[Pkg-utopia-maintainers] Bug#933177: network-manager-openvpn: unable to connect after upgrade to buster due to new OpenSSL minimum TLS version
Nis Martensen
nis.martensen at web.de
Sat Jul 27 11:10:03 BST 2019
Package: network-manager-openvpn
Version: 1.8.10-1
Severity: normal
Dear Maintainer,
After upgrading my laptop to buster I could no longer connect to the one
remote VPN server I need. This is caused by OpenSSL now disabling TLS
versions 1.0 and 1.1 by default.
The system log provided a helpful error message:
nm-openvpn[4327]: TLS error: Unsupported protocol. This typically
indicates that client and server have no common TLS version enabled.
This can be caused by mismatched tls-version-min and tls-version-max
options on client and server. If your OpenVPN client is between v2.3.6
and v2.3.2 try adding tls-version-min 1.0 to the client configuration
to use TLS 1.0+ instead of TLS 1.0 only
nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
nm-openvpn[4327]: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn[4327]: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn[4327]: TLS Error: TLS handshake failed
nm-openvpn[4327]: Fatal TLS error (check_tls_errors_co), restarting
nm-openvpn[4327]: SIGUSR1[soft,tls-error] received, process restarting
A web search suggested two possible ways of fixing the problem:
https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol
(a) configuring the VPN client to allow TLS version 1.0
(b) adjusting the system-wide OpenSSL MinProtocol setting
The first option unfortunately does not work, as there seems to be no
way to configure this. Setting tls-version-min in my .ovpn file before
importing it into network-manager does not change anything; it seems
this configuration option is silently ignored.
The second option works, but is not a preferable solution since TLS
versions 1.0 and 1.1 have been disabled by default for a reason.
So - is there a way I have missed to configure a minimum TLS version for
the VPN connection that is different from the OpenSSL system default?
If not, is it a known limitation that the "tls-version-min" option is
not imported or is it a bug?
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8), LANGUAGE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages network-manager-openvpn depends on:
ii adduser 3.118
ii libc6 2.28-10
ii libglib2.0-0 2.58.3-2
ii libnm0 1.14.6-2
ii network-manager 1.14.6-2
ii openvpn 2.4.7-1
network-manager-openvpn recommends no packages.
network-manager-openvpn suggests no packages.
-- no debconf information
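The following is an added example, not part of the bug report and not code from OpenVPN, OpenSSL or network-manager-openvpn. It does two things the report touches on: it picks out the nm-openvpn log lines that signal a TLS version mismatch, and it models the negotiation so the two candidate fixes can be compared. The sample log is constructed from the lines quoted above; the server's TLS range is an assumption made for the example; and the rule that an explicit tls-version-min overrides the OpenSSL MinProtocol floor while an absent one leaves the library floor in charge is a modelling assumption drawn from the report and the linked StackOverflow answer, not verified against the OpenVPN source.

```python
"""Added example, not part of the bug report or of OpenVPN/NetworkManager:
model the TLS version negotiation the nm-openvpn log complains about and
pick out the log lines that signal it."""
import re

# TLS versions in ascending order, as OpenVPN's tls-version-min/max name them.
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")

# Constructed sample log, modelled on the lines quoted in the report
# (one unrelated, made-up line added to show it is not matched).
SAMPLE_LOG = """\
nm-openvpn[4327]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
nm-openvpn[4327]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
nm-openvpn[4327]: TLS Error: TLS handshake failed
nm-openvpn[4327]: Data Channel: using negotiated cipher 'AES-256-GCM'
"""

# Signatures of a client/server TLS version mismatch under OpenSSL 1.1.1.
MISMATCH_PATTERNS = (
    re.compile(r"ssl_choose_client_version:unsupported protocol"),
    re.compile(r"no common TLS version enabled"),
)


def find_tls_mismatch_lines(log_text):
    """Return the log lines that point at a TLS version mismatch."""
    return [line for line in log_text.splitlines()
            if any(p.search(line) for p in MISMATCH_PATTERNS)]


def effective_range(tls_min, tls_max, library_min):
    """Effective (lowest, highest) TLS version index one side will accept.

    Modelling assumption (not verified against the OpenVPN source): an
    explicit tls-version-min overrides the library floor (MinProtocol in
    openssl.cnf); when tls-version-min is absent (None) the library floor
    applies, which is what the report observes on buster. A tls-version-max
    of None means 'highest the library supports'. Returns None when the
    floor is above the ceiling.
    """
    lo = TLS_VERSIONS.index(tls_min if tls_min is not None else library_min)
    hi = TLS_VERSIONS.index(tls_max) if tls_max is not None else len(TLS_VERSIONS) - 1
    return (lo, hi) if lo <= hi else None


def common_tls_versions(client, server):
    """Versions both peers accept, ascending; an empty list means the
    handshake fails with the 'Unsupported protocol' error quoted above.

    client/server are dicts with keys tls_min, tls_max, library_min.
    """
    c = effective_range(client["tls_min"], client["tls_max"], client["library_min"])
    s = effective_range(server["tls_min"], server["tls_max"], server["library_min"])
    if c is None or s is None:
        return []
    lo, hi = max(c[0], s[0]), min(c[1], s[1])
    return list(TLS_VERSIONS[lo:hi + 1])


# Scenario from the report: buster client (OpenSSL MinProtocol = TLSv1.2, no
# tls-version-min imported) against an old server that only speaks TLS 1.0.
# The server's figures are an assumption for the example, not from the report.
OLD_SERVER = {"tls_min": "1.0", "tls_max": "1.0", "library_min": "1.0"}
BUSTER_CLIENT = {"tls_min": None, "tls_max": None, "library_min": "1.2"}

# Fix (a): tls-version-min 1.0 on this one connection, system floor untouched.
CLIENT_FIX_A = dict(BUSTER_CLIENT, tls_min="1.0")
# Fix (b): lower the system-wide MinProtocol, which weakens every TLS client on the box.
CLIENT_FIX_B = dict(BUSTER_CLIENT, library_min="1.0")


def explain(client, server):
    """Summarise the negotiation outcome for a client/server pair."""
    common = common_tls_versions(client, server)
    if not common:
        return "no common TLS version: expect 'ssl_choose_client_version:unsupported protocol'"
    return "negotiates TLS " + common[-1]


if __name__ == "__main__":
    for line in find_tls_mismatch_lines(SAMPLE_LOG):
        print("mismatch indicator:", line)
    for name, client in (("as-is", BUSTER_CLIENT), ("fix (a)", CLIENT_FIX_A), ("fix (b)", CLIENT_FIX_B)):
        print(name + ":", explain(client, OLD_SERVER))
```

Both fixes make the old server reachable in the model, but only fix (a) keeps the TLS 1.2 floor for every other OpenSSL consumer on the machine, which is the point the report makes against adjusting MinProtocol system-wide.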