OpenVPN Support Forum

I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.

Try it and see ..

I tried it and I get a: I’m not setting a tls-cipher on either the server or the client.

Well .. "no shared cipher" means exactly what it says ..

What doesn’t make sense is the two clients are both 2.3.x? The client is 2.3.17 and the server is 2.3.10. Would this cause the no shared cipher issue or is using keys/certs with the SHA256withECDSA algorithm causing the no shared cipher error?

Your server and client have no ciphers which they can both use. eg. "shared" cipher.

Considering the lack of detail you have provided, it is difficult to expand on that.

Here is the server config:


I'm not sure what additional information I can give you. The client config is on a router that I set using a graphical user interface.

Thistle get you started:
viewtopic.php?f=30&t=22603#p68963

Comma doesn't belong there.

This is the full error from the server log:

Pippin wrote: ↑

Thu Jul 23, 2020 6:36 pm

Code: Select all

keepalive 10, 120

Comma doesn't belong there.

Looks like somebody should report a bug.

apache8080 wrote: ↑

Thu Jul 23, 2020 6:39 pm

This is the full error from the server log:

Code: Select all

2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS: Initial packet from [AF_INET]70.168.153.252:49046, sid=ebcceffc ecf400f9
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020/07/23 05:29:13 DEBUG [openvpn-proc] Stdout: Thu Jul 23 05:29:13 2020 70.168.153.252:49046 TLS Error: TLS object -> incoming plaintext read error

We know .. so it looks like:

apache8080 wrote: ↑

Thu Jul 23, 2020 6:54 am

I was wondering if I can use Keys/Certs generated with the SHA256withECDSA using OpenVPN 2.3.10.

I guess not ..

Unless I missed it, I don't get why there is any documentation as to what OpenVPN client versions are specific OpenVPN server versions compatible with.

If I remember correctly, EC is for version 2.4 and higher.

Check both sides with

I ran openvpn --show-tls on both a 2.3.17 client and a 2.3.10 server and there are matching tls-ciphers like:

apache8080 wrote: ↑

Thu Jul 23, 2020 5:24 pm

ssl3_get_client_hello:no shared cipher

Is that TLS cipher ?

Looking at the OpenSSL code and other people who have ran into the issue it seems related to TLS ciphers.

I am bored of this nonsense..

~Please ..... fill in the blanks:
viewtopic.php?f=30&t=22603

I can’t post the client config since as I said earlier it gets set using a graphical user interface. I have no way of knowing the exact client config running on the router. I am reaching out to that vendor. But at the same time this is a fairly general question about wether or not the code supports this. If this forum doesn’t support questions like this then just saying we don’t know would be more helpful than what you are currently doing.