2.6 client cannot connect to old 2.2 and 2.1 server #348
Comments
Hi. First of all, 2.1 and 2.2 are really really ancient, and the available crypto in these old versions (TLS 1.0, BF-CBC, MD5 auth, ...) is not considered secure by modern standards. Also, there is much nice stuff in 2.6 for the server side, so you really really should update. This said, the problem here is that the OpenSSL 3.x library refuses to load one of the required algorithms - OpenSSL has become much more strict in what is considered acceptable. Please try one of the following options, or possibly both, to tell OpenSSL/OpenVPN "yes I know but I can't fix it today":
it might be possible to arm-twist OpenVPN into compatibility by setting
which will take care of all the BF-CBC related configs, but I'm not sure it will auto-load the "legacy" OpenSSL provider which might be needed (MD5, SHA1)
Thanks @cron2, I had to use all three options together to get it working:
Thanks for the hint with the I assume this could be added to https://community.openvpn.net/openvpn/wiki/CipherNegotiation or some other "compatibility" page? Btw, I wanted to see the options manually instead of using
@kosli this is not related to Cipher negotiation as that only describes data channel ciphers. Your issue is with TLS. That has a lot more to do with old OpenSSL version and TLS versions. Any other old OpenSSL and newer OpenSSL version will have the same problems. The manpage section documents the option quite well and also points out the options that it sets.
Thanks @schwabe, you are right.
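The distinction drawn in the thread (the `legacy sigalg` error comes from the TLS control channel, so `cipher` and `data-ciphers` settings cannot influence it) is easy to encode as a log-and-config triage step. The script below is an added example, not code from OpenVPN, the wiki, or any participant in this issue. The log lines and the client config fragment are constructed for the example, modelled on the single OpenSSL error line and the `data-ciphers` line the reporter quoted; the lists of legacy ciphers and digests are the ones OpenSSL 3 serves only through its "legacy" provider or rejects at its default security level.

```python
"""Tell a TLS (control channel) failure apart from a data-channel cipher
problem in an OpenVPN 2.6 client log, and list the legacy crypto the
client config still asks for.  Added example, not OpenVPN's own code.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, modelled on the one line the reporter quoted.
SAMPLE_LOG = """\
TLS: Initial packet from [AF_INET]192.0.2.10:1194
OpenSSL: error:SSL routines::legacy sigalg disallowed or unsupported
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS handshake failed
"""

# Constructed client config fragment; the data-ciphers line is the reporter's.
SAMPLE_CONFIG = """\
client
remote 192.0.2.10 1194
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
auth SHA1
"""

# Data-channel ciphers that OpenSSL 3 only provides via the "legacy" provider.
LEGACY_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
# HMAC digests that OpenSSL 3 treats as legacy at its default security level.
LEGACY_DIGESTS = {"MD5", "SHA1"}
# OpenSSL 3 error text quoted in the issue; emitted by the TLS layer, i.e. the
# control channel, never by data-channel cipher negotiation.
TLS_SIGALG_ERROR = "legacy sigalg disallowed or unsupported"


@dataclass
class Diagnosis:
    tls_legacy_sigalg: bool = False
    tls_handshake_failed: bool = False
    legacy_data_ciphers: List[str] = field(default_factory=list)
    legacy_auth_digest: Optional[str] = None

    @property
    def verdict(self) -> str:
        if self.tls_legacy_sigalg:
            return ("TLS control channel: OpenSSL 3 rejected a legacy signature "
                    "algorithm in the handshake; cipher/data-ciphers changes "
                    "cannot fix this, the data channel is negotiated only after TLS.")
        if self.tls_handshake_failed:
            return "TLS control channel: handshake failed for another reason."
        if self.legacy_data_ciphers or self.legacy_auth_digest:
            return "Data channel: legacy cipher or digest configured, no TLS failure seen."
        return "No legacy-crypto indicators found."


def scan_log(text: str, diag: Optional[Diagnosis] = None) -> Diagnosis:
    """Flag the TLS-layer indicators in a client log."""
    if diag is None:
        diag = Diagnosis()
    for line in text.splitlines():
        if TLS_SIGALG_ERROR in line:
            diag.tls_legacy_sigalg = True
        if "TLS handshake failed" in line:
            diag.tls_handshake_failed = True
    return diag


def scan_config(text: str, diag: Optional[Diagnosis] = None) -> Diagnosis:
    """Record legacy data-channel ciphers and HMAC digests from a client config."""
    if diag is None:
        diag = Diagnosis()
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, split words
        if len(tokens) < 2:
            continue
        key, value = tokens[0].lower(), tokens[1]
        if key in ("data-ciphers", "ncp-ciphers", "data-ciphers-fallback", "cipher"):
            for name in value.split(":"):
                name = name.upper()
                if name in LEGACY_DATA_CIPHERS and name not in diag.legacy_data_ciphers:
                    diag.legacy_data_ciphers.append(name)
        elif key == "auth" and value.upper() in LEGACY_DIGESTS:
            diag.legacy_auth_digest = value.upper()
    return diag


def diagnose(config_text: str, log_text: str) -> Diagnosis:
    """Combine config and log findings into one diagnosis."""
    return scan_log(log_text, scan_config(config_text))


if __name__ == "__main__":
    result = diagnose(SAMPLE_CONFIG, SAMPLE_LOG)
    print(result)
    print(result.verdict)
```

Running it on the constructed input reports BF-CBC and SHA1 as legacy settings but attributes the failure to the TLS handshake, which is the conclusion the thread reaches: the data-channel list still needs cleaning up, but it is not what broke the connection.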
Describe the bug
I have upgraded a windows client to the latest 2.6.4 OpenVPN version (and also tried with 2.6.3 and 2.6.0) and tried to connect to some legacy OpenVPN servers running version 2.2.1.
To Reproduce
The OpenVPN 2.2.1 server.conf has the following basic configuration:
The OpenVPN 2.6.4 client.conf has the following basic configuration:
Client log:
Expected behavior
I would expect the client to connect with the server, the same way as an OpenVPN 2.5.9 client can connect to the above server.
What looks weird to me is the following line in the log: `SSL routines::legacy sigalg disallowed or unsupported`. Especially the typo in sigalg. I had tried changing the cipher to AES-128-CBC on both sides but that doesn't make a difference. Even setting `cipher none` didn't help. It looks more like an OpenSSL problem somewhere, but I don't know where to look.
Until version 2.5.9 it was enough to have the line `data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC` in the configuration to connect to the old servers using BF-CBC by default.