[Openvpn-devel] Add message explaining early TLS client hello failure

In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
TLS 1.0 only without setting tls-version-min.

We currently log only
OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
which indicates the right technical error but is not very helpful to a
person without deep knowledge in SSL/TLS and OpenVPN's TLS version
history.

This commit adds a hopefully helpful message and also tells users how
to fix the old Debian 8 clients.
---
 src/openvpn/crypto_openssl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

On 25/09/18 14:48, Arne Schwabe wrote:
> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
> TLS 1.0 only without setting tls-version-min.
> 
> We currently log only
> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> which indicates the right technical error but is not very helpful to a
> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
> history.
> 
> This commit adds a hopefully helpful message and also tells users how
> to fix the old Debian 8 clients.
> ---
>  src/openvpn/crypto_openssl.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 9ec2048d..3360bb19 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>                  "in common with the client. Your --tls-cipher setting might be "
>                  "too restrictive.");
>          }
> -
> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
> +        {
> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
> +                 "indicates that client and server have no common TLS version enabled. "
> +                 "This can be caused mismatched tls-version-min and tls-version-max options "
> +                 "on client and server. "
> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");


Good advice in the log.  But should this be added in the local or remote
configuration?  It is the 2.3.6 reference which makes it confusing for me,
otherwise I would have interpreted this as the local side where this warning
occurs.  So this could be clearer.

I also think this should be mentioned in the man page as well.

And a little nitpick ... the version reference should be either "OpenVPN
2.3.6" or "v2.3.6", as discussed here:
<https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html>

Grammar check by tincantech (my new role)


On 25/09/18 13:48, Arne Schwabe wrote:
> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
> TLS 1.0 only without setting tls-version-min.
> 
> We currently log only
> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> which indicates the right technical error but is not very helpful to a
> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
> history.
> 
> This commit adds a hopefully helpful message and also tells users how
> to fix the old Debian 8 clients.
> ---
>   src/openvpn/crypto_openssl.c | 10 +++++++++-
>   1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 9ec2048d..3360bb19 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>                   "in common with the client. Your --tls-cipher setting might be "
>                   "too restrictive.");
>           }
> -
> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
> +        {
> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
> +                 "indicates that client and server have no common TLS version enabled. "
> +                 "This can be caused mismatched tls-version-min and tls-version-max options "

This can be caused *by*

> +                 "on client and server. "

this could be removed as it is implicit anyway.

> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"

older":space::space:"consider ... missing :space: at EOL.

> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");
> +        }
>           msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL));
>       }
>   }
>

On 25-09-18 14:48, Arne Schwabe wrote:
> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");

Don't you mean "adding tls-version-min 1.0 to the configuration to use
TLS 1.0+ instead of TLS 1.0 only." ?

Note both the -min postfix, and the use of 1.0 instead of 1.1.  I'd
expect that people that have such old clients around might even have
pre-2.3.2 clients, which only support TLS 1.0.  Those would not work
when setting tls-version-min 1.1 at the other end.

-Steffan

Am 25.09.18 um 16:31 schrieb David Sommerseth:
> On 25/09/18 14:48, Arne Schwabe wrote:
>> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
>> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
>> TLS 1.0 only without setting tls-version-min.
>>
>> We currently log only
>> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>> which indicates the right technical error but is not very helpful to a
>> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
>> history.
>>
>> This commit adds a hopefully helpful message and also tells users how
>> to fix the old Debian 8 clients.
>> ---
>>  src/openvpn/crypto_openssl.c | 10 +++++++++-
>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
>> index 9ec2048d..3360bb19 100644
>> --- a/src/openvpn/crypto_openssl.c
>> +++ b/src/openvpn/crypto_openssl.c
>> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>>                  "in common with the client. Your --tls-cipher setting might be "
>>                  "too restrictive.");
>>          }
>> -
>> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
>> +        {
>> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
>> +                 "indicates that client and server have no common TLS version enabled. "
>> +                 "This can be caused mismatched tls-version-min and tls-version-max options "
>> +                 "on client and server. "
>> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
>> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");
> 
> 
> Good advice in the log.  But should this be added in the local or remote
> configuration?  It is the 2.3.6 reference which makes it confusing for me,
> otherwise I would have interpreted this as the local side where this warning
> occurs.  So this could be clearer.

2.3.7 is the first version of OpenVPN which enables TLS 1.0+ instead TLS
1.0 only by default. See this commit by Steffan:

https://github.com/OpenVPN/openvpn/commit/8dc6ed28941cb9b9167e0b466e96b5f11359eb59

> 
> I also think this should be mentioned in the man page as well.

Hm, I am not sure what you want put into the manpage. That mismatching
tls-version breaks things? That should be obvious. Documenting the old
2.3.x behaviour of tls version in current man page does not seem to be a
good idea either.

Arne

Hi,

On 26/09/18 06:19, Arne Schwabe wrote:
> Am 25.09.18 um 16:31 schrieb David Sommerseth:
>> On 25/09/18 14:48, Arne Schwabe wrote:
>>> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
>>> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
>>> TLS 1.0 only without setting tls-version-min.
>>>
>>> We currently log only
>>> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>>> which indicates the right technical error but is not very helpful to a
>>> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
>>> history.
>>>
>>> This commit adds a hopefully helpful message and also tells users how
>>> to fix the old Debian 8 clients.
>>> ---
>>>  src/openvpn/crypto_openssl.c | 10 +++++++++-
>>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
>>> index 9ec2048d..3360bb19 100644
>>> --- a/src/openvpn/crypto_openssl.c
>>> +++ b/src/openvpn/crypto_openssl.c
>>> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>>>                  "in common with the client. Your --tls-cipher setting might be "
>>>                  "too restrictive.");
>>>          }
>>> -
>>> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
>>> +        {
>>> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
>>> +                 "indicates that client and server have no common TLS version enabled. "
>>> +                 "This can be caused mismatched tls-version-min and tls-version-max options "
>>> +                 "on client and server. "
>>> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
>>> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");
>>
>>
>> Good advice in the log.  But should this be added in the local or remote
>> configuration?  It is the 2.3.6 reference which makes it confusing for me,
>> otherwise I would have interpreted this as the local side where this warning
>> occurs.  So this could be clearer.
> 
> 2.3.7 is the first version of OpenVPN which enables TLS 1.0+ instead TLS
> 1.0 only by default. See this commit by Steffan:
> 
> https://github.com/OpenVPN/openvpn/commit/8dc6ed28941cb9b9167e0b466e96b5f11359eb59
> 

I think the problem is: we apply this patch to the latest 2.3.x release,
so it will never appear on "2.3.6 or older" clients.
Hence, does it really make sense to print that particular sentence?


Cheers,

Am 26.09.18 um 08:52 schrieb Antonio Quartulli:
> Hi,
> 
> On 26/09/18 06:19, Arne Schwabe wrote:
>> Am 25.09.18 um 16:31 schrieb David Sommerseth:
>>> On 25/09/18 14:48, Arne Schwabe wrote:
>>>> In my tests an OpenSSL 1.1.1 server does not accept TLS 1.0 only clients
>>>> anymore. Unfortunately, Debian 8 still has OpenVPN 2.3.4, which is
>>>> TLS 1.0 only without setting tls-version-min.
>>>>
>>>> We currently log only
>>>> OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>>>> which indicates the right technical error but is not very helpful to a
>>>> person without deep knowledge in SSL/TLS and OpenVPN's TLS version
>>>> history.
>>>>
>>>> This commit adds a hopefully helpful message and also tells users how
>>>> to fix the old Debian 8 clients.
>>>> ---
>>>>  src/openvpn/crypto_openssl.c | 10 +++++++++-
>>>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
>>>> index 9ec2048d..3360bb19 100644
>>>> --- a/src/openvpn/crypto_openssl.c
>>>> +++ b/src/openvpn/crypto_openssl.c
>>>> @@ -199,7 +199,15 @@ crypto_print_openssl_errors(const unsigned int flags)
>>>>                  "in common with the client. Your --tls-cipher setting might be "
>>>>                  "too restrictive.");
>>>>          }
>>>> -
>>>> +        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
>>>> +        {
>>>> +            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
>>>> +                 "indicates that client and server have no common TLS version enabled. "
>>>> +                 "This can be caused by mismatched tls-version-min and tls-version-max options "
>>>> +                 "on client and server. "
>>>> +                 "If your client is 2.3.6 or older  consider adding tls-version 1.1"
>>>> +                 "to the the configuration to use TLS 1.1+ instead of TLS 1.0 only");
>>>
>>>
>>> Good advice in the log.  But should this be added in the local or remote
>>> configuration?  It is the 2.3.6 reference which makes it confusing for me,
>>> otherwise I would have interpreted this as the local side where this warning
>>> occurs.  So this could be clearer.
>>
>> 2.3.7 is the first version of OpenVPN which enables TLS 1.0+ instead TLS
>> 1.0 only by default. See this commit by Steffan:
>>
>> https://github.com/OpenVPN/openvpn/commit/8dc6ed28941cb9b9167e0b466e96b5f11359eb59
>>
> 
> I think the problem is: we apply this patch to the latest 2.3.x release,
> so it will never appear on "2.3.6 or older" clients.
> Hence, does it really make sense to print that particular sentence?

This appears in the server log when a 2.3.6 client or older tries to
connect to a server that has OpenSSL 1.1.1.

I am not sure that OpenVPN 2.3.x has OpenSSL 1.1 support.

Arne