In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.
We currently log only
OpenSSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge of SSL/TLS and OpenVPN's TLS version
history.
This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients. The error message will be displayed on
the server side only.
Note that connecting with an OpenSSL 1.1.1 client to a TLS 1.0 only
server works fine.
This behaviour is also not specific to OpenVPN. Using an openssl s_client
with the -tls1 option against an openssl s_server exhibits the same
behaviour.
Patch V2: fixed message grammar, use tls-version-min 1.0 and clarify
2.3.6 and older to be actually between 2.3.2 and 2.3.6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20180926120159.19874-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17491.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
@@ -199,7 +199,16 @@ crypto_print_openssl_errors(const unsigned int flags) |
199 | 199 |
"in common with the client. Your --tls-cipher setting might be " |
200 | 200 |
"too restrictive."); |
201 | 201 |
} |
202 |
- |
|
202 |
+ else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL) |
|
203 |
+ { |
|
204 |
+ msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically " |
|
205 |
+ "indicates that client and server have no common TLS version enabled. " |
|
206 |
+ "This can be caused by mismatched tls-version-min and tls-version-max " |
|
207 |
+ "options on client and server. " |
|
208 |
+ "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding " |
|
209 |
+ "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " |
|
210 |
+ "instead of TLS 1.0 only"); |
|
211 |
+ } |
|
203 | 212 |
msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); |
204 | 213 |
} |
205 | 214 |
} |
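Review bot: the version range in the new message at line 208 reads backwards, "between v2.3.6 and v2.3.2"; the commit message itself says "between 2.3.2 and 2.3.6", so the string should be "If your OpenVPN client is between v2.3.2 and v2.3.6 try adding ". Two smaller points in the same string: the option names are written as "tls-version-min", "tls-version-max" and "tls-version-min 1.0", while the existing NO_SHARED_CIPHER message in the context lines above writes "--tls-cipher" with the double-dash prefix, so for consistency these should become "--tls-version-min" / "--tls-version-max"; and the last fragment "instead of TLS 1.0 only" at line 210 lacks a terminating period, unlike the "too restrictive." ending of the preceding message. The control flow itself is sound: the new `else if` on SSL_R_UNSUPPORTED_PROTOCOL mirrors the existing reason check, and the generic `msg(flags, "OpenSSL: %s", ...)` line at 212 is still emitted afterwards, so the raw OpenSSL error stays in the log alongside the new explanation.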