iOS Connect with tls-cipher

Posted: Wed Apr 23, 2014 2:15 am
by redradioflyer
Hi Everyone,

I have an OpenVPN server (version 2.3.3 i686-pc-linux-gnu) and connect using various iOS devices (app version 1.0.4 build 140 iOS 32-bit).

I expected version 2.3.3 to allow the use of tls ciphers with ephemeral DH exchange (i.e. TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 or TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA) and "tls-version-min".

However, it appears that the iOS app does not support this because iOS devices cannot connect when the server.conf includes these "tls-cipher" options, and "[tls-cipher] [TLS-ECDHE-...]" shows up under "UNUSED OPTIONS" in the iOS app log.

Are there any tls-cipher options (preferably with ephemeral DH exchange) that can be used with the iOS app? If not, are there any plans to update the iOS app to use this feature?

Re: iOS Connect with tls-cipher

Posted: Wed Apr 23, 2014 10:48 pm
by redradioflyer
Hi Debbie

Thanks for getting back to me so quickly.

I'm a little confused by your response. It sounds like you're saying OpenVPN will let you use the tls-cipher as long as the devices being used also support it. Unfortunately, that doesn't seem to be my experience in trying to use it. Maybe you could help me understand?

I created a test pool with just the OpenVPN server (v2.3.3) and an iPhone 5 (iOS 7.1.1 with app v1.0.4). I confirmed that the server's OpenSSL suite supports TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 by checking "openssl ciphers -v". According to Apple's documentation, iOS also supports the exact same cipher (https://developer.apple.com/library/ios ... eConstants).

However, when I add that tls-cipher to the server and client configurations the iPhone will timeout whenever it tries to connect to the VPN. When I remove the tls-cipher the iPhone can successfully connect to the VPN once again.

Thanks for the help!

Re: iOS Connect with tls-cipher

Posted: Thu Apr 24, 2014 5:21 pm
by redradioflyer
When using "openvpn --show-tls" there are 32 options shown that use ECDH(E).
Is this a bug or error that needs to be corrected since OpenVPN does not support EC?

Re: iOS Connect with tls-cipher

Posted: Thu Apr 24, 2014 7:14 pm
by redradioflyer
Thanks!

After reading the ticket I eliminated the EC, GCM, and SHA2 tls ciphers and was able to successfully connect the iPhone to the server.

I appreciate all your help!
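The workaround the thread ends on (drop the EC, GCM and SHA-2 suites from tls-cipher) can be scripted. The following is an added example, not code from the thread or from the OpenVPN project: it filters a constructed sample of `openvpn --show-tls` output down to suites that an older client lacking EC/GCM/SHA-2 support can negotiate, keeps only ephemeral DHE suites as the OP wanted, and flags which suites in an existing tls-cipher value such a client would reject. The additional "AES only" restriction is an assumption of the example, not something the thread states.

```python
import re

# Constructed sample of `openvpn --show-tls` output (a short excerpt; real
# output lists many more suites). Used so the script runs offline.
SHOW_TLS_SAMPLE = """\
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-RC4-128-SHA
"""

# Suite features the thread found the 2014 iOS client (v1.0.4) could not use.
UNSUPPORTED = {
    "EC":   re.compile(r"-ECDHE?-"),        # elliptic-curve key exchange
    "GCM":  re.compile(r"-GCM-"),           # AEAD (GCM) cipher mode
    "SHA2": re.compile(r"-SHA(256|384)$"),  # SHA-2 MAC / PRF
}

def parse_show_tls(text):
    """Return the suite names from `openvpn --show-tls` output, in order."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("TLS-")]

def unsupported_features(suite):
    """List which of EC / GCM / SHA2 a suite name relies on (empty if none)."""
    return [name for name, rx in UNSUPPORTED.items() if rx.search(suite)]

def check_tls_cipher(option_value):
    """Map each suite in a colon-separated tls-cipher value to the features
    the old client lacks; suites it could use are omitted."""
    return {s: unsupported_features(s)
            for s in option_value.split(":") if unsupported_features(s)}

def build_tls_cipher(show_tls_text, require_ephemeral=True):
    """Build a tls-cipher value for the old client: no EC/GCM/SHA2, only
    DHE suites when require_ephemeral is set, and AES only (assumption)."""
    keep = []
    for s in parse_show_tls(show_tls_text):
        if unsupported_features(s):
            continue
        if require_ephemeral and "-DHE-" not in s:
            continue
        if "-AES-" not in s:
            continue
        keep.append(s)
    return ":".join(keep)

if __name__ == "__main__":
    print("tls-cipher", build_tls_cipher(SHOW_TLS_SAMPLE))
    print(check_tls_cipher("TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"))
```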