Package: openvpn Version: 2.4.7-1 Severity: normal Dear Maintainer,
The version of OpenVPN in Debian buster (2.4.7) seems to be incompatible with the version of OpenSSL (1.1.1a) in Debian buster. This seems to be due to TLS 1.3 support in OpenSSL 1.1.1, which OpenVPN 2.4.7 does not support. This was also reported on the debian-user mailing list [1]. Using this combination will result in the following errors: Mon Sep 3 11:19:34 2018 us=634070 TLS_ERROR: BIO read tls_read_plaintext error Mon Sep 3 11:19:34 2018 us=634074 TLS Error: TLS object -> incoming plaintext read error Mon Sep 3 11:19:34 2018 us=634079 TLS Error: TLS handshake failed and the connection will be closed. A workaround is to add "tls-version-max 1.2" to the OpenVPN config file. I do *believe* that this a client side issue, but it could be a misconfiguration on the server side. Regardless, the error message is pretty vague, and it took me a while to figure out what was going on. [1] https://lists.debian.org/debian-user/2018/09/msg00044.html -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openvpn depends on: ii debconf [debconf-2.0] 1.5.70 ii iproute2 4.20.0-2 ii libc6 2.28-7 ii liblz4-1 1.8.3-1 ii liblzo2-2 2.10-0.1 ii libpam0g 1.3.1-5 ii libpkcs11-helper1 1.25.1-1 ii libssl1.1 1.1.1a-1 ii libsystemd0 241-1 ii lsb-base 10.2018112800 Versions of packages openvpn recommends: ii easy-rsa 3.0.6-1 Versions of packages openvpn suggests: ii openssl 1.1.1a-1 pn openvpn-systemd-resolved <none> pn resolvconf <none> -- debconf information excluded
