How do I manage the error "OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol"? [closed]

openssl openvpn

While trying to connect to a VPN via openvpn I get the following error from openssl

Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)

This error does not arise when using OpenSSL 1.1.0h.

  • Why does this error arise after upgrading the openssl libraries?
  • How do I manage around this recurring problem?
  • Is there a way to make this work by giving some flags to openvpn CLI instead of downgrading openssl?

OS: Debian Sid


You don't have to downgrade OpenSSL.

With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Debian now require as minimum the TLS 1.2 version instead TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.

I recommend upgrade openvpn on server to newer version which support TLS 1.2..

Second options (not much secure) is modify MinProcotol to TLSv1 or TLSv1.1.


You don't have to downgrade OpenSSL or change the system default.

Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn client to configure libssl with a different minimum protocol version. The option is --tls-version-min or tls-version-min in a config file.

It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.


You can even directly override the system default e.g. by using:

tls-cipher "DEFAULT:@SECLEVEL=1"

to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).

Related

Advanced XAML Animation effects. Pulse, Marching ants, Rotations. Alerts
How to handle OutOfMemoryError in Java? [duplicate]
Apache Mod Rewrite For Laravel
Java how to call method by reflection with primitive types as arguments
How can I merge a branch into master but continue working on the branch?
Laravel Rule Validation for Numbers
What does [&] mean before function? [duplicate]
How to convert XML to JSON in Python? [duplicate]
Byte[] to ASCII
Cygwin error: "-bash: fork: retry: Resource temporarily unavailable"
MySQL Change a column ENUM value
In C, sizeof operator returns 8 bytes when passing 2.5m but 4 bytes when passing 1.25m * 2