Ubuntu
openvpn package

OpenVPN only supports TLS v1.0

Bug #1385851 reported by Haw Loeung on 2014-10-26
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Fix Released
Medium
Unassigned
Trusty
Confirmed
Medium
Unassigned
Utopic
Won't Fix
Medium
Unassigned
Vivid
Won't Fix
Medium
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Hi Guys,

Seems the version of OpenVPN we're carrying only supports and/or is able to negotiate TLS v1.0. The patch below has landed in upstream OpenVPN 2.3.3 and replaces TLSv1_server_method() calls with SSLv23_server_method() and TLSv1_client_method() with SSLv23_client_method().

https://github.com/OpenVPN/openvpn/commit/4b67f9849ab3efe89268e01afddc7795f38d0f64

For example, when OpenVPN tls-ciphers is configured with TLS v1.2 ciphers:

| tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Logs shows negotiating at TLS v1.0:

| Oct 26 21:58:47 ragnar ovpn-canonical[19470]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA, 2048 bit RSA

When TLS v1.1 and/or v1.2 ciphers are only specified, sessions fail:

| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS object -> incoming plaintext read error
| Oct 26 21:58:29 ragnar ovpn-canonical[19259]: TLS Error: TLS handshake failed
| Oct 26 21:58:31 ragnar ovpn-canonical[19470]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=eca7ea6c 067ea30f

Could we please consider either packaging >= 2.3.3 or backporting this patch?

Thanks,

Haw

See original description
Haw Loeung (hloeung) on 2014-10-26
description: updated
no longer affects: openvpn (Ubuntu Vivid)
Haw Loeung (hloeung) on 2014-10-26
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu Trusty):
status: New → Confirmed
Changed in openvpn (Ubuntu Utopic):
status: New → Confirmed
Changed in openvpn (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

The version that supports negociating TLS 1.1+ (2.3.4) landed in Debian Sid few days ago so it should be picked up by Ubuntu Vivid eventually.

Haw Loeung (hloeung) wrote :
tags: added: trusty utopic
Haw Loeung (hloeung) on 2014-10-28
tags: added: patch-accepted-upstream
Alberto Salvia Novella (es20490446e) on 2014-11-19
Changed in openvpn (Ubuntu):
importance: Undecided → Medium
Changed in openvpn (Ubuntu Trusty):
importance: Undecided → Medium
Changed in openvpn (Ubuntu Utopic):
importance: Undecided → Medium
Simon Déziel (sdeziel) wrote :

OpenVPN 2.3.7 made it into Wily

Changed in openvpn (Ubuntu):
status: Confirmed → Fix Released
Haw Loeung (hloeung) wrote :

Any chance we could backport support for TLS v1.1+ to Trusty LTS?

description: updated
Rolf Leggewie (r0lf) wrote :

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".

Changed in openvpn (Ubuntu Utopic):
status: Confirmed → Won't Fix
Andreas Hasenack (ahasenack) wrote :

Vivid is end-of-life too.

Changed in openvpn (Ubuntu Vivid):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers