Thu Jul 23, 2020 7:08 pm

Check both sides with

openvpn --show-tls

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 7:16 pm

I ran openvpn --show-tls on both a 2.3.17 client and a 2.3.10 server and there are matching tls-ciphers like:

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 7:27 pm

apache8080 wrote (Thu Jul 23, 2020 5:24 pm):
ssl3_get_client_hello:no shared cipher

Is that TLS cipher ?

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 7:34 pm

Looking at the OpenSSL code and other people who have run into the issue, it seems related to TLS ciphers.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by TinCanTech » Thu Jul 23, 2020 7:50 pm

I am bored of this nonsense..

~Please ..... fill in the blanks:
viewtopic.php?f=30&t=22603

apache8080
OpenVpn Newbie
Posts: 16
Joined: Fri May 22, 2020 12:51 am

Re: SHA256withECDSA on OpenVPN 2.3.10

Post by apache8080 » Thu Jul 23, 2020 7:56 pm

I can’t post the client config since, as I said earlier, it gets set using a graphical user interface. I have no way of knowing the exact client config running on the router. I am reaching out to that vendor. But at the same time this is a fairly general question about whether or not the code supports this. If this forum doesn’t support questions like this then just saying we don’t know would be more helpful than what you are currently doing.
