difference in 32 bit and 64 bit clients and TLS/SSLv3

Official client software for OpenVPN Access Server and OpenVPN Cloud.
dhellmann
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 28, 2016 11:35 pm


Post by dhellmann » Mon Mar 28, 2016 11:50 pm

I have an iPad 2 and an iPhone 5s, both with OpenVPN Connect 1.0.5 build 177 installed. The iPad 2 is 32 bit, the iPhone 5s is 64 bit. They are configured using the exact same client configuration, certs, etc. to talk to an OpenVPN server running on an Ubuntu server. The iPhone can connect, the iPad cannot. My Mac and other Linux systems can also connect. The thing that stands out as different to me in the setup is the bitness of the client running on the 2 iOS devices. Is it possible that the 32 bit client has a different SSL library, or different settings for the library? Thanks.

The server logs when the iPad connects:


Mar 28 23:43:44 vpn ovpn-example[2205]: y.y.y.y:45172 TLS: Initial packet from [AF_INET]y.y.y.y:45172, sid=d1ad5246 07453ebd
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 VERIFY OK: depth=1, C=US, ST=GA, L=Athens, O=example.net, OU=example, CN=example.net, name=Doug Hellmann, emailAddress=doug@example.net
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 VERIFY OK: depth=0, C=US, ST=GA, L=Athens, O=example.net, CN=hubert, emailAddress=doug@example.net
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 TLS_ERROR: BIO read tls_read_plaintext error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed: error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 TLS Error: TLS object -> incoming plaintext read error
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 TLS Error: TLS handshake failed
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 SIGUSR1[soft,tls-error] received, client-instance restarting

The server logs when the iPhone connects:


Mar 28 23:44:25 vpn ovpn-example[2205]: y.y.y.y:43574 TLS: Initial packet from [AF_INET]y.y.y.y:43574, sid=560fdd3d 3a109e3d
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 VERIFY OK: depth=1, C=US, ST=GA, L=Athens, O=example.net, OU=example, CN=example.net, name=Doug Hellmann, emailAddress=doug@example.net
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 VERIFY OK: depth=0, C=US, ST=GA, L=Athens, O=example.net, CN=dphone, emailAddress=doug@example.net
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 [dphone] Peer Connection Initiated with [AF_INET]y.y.y.y:43574
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 OPTIONS IMPORT: reading client specific options from: ccd/dphone
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 Options error: Unrecognized option or missing parameter(s) in ccd/dphone:1: ifconfig-push (2.3.2)
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 MULTI_sva: pool returned IPv4=10.9.0.14, IPv6=(Not enabled)
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 MULTI: Learn: 10.9.0.14 -> dphone/y.y.y.y:43574
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 MULTI: primary virtual IP for dphone/y.y.y.y:43574: 10.9.0.14
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 PUSH: Received control message: 'PUSH_REQUEST'
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 send_push_reply(): safe_cap=940
Mar 28 23:44:26 vpn ovpn-example[2205]: dphone/y.y.y.y:43574 SENT CONTROL [dphone]: 'PUSH_REPLY,route 10.9.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,ifconfig 10.9.0.14 10.9.0.13' (status=1)

The client configuration file, stripped of comments, contains:


$ cat example.ovpn  | grep -v '^#' | grep -v '^$' | grep -v '^;'
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca example-ca.crt
cert example-client.crt
key example-client.key
ns-cert-type server
comp-lzo
verb 3

The server config file, stripped, contains:


$ cat example.conf  | grep -v '^#' | grep -v '^$' | grep -v '^;'
port 1194
proto udp
dev tun
ca ca.crt
cert vpn.example.net.crt
key vpn.example.net.key  # This file should be kept secret
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
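
An added example, not part of the original post: a small Python triage script that groups OpenVPN server log lines like those quoted above by peer address and splits the TLS_ERROR line into its OpenSSL error-queue entries. The sample log is constructed from a subset of the quoted lines, and the names summarize, LINE and OSSL are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the two server logs quoted in the post above.
SAMPLE_LOG = """\
Mar 28 23:43:44 vpn ovpn-example[2205]: y.y.y.y:45172 TLS: Initial packet from [AF_INET]y.y.y.y:45172, sid=d1ad5246 07453ebd
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 VERIFY OK: depth=0, C=US, ST=GA, L=Athens, O=example.net, CN=hubert, emailAddress=doug@example.net
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 TLS_ERROR: BIO read tls_read_plaintext error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed: error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Mar 28 23:43:45 vpn ovpn-example[2205]: y.y.y.y:45172 TLS Error: TLS handshake failed
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 VERIFY OK: depth=0, C=US, ST=GA, L=Athens, O=example.net, CN=dphone, emailAddress=doug@example.net
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mar 28 23:44:26 vpn ovpn-example[2205]: y.y.y.y:43574 [dphone] Peer Connection Initiated with [AF_INET]y.y.y.y:43574
"""

# syslog tag, optional "<CN>/" prefix, peer ip:port, then the OpenVPN message
LINE = re.compile(r"\S+\[\d+\]: (?:[^/\s]+/)?(?P<peer>\S+:\d+) (?P<msg>.*)")
# One OpenSSL error-queue entry: error:<hex code>:<library>:<function>:<reason>
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+)")

def summarize(log_text):
    """Group server log lines by peer ip:port and record how each handshake ended."""
    sessions = defaultdict(lambda: {"cn": None, "outcome": "incomplete",
                                    "control": None, "errors": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m["peer"]], m["msg"]
        if msg.startswith("VERIFY OK: depth=0"):
            cn = re.search(r"\bCN=([^,]+)", msg)
            s["cn"] = cn.group(1) if cn else None
        elif msg.startswith("TLS_ERROR:"):
            s["errors"] += [tuple(p.strip() for p in e) for e in OSSL.findall(msg)]
        elif msg.startswith("Control Channel:"):
            s["control"] = msg.split(": ", 1)[1]
        elif "TLS handshake failed" in msg:
            s["outcome"] = "tls-failed"
        elif "Peer Connection Initiated" in msg:
            s["outcome"] = "connected"
    return dict(sessions)

if __name__ == "__main__":
    for peer, s in summarize(SAMPLE_LOG).items():
        print(peer, s["cn"], s["outcome"], s["control"] or "")
        for code, lib, func, reason in s["errors"]:
            print(f"    {code}  {lib:<12}  {func}: {reason}")
```

In the failed session the SSL-layer entry SSL3_GET_CERT_VERIFY is OpenSSL's server-side handler for the client's CertificateVerify message, so the failure comes after both VERIFY OK lines, at the step where the client's signature is checked against the public key in its certificate.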

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: difference in 32 bit and 64 bit clients and TLS/SSLv3

Post by Traffic » Tue Mar 29, 2016 11:20 am

See your server and client log files for details of OpenVPN and OpenSSL/PolarSSL versions.

dhellmann
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 28, 2016 11:35 pm

Re: difference in 32 bit and 64 bit clients and TLS/SSLv3

Post by dhellmann » Tue Mar 29, 2016 4:57 pm

Traffic wrote: See your server and client log files for details of OpenVPN and OpenSSL/PolarSSL versions.
Sorry, I'm not sure what that means. Are you saying that you'd like for me to tell you the versions of those things? Or that if I look at the versions on the server that will give me a clue about solving the problem?
