openvpn, option tls-cipher not working, no shared cipher
While experimenting with setting up OpenVPN, I stumbled upon this tip on a website. It says that you can limit the list of ciphers to prevent downgrade attacks. I tested it in a LAN with 2 computers, both running Kubuntu 14.04 with OpenVPN 2.3.2.
In the server.conf on the OpenVPN server, I inserted this line
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
By executing openvpn --show-tls
and comparing the output, I made sure that each of the ciphers in the line above is known to my version of OpenVPN (on both server and client).
But when I start the OpenVPN server and the client afterwards, the server gives me the following output
Fri Sep 25 12:31:59 2015 "THECLIENTSIP":38749 TLS: Initial packet from [AF_INET]"THECLIENTSIP":38749, sid=d9c33d37 653b2f0e
Fri Sep 25 12:32:00 2015 "THECLIENTSIP":38749 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Fri Sep 25 12:32:00 2015 "THECLIENTSIP":38749 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 25 12:32:00 2015 "THECLIENTSIP":38749 TLS Error: TLS handshake failed
Fri Sep 25 12:32:00 2015 "THECLIENTSIP":38749 SIGUSR1[soft,tls-error] received, client-instance restarting
Without that tls-cipher option it works fine.
I don't understand why it says "no shared cipher". Is the way I list the ciphers separated with colons wrong? Or what is the problem here?
Thank you for reading. I hope anyone can help me.
edit
I replaced the line in the server.conf with
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
to see what happens,
and the output of the OpenVPN server is the same.
edit 2
I was searching further and found this site https://community.openvpn.net/openvpn/wiki/Hardening
and now understood that OpenVPN 2.3.2 only has support for SSLv3/TLSv1.0 ciphersuites.
But openvpn --show-tls
also shows TLSv1.2 ciphersuites.
Limiting to TLSv1.0 DHE + RSA choices yields the following list, suitable for <=2.3.2 peers. DES choices are best avoided, especially single-DES (known very weak.)
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
Avoid all DES cipher suites: DES is known to be very weak (3DES-EDE is still fine)
Avoid all RC4 ciphersuites: RC4 is known to be weak
Avoid all EXPORT cipher suites: EXPORT was specified to be weak many years ago
And it works when I use one of these ciphers in the server.conf, e.g.
tls-cipher TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
Sadly, that page does not say how exactly I can yield that list myself... does anyone know?
Since TLSv1.0 is SSLv3 and OpenVPN says it uses OpenSSL,
I tried to get that information via OpenSSL, filtering with grep
openssl ciphers -v | grep SSLv3 | grep Kx=DH
but the output is different (for example the word WITH does not show up in that list).
Assuming that there is maybe only a difference in notation, I tried to replace some text with sed
openssl ciphers -v | grep SSLv3 | grep Kx=DH | grep DHE-RSA | sed 's/DHE-RSA/TLS-DHE-RSA-WITH/g' | awk '{print $1}'
prints:
TLS-DHE-RSA-WITH-AES256-SHA
TLS-DHE-RSA-WITH-CAMELLIA256-SHA
TLS-DHE-RSA-WITH-AES128-SHA
TLS-DHE-RSA-WITH-SEED-SHA
TLS-DHE-RSA-WITH-CAMELLIA128-SHA
But this is still not the same as the list in the "Hardening OpenVPN" article, and I am not sure if that is the right way anyway...
On this site using DHE-RSA-AES256-SHA is encouraged. So, I assume, the safest tls-cipher I can use with OpenVPN 2.3.2 is TLS-DHE-RSA-WITH-AES-256-CBC-SHA. But that answer is from November 2013. Is that still the best choice? Somehow this is a different question now, but this is all about finding the safest tls-cipher option.
edit 3
OK, I could extend that openssl-grep-sed command
openssl ciphers -v | grep SSLv3 | grep Kx=DH | grep DHE-RSA | sed 's/DHE-RSA/TLS-DHE-RSA-WITH/g' | sed 's/SHA/CBC-SHA/g'| awk '{print $1}'
prints:
TLS-DHE-RSA-WITH-AES256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA256-CBC-SHA
TLS-DHE-RSA-WITH-AES128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA128-CBC-SHA
Now it's the same list as in that article without the DES and 3DES entries.
So is this now the right result? Because this solution is only based on the assumption that there is only a difference in notation between the output of the openssl ciphers -v command and the openvpn --show-tls command.
edit 4
No, sorry, it wasn't the same list as in that article without the DES and 3DES entries... now it is:
openssl ciphers -v | grep SSLv3 | grep Kx=DH | grep DHE-RSA | sed 's/DHE-RSA/TLS-DHE-RSA-WITH/g' | sed 's/SHA/CBC-SHA/g'| sed 's/AES/AES-/g' | sed 's/CAMELLIA/CAMELLIA-/g' | awk '{print $1}'
prints:
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
But this is a messed-up way, isn't it? And it only works this way if the list of cipher names doesn't grow.
Sorry if the "question" might be confusing... please comment, and thanks a lot if you at least took the time to read this!
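As an added example (not part of the original post or of OpenVPN itself): the sed-chain guesswork can be replaced by a fixed mapping, because OpenSSL 1.1.1 and later prints each suite's standard RFC/IANA name with `openssl ciphers -v -stdname`, and OpenVPN's --show-tls / --tls-cipher names are exactly those IANA names with underscores turned into hyphens. The OpenSSL output embedded below is a constructed sample (the OP's Ubuntu 14.04 OpenSSL 1.0.1 does not have -stdname), and the filter follows the Hardening page's rule: TLSv1.0 suites (listed as SSLv3), DHE key exchange with RSA authentication, single-DES/RC4/EXPORT dropped.

```python
import re

# Constructed sample of `openssl ciphers -v -stdname` output (OpenSSL 1.1.1+):
# IANA name, then OpenSSL's short name, protocol, key exchange, auth, cipher, MAC.
SAMPLE_OPENSSL_OUTPUT = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
TLS_DHE_RSA_WITH_SEED_CBC_SHA - DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
TLS_DHE_RSA_WITH_DES_CBC_SHA - DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
TLS_RSA_WITH_RC4_128_SHA - RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<std>TLS_\w+) - (?P<ossl>\S+) (?P<ver>\S+) "
    r"Kx=(?P<kx>\S+) Au=(?P<au>\S+) Enc=(?P<enc>\S+) Mac=(?P<mac>\S+)"
)

def openvpn_name(std_name):
    """OpenVPN's --show-tls / --tls-cipher names are the IANA names with '-' for '_'."""
    return std_name.replace("_", "-")

def is_weak(ovpn_name):
    """Suites the Hardening page says to avoid: single DES, RC4, EXPORT (3DES-EDE stays)."""
    parts = ovpn_name.split("-")
    return "RC4" in parts or "EXPORT" in parts or ("DES" in parts and "3DES" not in parts)

def tls10_dhe_rsa_suites(openssl_output, drop_weak=True):
    """OpenVPN names of TLSv1.0 (shown as SSLv3) DHE+RSA suites, in OpenSSL's order."""
    suites = []
    for line in openssl_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("ver") != "SSLv3":
            continue  # not a TLSv1.0 suite (TLSv1.2 ones are useless for a 2.3.2 peer)
        if m.group("kx") != "DH" or m.group("au") != "RSA":
            continue  # ECDH, static RSA, etc.
        name = openvpn_name(m.group("std"))
        if drop_weak and is_weak(name):
            continue
        suites.append(name)
    return suites

def tls_cipher_directive(openssl_output):
    """Build the server.conf line; OpenVPN takes a colon-separated list."""
    return "tls-cipher " + ":".join(tls10_dhe_rsa_suites(openssl_output))
```

On a real system, feed `subprocess.check_output(["openssl", "ciphers", "-v", "-stdname"]).decode()` to tls_cipher_directive instead of the constructed sample.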
I don't think OpenVPN supports ECDHE yet - I have tried OpenVPN 2.3.4 on Debian 8.3 (stable) and 2.3.10 on Debian testing as server, and neither works when tls-cipher is specified with an ECDHE ciphersuite, connecting from a Windows client running 2.3.10. So far only DHE ones work.