How do I manage the error "OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol"? [closed]
While trying to connect to a VPN via openvpn
I get the following error from openssl
Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)
This error does not arise when using OpenSSL 1.1.0h.
- Why does this error arise after upgrading the
openssl
libraries? - How do I manage around this recurring problem?
- Is there a way to make this work by giving some flags to
openvpn
CLI instead of downgradingopenssl
?
OS: Debian Sid
You don't have to downgrade OpenSSL.
With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Debian now require as minimum the TLS 1.2 version instead TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.
I recommend upgrade openvpn on server to newer version which support TLS 1.2..
Second options (not much secure) is modify MinProcotol to TLSv1 or TLSv1.1.
You don't have to downgrade OpenSSL or change the system default.
Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn
client to configure libssl with a different minimum protocol version. The option
is --tls-version-min
or tls-version-min
in a config file.
It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.
You can even directly override the system default e.g. by using:
tls-cipher "DEFAULT:@SECLEVEL=1"
to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).