| 2014-10-26 11:09:08 |
Haw Loeung |
bug |
|
|
added bug |
| 2014-10-26 11:09:22 |
Haw Loeung |
bug |
|
|
added subscriber The Canonical Sysadmins |
| 2014-10-26 11:10:30 |
Haw Loeung |
nominated for series |
|
Ubuntu Trusty |
|
| 2014-10-26 11:10:30 |
Haw Loeung |
bug task added |
|
openvpn (Ubuntu Trusty) |
|
| 2014-10-26 11:10:30 |
Haw Loeung |
nominated for series |
|
Ubuntu Utopic |
|
| 2014-10-26 11:10:30 |
Haw Loeung |
bug task added |
|
openvpn (Ubuntu Utopic) |
|
| 2014-10-26 11:10:42 |
Haw Loeung |
nominated for series |
|
Ubuntu Vivid |
|
| 2014-10-26 11:10:42 |
Haw Loeung |
bug task added |
|
openvpn (Ubuntu Vivid) |
|
| 2014-10-26 11:12:46 |
Haw Loeung |
description |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
E.g., when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs shows negotiating at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
|
| 2014-10-26 11:13:21 |
Haw Loeung |
bug task deleted |
openvpn (Ubuntu Vivid) |
|
|
| 2014-10-26 11:19:16 |
Haw Loeung |
description |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
E.g., when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs shows negotiating at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
For example, when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs shows negotiating at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
When TLS v1.1 and/or v1.2 ciphers are only specified, sessions fail:
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
| Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
|
| 2014-10-26 11:40:46 |
Haw Loeung |
bug |
|
|
added subscriber Canonical WebOps |
| 2014-10-27 05:25:59 |
Launchpad Janitor |
openvpn (Ubuntu): status |
New |
Confirmed |
|
| 2014-10-27 05:25:59 |
Launchpad Janitor |
openvpn (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2014-10-27 05:25:59 |
Launchpad Janitor |
openvpn (Ubuntu Utopic): status |
New |
Confirmed |
|
| 2014-10-27 14:54:16 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
| 2014-10-28 01:12:28 |
Haw Loeung |
tags |
|
trusty utopic |
|
| 2014-10-28 01:17:25 |
Haw Loeung |
attachment added |
|
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64 https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1385851/+attachment/4246696/+files/4b67f9849ab3efe89268e01afddc7795f38d0f64.patch |
|
| 2014-10-28 01:18:31 |
Haw Loeung |
tags |
trusty utopic |
patch-accepted-upstream trusty utopic |
|
| 2014-11-19 23:17:35 |
Alberto Salvia Novella |
openvpn (Ubuntu): importance |
Undecided |
Medium |
|
| 2014-11-19 23:17:39 |
Alberto Salvia Novella |
openvpn (Ubuntu Trusty): importance |
Undecided |
Medium |
|
| 2014-11-19 23:17:41 |
Alberto Salvia Novella |
openvpn (Ubuntu Utopic): importance |
Undecided |
Medium |
|
| 2014-12-27 03:19:03 |
Haw Loeung |
nominated for series |
|
Ubuntu Vivid |
|
| 2014-12-27 03:19:03 |
Haw Loeung |
bug task added |
|
openvpn (Ubuntu Vivid) |
|
| 2015-08-25 14:42:18 |
Simon Déziel |
openvpn (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2015-08-26 01:37:32 |
Haw Loeung |
description |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
For example, when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs shows negotiating at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
When TLS v1.1 and/or v1.2 ciphers are only specified, sessions fail:
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
| Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
Hi Guys,
Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_server_method() and TLSv1_client_method() with SSLv23_client_method().
https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64
For example, when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:
| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
Logs shows negotiating at TLS v1.0:
| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA
When TLS v1.1 and/or v1.2 ciphers are only specified, sessions fail:
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
| Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f
Could we please consider either packaging >= 2.3.3 or backporting this patch?
Thanks,
Haw |
|
| 2016-04-24 10:44:28 |
Rolf Leggewie |
openvpn (Ubuntu Utopic): status |
Confirmed |
Won't Fix |
|
| 2017-09-30 20:13:27 |
Andreas Hasenack |
openvpn (Ubuntu Vivid): status |
Confirmed |
Won't Fix |
|
