
SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Posted: Tue Aug 06, 2013 8:22 am
by dukeluke
Hey,
I am trying to establish a connection between an iPhone or iPad (tried both, neither worked) with iOS 6.1.3.
When I use the same config on an Android phone it works flawlessly.
Here's the log I get on the server:

Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: MULTI: multi_create_instance called
Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 Re-using SSL/TLS context
Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 LZO compression initialized
Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 Control Channel MTU parms [ L:1547 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 Data Channel MTU parms [ L:1547 D:1450 EF:47 EB:135 ET:0 EL:0 AF:3/1 ]
Aug  6 09:40:31 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 TLS: Initial packet from 89.144.206.3:52866, sid=bf5e61c6 cf3a86d2
Aug  6 09:40:32 unknown daemon.err openvpn[4845]: 89.144.206.3:52866 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Aug  6 09:40:32 unknown daemon.err openvpn[4845]: 89.144.206.3:52866 TLS Error: TLS object -> incoming plaintext read error
Aug  6 09:40:32 unknown daemon.err openvpn[4845]: 89.144.206.3:52866 TLS Error: TLS handshake failed
Aug  6 09:40:32 unknown daemon.notice openvpn[4845]: 89.144.206.3:52866 SIGUSR1[soft,tls-error] received, client-instance restarting

I hope someone can help me.

kr, luki

Re: SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Posted: Wed Aug 28, 2013 11:01 am
by soulianis
I had a similar problem. It appears that not all TLS ciphers are supported with OpenVPN Connect on iOS.

The OpenVPN Connect client log should show which TLS cipher it wants, for example "DHE-RSA-AES256-SHA". Now, on the server side, use "openvpn --show-tls" to show a list of supported TLS ciphers and check whether or not the wanted cipher is listed.

In my case, on the server side I had to install a new OpenSSL library and then reconfigure/recompile OpenVPN.

Hope this helps.
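
The check described in the reply above, as an added example that is not part of the original thread: one function counts clients whose handshakes failed with "no shared cipher" in a server log, the other tests which of the client's wanted ciphers appear in the server's `openvpn --show-tls` output. The function names and both samples are constructed, and the one-cipher-name-per-line layout of the `--show-tls` output is an assumption.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# stdin: OpenVPN server syslog. Prints "client_ip failures" for every
# client whose TLS handshake failed with "no shared cipher".
no_shared_cipher_clients() {
    awk '/TLS_ERROR/ && /no shared cipher/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                     split($i, a, ":"); n[a[1]]++; break
                 }
         }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# stdin: saved "openvpn --show-tls" output (assumed one name per line).
# args: ciphers the client wants. Prints the ones the server lists;
# returns 1 when none match, which is the "no shared cipher" case.
shared_ciphers() {
    list=$(cat); found=1
    for c in "$@"; do
        if printf '%s\n' "$list" | grep -qxF -- "$c"; then
            echo "$c"; found=0
        fi
    done
    return $found
}

# Constructed log in the format shown in the first post (192.0.2.0/24
# is a documentation range).
sample_log() {
cat <<'EOF'
Aug  6 09:40:32 unknown daemon.err openvpn[4845]: 192.0.2.10:52866 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Aug  6 09:41:02 unknown daemon.err openvpn[4845]: 192.0.2.10:52901 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Aug  6 09:41:05 unknown daemon.notice openvpn[4845]: 192.0.2.77:40000 LZO compression initialized
EOF
}

# Constructed stand-in for the server's "openvpn --show-tls" output.
sample_server_list() {
cat <<'EOF'
Available TLS Ciphers,
listed in order of preference:

DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
EOF
}
sample_log | no_shared_cipher_clients
sample_server_list | shared_ciphers DHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-GCM-SHA384 || echo "none shared"
```

On a real server, pipe the actual command in place of the sample: `openvpn --show-tls | shared_ciphers DHE-RSA-AES256-SHA`.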

Re: SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Posted: Wed Aug 28, 2013 11:38 am
by dukeluke
Hey,
Thank you for the reply!
It's a bit difficult to install a new OpenSSL library on the server side, because it's an embedded Linux on a Linksys router.

But thanks for the answer, I'll just go with Android then :)

kr, luki

Re: SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Posted: Sun Aug 21, 2016 12:44 pm
by kolberda
This is usually remedied by going to the OpenVPN section of the iOS Settings app and selecting "Force AES-CBC ciphersuites". (Under iPhone Settings, not OpenVPN app settings)