[Pkg-openssl-devel] Bug#912864: openssl: new version of openssl breaks some openvpn clients
James Bottomley
James.Bottomley at HansenPartnership.com
Sun Nov 4 16:59:05 GMT 2018
Package: openssl
Version: 1.1.1-2
Severity: important
I've applied all the downgrades recommended to the openssl.cnf file
and most services are now working again with the exception of openvpn.
The only failure seems to be a VPN connection to an openwrt router.
The router is running Chaos Calmer 15.05 and has an upgraded openssl
(to 1.0.2g-1).
The error is on the debian server side and only shows up at openvpn
extreme verbosity:
Sun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
The full verbose negotiation is:
Sun Nov 4 08:40:04 2018 us=116122 50.35.68.20:56038 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Nov 4 08:40:04 2018 us=116160 50.35.68.20:56038 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun Nov 4 08:40:04 2018 us=116243 50.35.68.20:56038 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Nov 4 08:40:04 2018 us=116263 50.35.68.20:56038 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
RSun Nov 4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
WRRWRSun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Sun Nov 4 08:40:04 2018 us=150331 50.35.68.20:56038 TLS_ERROR: BIO read tls_read_plaintext error
Sun Nov 4 08:40:04 2018 us=150984 50.35.68.20:56038 TLS Error: TLS object -> incoming plaintext read error
Sun Nov 4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
Sun Nov 4 08:40:04 2018 us=152357 50.35.68.20:56038 SIGUSR1[soft,tls-error] received, client-instance restarting
Obviously this was all working with 1.1.0, so something seems to have
changed in the TLS negotiation routines.
I can fix this in the client by adding the openssl command
--tls-version-min 1.0, so it probably means, the way openvpn works, that
the openssl version installed in openwrt has some strange TLS version
< 1.0. But clearly openssl shouldn't error out when presented with
lower ciphers; it should negotiate the mutually acceptable version.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.18.0-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssl depends on:
ii libc6 2.27-8
ii libssl1.1 1.1.1-2
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20170717
-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]
-- no debconf information
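Added example, not part of the bug report above: a small Python checker that parses OpenVPN's verbose server log format quoted in the report (timestamp, `us=` microseconds, peer address, message, with the `R`/`W` packet-trace markers that verb 5+ glues onto the next line), decodes the packed OpenSSL 1.1.x error code, and reports per peer whether the control-channel handshake completed or failed because the client's TLS version fell outside the server's allowed range. The sample log is constructed from the lines in the report plus a second, invented peer that succeeds.

```python
import re

# Reason code SSL_R_UNSUPPORTED_PROTOCOL (0x102): the low 12 bits of error 14209102.
# OpenSSL raises it in tls_early_post_process_client_hello when the client's
# version is outside the server's min/max protocol range.
SSL_R_UNSUPPORTED_PROTOCOL = 0x102

# OpenVPN log line: optional R/W packet markers (verb>=5) glued to the timestamp,
# then 'us=<microseconds>', the peer address, and the message text.
LINE_RE = re.compile(
    r"^[RW]*(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=\d+ (?P<peer>\S+) (?P<msg>.*)$"
)
# OpenSSL 1.1.x error string: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>.+)$"
)

# Constructed sample: the failing peer from the report and an invented peer that negotiates TLSv1.2.
SAMPLE_LOG = """\
Sun Nov 4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
WRRWRSun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Sun Nov 4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
Sun Nov 4 08:40:05 2018 us=000010 198.51.100.7:41000 TLS: Initial packet from [AF_INET]198.51.100.7:41000, sid=0a0b0c0d 01020304
Sun Nov 4 08:40:05 2018 us=200000 198.51.100.7:41000 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
"""

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def classify_handshakes(log_text):
    """Map each peer to the outcome of its TLS control-channel handshake."""
    outcome = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an OpenVPN log line (or a bare packet marker)
        peer, msg = m.group("peer"), m.group("msg")
        outcome.setdefault(peer, "incomplete")
        err = OPENSSL_ERR_RE.search(msg)
        if err:
            _, _, reason = decode_openssl_error(err.group("code"))
            # Version mismatch: check MinProtocol in openssl.cnf against the peer's TLS version.
            outcome[peer] = "version-mismatch" if reason == SSL_R_UNSUPPORTED_PROTOCOL \
                else "tls-error:" + err.group("reason")
        elif msg.startswith("Control Channel: TLSv"):
            outcome[peer] = "ok:" + msg.split()[2].rstrip(",")   # negotiated TLS version
        elif "TLS handshake failed" in msg and outcome[peer] == "incomplete":
            outcome[peer] = "failed"  # handshake failed without an OpenSSL error line
    return outcome

if __name__ == "__main__":
    for peer, result in classify_handshakes(SAMPLE_LOG).items():
        print(peer, result)
```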