[Pkg-utopia-maintainers] Bug#933177: network-manager-openvpn: unable to connect after upgrade to buster due to new OpenSSL minimum TLS version

Nis Martensen nis.martensen at web.de
Sat Jul 27 11:10:03 BST 2019


Package: network-manager-openvpn
Version: 1.8.10-1
Severity: normal

Dear Maintainer,

After upgrading my laptop to buster I could no longer connect to the one
remote VPN server I need.  This is caused by OpenSSL now disabling TLS
version 1.0 and 1.1 by default.

The system log provided a helpful error message:

nm-openvpn[4327]: TLS error: Unsupported protocol. This typically
  indicates that client and server have no common TLS version enabled.
  This can be caused by mismatched tls-version-min and tls-version-max
  options on client and server. If your OpenVPN client is between v2.3.6
  and v2.3.2 try adding tls-version-min 1.0 to the client configuration
  to use TLS 1.0+ instead of TLS 1.0 only
nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
nm-openvpn[4327]: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn[4327]: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn[4327]: TLS Error: TLS handshake failed
nm-openvpn[4327]: Fatal TLS error (check_tls_errors_co), restarting
nm-openvpn[4327]: SIGUSR1[soft,tls-error] received, process restarting


A web search suggested two possible ways of fixing the problem:
https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol

 (a) configuring the VPN client to allow TLS version 1.0
 (b) adjusting the system-wide OpenSSL MinProtocol setting

The first option unfortunately does not work, as there seems to be no
way to configure this. Setting tls-version-min in my .ovpn file before
importing it into network-manager does not change anything, it seems
this configuration option is silently ignored.

The second option works, but is not a preferable solution since TLS
versions 1.0 and 1.1 have been disabled by default for a reason.


So - is there a way I have missed to configure a minimum TLS version for
the VPN connection that is different from the OpenSSL system default?
If not, is it a known limitation that the "tls-version-min" option is
not imported or is it a bug?


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8), LANGUAGE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.118
ii  libc6            2.28-10
ii  libglib2.0-0     2.58.3-2
ii  libnm0           1.14.6-2
ii  network-manager  1.14.6-2
ii  openvpn          2.4.7-1

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
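To make the failure mode in the log concrete, here is a small model of the TLS version negotiation and of the two knobs the report discusses. This is an added example, not code from the bug report, from OpenVPN or from OpenSSL. It assumes: an openssl.cnf whose floor lives in a section named `system_default_sect` (as in Debian's file; the `ssl_conf`/`system_default` indirection is not followed), a remote server that only speaks TLS 1.0, and a simplified precedence rule (an explicit `tls-version-min` in the profile, otherwise OpenSSL's `MinProtocol`, is taken as the client's floor). The config texts, server range and log lines are constructed for the illustration.

```python
"""Model the TLS version negotiation behind the "Unsupported protocol" error.

Added example; not code from the bug report, OpenVPN or OpenSSL.  The config
texts, server range and log lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Protocol names as openssl.cnf spells them, oldest first.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# OpenVPN's tls-version-min/max take "1.0", "1.1", ...; map them onto OpenSSL names.
OVPN_TO_OPENSSL = {"1.0": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2", "1.3": "TLSv1.3"}


def openssl_min_protocol(cnf_text: str) -> Optional[str]:
    """Return MinProtocol from [system_default_sect] of an openssl.cnf, or None if unset.

    Assumption: the section is named system_default_sect, as in Debian's
    openssl.cnf; the ssl_conf/system_default indirection is not followed.
    """
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"\[\s*(\w+)\s*\]", line)
        if header:
            section = header.group(1)
        elif section == "system_default_sect" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "MinProtocol":
                return value
    return None


def ovpn_tls_range(ovpn_text: str) -> Tuple[str, str]:
    """Client TLS range from tls-version-min / tls-version-max in an .ovpn profile.

    Defaults follow the OpenVPN 2.4 man page: minimum 1.0, maximum the highest
    version the library supports (assumed TLSv1.3 here).
    """
    lo, hi = "TLSv1", "TLSv1.3"
    for raw in ovpn_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "tls-version-min":
            lo = OVPN_TO_OPENSSL[parts[1]]
        elif len(parts) >= 2 and parts[0] == "tls-version-max":
            hi = OVPN_TO_OPENSSL[parts[1]]
    return lo, hi


def negotiate(client: Tuple[str, str], server: Tuple[str, str]) -> Optional[str]:
    """Highest TLS version inside both ranges, or None: the 'no common TLS version' case."""
    lo = max(TLS_ORDER.index(client[0]), TLS_ORDER.index(server[0]))
    hi = min(TLS_ORDER.index(client[1]), TLS_ORDER.index(server[1]))
    return TLS_ORDER[hi] if lo <= hi else None


def is_version_mismatch(log_lines: List[str]) -> bool:
    """True when an OpenVPN/OpenSSL log carries the version-mismatch signature."""
    return any("unsupported protocol" in line.lower() for line in log_lines)


# --- constructed inputs ---------------------------------------------------
# Buster's default floor, and the relaxed form that workaround (b) amounts to.
CNF_BUSTER = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
CNF_RELAXED = "[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=2\n"
# A profile without and with the client-side option of workaround (a).
OVPN_PLAIN = "client\nremote vpn.example.net 1194\n"
OVPN_TLS_MIN = "client\nremote vpn.example.net 1194\ntls-version-min 1.0\n"
# Assumed: the remote server only speaks TLS 1.0.
SERVER_RANGE = ("TLSv1", "TLSv1")
# Two lines modelled on the report's log output.
LOG = [
    "nm-openvpn[4327]: TLS error: Unsupported protocol. This typically",
    "nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol",
]


def outcome(cnf_text: str, ovpn_text: str) -> Optional[str]:
    """Negotiated version for one client configuration against SERVER_RANGE.

    Model assumption: whichever floor is in force (tls-version-min when set in
    the profile, otherwise OpenSSL's MinProtocol) is the client's minimum; the
    real precedence between OpenVPN and OpenSSL settings is not modelled.
    """
    lo, hi = ovpn_tls_range(ovpn_text)
    if "tls-version-min" not in ovpn_text:
        lo = openssl_min_protocol(cnf_text) or lo
    return negotiate((lo, hi), SERVER_RANGE)


if __name__ == "__main__":
    print("mismatch signature in log:", is_version_mismatch(LOG))
    print("buster default, plain profile:", outcome(CNF_BUSTER, OVPN_PLAIN))
    print("MinProtocol relaxed (b):", outcome(CNF_RELAXED, OVPN_PLAIN))
    print("tls-version-min 1.0 (a):", outcome(CNF_BUSTER, OVPN_TLS_MIN))
```

Run stand-alone, the script reports the buster default against a TLS 1.0-only server as no common version, and either relaxed floor as TLSv1. Relaxing `MinProtocol` in openssl.cnf lowers the floor for every OpenSSL consumer on the host, which is why the report prefers a per-connection option; the model shows the effect of each knob, not how OpenVPN and OpenSSL resolve both being set.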


