Your message dated Wed, 28 Dec 2022 23:01:30 +0100
with message-id <y6y8upnenynlx...@fliwatuet.svr02.mucip.net>
and subject line Re: Bug#1012075: openvpn: OpenVPN - Debian/SID release 
'2.6.0~git20220518+dco-1' breaks connection buildup
has caused the Debian Bug report #1012075,
regarding openvpn: OpenVPN - Debian/SID release '2.6.0~git20220518+dco-1' 
breaks connection buildup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openvpn
Version: 2.5.6-1
Severity: important

Dear Debian OpenVPN Maintainer,

This is a pretty serious bug as it breaks the usage of VPN.

The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
won't connect due to TLS errors during connection attempts.
Only downgrade to version '2.5.6-1' solves the issue.

I had to blur some characters like IP addresses. Destination is Sophos UTM
Appliances.

I attached a textfile which compares both outputs of each release.

Best regards,
Henrik


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  iproute2               5.17.0-2
ii  libc6                  2.33-7
ii  liblz4-1               1.9.3-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.4.0-13
ii  libpkcs11-helper1      1.28-1+b1
ii  libssl1.1              1.1.1o-1
ii  libsystemd0            251.1-1
ii  lsb-base               11.2

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl                   3.0.3-5
pn  openvpn-systemd-resolved  <none>
pn  resolvconf                <none>

-- debconf information:
  openvpn/create_tun: false

Output latest OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' in repo - 
This version doesn't connect to destination!


root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn
2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has 
been used in the past to break encryption. Sent packets are not compressed 
unless "allow-compression yes" is also set.
2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN 
ignores --cipher for cipher negotiations. 
2022-05-29 19:07:47 Cannot find ovpn_dco netlink component: Object not found
2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data 
channel offload.
2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
🔐 Enter Auth Password: ******                  
2022-05-29 19:08:08 TCP/UDP: Preserving recently used remote address: 
[AF_INET]*********:8443
2022-05-29 19:08:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:08 Attempting to establish TCP connection with 
[AF_INET]*********:8443
2022-05-29 19:08:08 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:08:08 Note: enable extended error passing on TCP/UDP socket 
failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:08 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:08 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*********.35:8443, 
sid=2a3742bf 758117bf
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates 
that client and server have no common TLS version enabled. This can be caused 
by mismatched tls-version-min and tls-version-max options on client and server. 
If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 
1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:08 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:08 TLS Error: TLS handshake failed
2022-05-29 19:08:08 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:08 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:08 Restart pause, 5 second(s)
2022-05-29 19:08:13 TCP/UDP: Preserving recently used remote address: 
[AF_INET]*********:8443
2022-05-29 19:08:13 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:08:13 Attempting to establish TCP connection with 
[AF_INET]*********:8443
2022-05-29 19:08:13 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:08:13 Note: enable extended error passing on TCP/UDP socket 
failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-29 19:08:13 TCP_CLIENT link local: (not bound)
2022-05-29 19:08:13 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:08:13 TLS: Initial packet from [AF_INET]*********:8443, 
sid=eceadd8a 6679da5c
2022-05-29 19:08:13 TLS error: Unsupported protocol. This typically indicates 
that client and server have no common TLS version enabled. This can be caused 
by mismatched tls-version-min and tls-version-max options on client and server. 
If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 
1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:13 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:13 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-29 19:08:13 TLS Error: TLS object -> incoming plaintext read error
2022-05-29 19:08:13 TLS Error: TLS handshake failed
2022-05-29 19:08:13 Fatal TLS error (check_tls_errors_co), restarting
2022-05-29 19:08:13 SIGUSR1[soft,tls-error] received, process restarting
2022-05-29 19:08:13 Restart pause, 5 second(s)




Output OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' - This version 
connects just fine to destination!


root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn 
2022-05-29 19:13:41 WARNING: Compression for receiving enabled. Compression has 
been used in the past to break encryption. Sent packets are not compressed 
unless "allow-compression yes" is also set.
2022-05-29 19:13:41 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version 
will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to 
--data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 
'AES-256-CBC' to silence this warning.
2022-05-29 19:13:41 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 20 2022
2022-05-29 19:13:41 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
Enter Auth Username: hschoepel
🔐 Enter Auth Password: ****************        
2022-05-29 19:14:09 TCP/UDP: Preserving recently used remote address: 
[AF_INET]*********:8443
2022-05-29 19:14:09 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-05-29 19:14:09 Attempting to establish TCP connection with 
[AF_INET]*********:8443 [nonblock]
2022-05-29 19:14:09 TCP connection established with [AF_INET]*********:8443
2022-05-29 19:14:09 TCP_CLIENT link local: (not bound)
2022-05-29 19:14:09 TCP_CLIENT link remote: [AF_INET]*********:8443
2022-05-29 19:14:09 TLS: Initial packet from [AF_INET]*********:8443, 
sid=35f93a56 414d6e12
2022-05-29 19:14:09 VERIFY OK: depth=1, C=DE, ST=*********, L=*********, 
O=*********, OU=OU, CN=Sophos_CA_C51028TQFXXK621, emailAddress=*********
2022-05-29 19:14:09 VERIFY X509NAME OK: C=DE, ST=*********, L=*********, 
O=*********, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, 
emailAddress=*********
2022-05-29 19:14:09 VERIFY OK: depth=0, C=DE, ST=MV, L=Schwerin, O=Datagroup 
Bremen, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, 
emailAddress=*********
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 
peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-05-29 19:14:10 [SophosApplianceCertificate_C51028TQFXXK621] Peer 
Connection Initiated with [AF_INET]*********:8443
2022-05-29 19:14:11 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 
'PUSH_REQUEST' (status=1)
2022-05-29 19:14:16 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 
'PUSH_REQUEST' (status=1)
2022-05-29 19:14:16 PUSH: Received control message: 'PUSH_REPLY,route-gateway 
......




Couldn't find any similar up-to-date bug reports via Google related to OpenVPN on 
Debian/SID. 

Greetings,
Henrik

--- End Message ---
--- Begin Message ---
Version: 2.6.0~git20221201-1

On 24/07/22 01:01 AM, Mikhail Arefiev wrote:

> However this unfortunately very deprecated setting still works just fine with 
> 2.5.1-3.  I also reported TLS 1.0 to the service provider

We have added as much information as possible regarding deprecated
options and ciphers to the debian/NEWS file as of 2.6.0~git20221201-1.

---
openvpn (2.6.0~git20221201-1) unstable; urgency=medium

    OpenVPN 2.6 has changed several defaults that might lead to connection
    problems, especially when the remote side runs an old OpenVPN version
    or cipher negotiations (NCP) are not in effect. This especially affects
    connecting to OpenVPN 2.3.x or earlier, and several limitations around
    old cryptographic algorithms and keys, mostly caused by the switch to
    OpenSSL 3.0

    These include but are not limited to

    - weak SHA1 or MD5 signature on certificates
    - 1024 bit RSA certificates, 1024 bit DH parameters, other weak keys
    - Use of a legacy or deprecated cipher (e.g. 64bit block ciphers)
    - remote OpenVPN version not supporting TLS 1.2 or later

    Please read the release notes installed as
    /usr/share/doc/openvpn/changelog.gz.

    With an optional kernel module (available as package openvpn-dco-dkms)
    the data plane encryption/decryption is performed in kernel space,
    reducing page copy overhead and increasing the throughput significantly.
    DCO (Data Channel Offload) should work with most configurations. In
    case of issues, please try running OpenVPN with --disable-dco first.

 -- Bernhard Schmidt <be...@debian.org>  Mon, 23 May 2022 11:04:30 +0200
---

It is unlikely that anything more can be done to support really really old
peers with OpenVPN 2.6 and especially OpenSSL 3.0.

Bernhard

--- End Message ---
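To make the diagnosis in this report repeatable, here is an added example (not part of the bug report, the Debian package or the OpenVPN project): a small Python triage that reads OpenVPN client log lines and checks them against the four bullets of the debian/NEWS entry above (weak signature hash, small RSA key, 64-bit block cipher, peer without TLS 1.2). The sample log lines are the decisive lines from the reporter's two runs, with the addresses left blurred as posted; the thresholds and the cipher-prefix list are this example's reading of the NEWS bullets, not OpenSSL's own security-level table.

```python
"""Triage an OpenVPN client log for the OpenVPN 2.6 / OpenSSL 3.0 default
changes listed in the debian/NEWS entry.  Added example, not project code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample logs: the decisive lines from the two runs in the bug
# report, with the reporter's blurred addresses left as they appear.
LOG_2_5_WORKING = """\
2022-05-29 19:14:09 TLS: Initial packet from [AF_INET]*********:8443, sid=35f93a56 414d6e12
2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-05-29 19:14:10 [SophosApplianceCertificate_C51028TQFXXK621] Peer Connection Initiated with [AF_INET]*********:8443
"""

LOG_2_6_FAILING = """\
2022-05-29 19:08:08 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*********:8443, sid=2a3742bf 758117bf
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS Error: TLS handshake failed
"""

# Line shapes as they appear in the OpenVPN 2.5 and 2.6 output above.
CONTROL_CHANNEL = re.compile(
    r"Control Channel: (?P<tls>TLSv[0-9.]+), cipher \S+ (?P<cipher>\S+), "
    r"peer certificate: (?P<bits>\d+) bit (?P<keytype>\S+), signature: (?P<sig>\S+)")
DEPRECATED_CIPHER = re.compile(r"DEPRECATED OPTION: --cipher set to '(?P<cipher>[^']+)'")
UNSUPPORTED_PROTOCOL = re.compile(r"error:0A000102:SSL routines::unsupported protocol")

# Assumed thresholds, taken from the NEWS bullets rather than from OpenSSL's
# security-level table: SHA1/MD5 signatures, 1024-bit RSA, 64-bit block
# ciphers (Blowfish, DES/3DES, CAST5) and peers stuck below TLS 1.2.
WEAK_SIG_HASHES = {"SHA1", "MD5"}
MIN_RSA_BITS = 2048
BLOCK64_CIPHER_PREFIXES = ("BF-", "DES-", "CAST5-")
MIN_TLS = (1, 2)


def tls_tuple(name):
    """OpenSSL version strings: 'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2)."""
    major, _, minor = name[len("TLSv"):].partition(".")
    return int(major), int(minor or 0)


@dataclass
class Triage:
    tls_version: Optional[str] = None      # control-channel version, if negotiated
    findings: list = field(default_factory=list)

    @property
    def needs_attention(self):
        return bool(self.findings)


def triage(log_text):
    """Return what in this log the 2.6/OpenSSL 3.0 defaults would reject."""
    t = Triage()
    for line in log_text.splitlines():
        if UNSUPPORTED_PROTOCOL.search(line):
            t.findings.append("handshake aborted: no TLS version in common with the peer")
        m = CONTROL_CHANNEL.search(line)
        if m:
            t.tls_version = m["tls"]
            if tls_tuple(m["tls"]) < MIN_TLS:
                t.findings.append(f"control channel negotiated {m['tls']}; peer does not offer TLS 1.2+")
            sig_hash = m["sig"].rsplit("-", 1)[-1].upper()      # 'RSA-SHA256' -> 'SHA256'
            if sig_hash in WEAK_SIG_HASHES:
                t.findings.append(f"peer certificate signed with {m['sig']}")
            if m["keytype"] == "RSA" and int(m["bits"]) < MIN_RSA_BITS:
                t.findings.append(f"peer certificate key is only {m['bits']} bit RSA")
        m = DEPRECATED_CIPHER.search(line)
        if m and m["cipher"].upper().startswith(BLOCK64_CIPHER_PREFIXES):
            t.findings.append(f"--cipher {m['cipher']} is a 64-bit block cipher")
    return t


if __name__ == "__main__":
    for label, log in (("2.5.6 run", LOG_2_5_WORKING), ("2.6 run", LOG_2_6_FAILING)):
        result = triage(log)
        print(f"{label}: control channel TLS = {result.tls_version}")
        for finding in result.findings:
            print("  -", finding)
```

Run against the two logs, the 2.6 run yields only the symptom (unsupported protocol), while the 2.5.6 run yields the cause: the appliance negotiated "TLSv1", which is TLS 1.0, so the peer falls under the last NEWS bullet. The certificate itself (2048-bit RSA, RSA-SHA256) and the AES-256-CBC data cipher pass the other three checks, which is why a certificate-side fix would not have helped here.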