From: Timothe L. <li...@ac...> - 2014-04-22 10:39:40
On 22-Apr-14 05:26, ope...@li... wrote:
> Message: 7
> Date: Tue, 22 Apr 2014 09:54:48 +0100
> From: George Ross <gd...@in...>
> Subject: [Openvpn-users] "TLS_ERROR: BIO read tls_read_plaintext error ..."
> To: ope...@li...
> Message-ID: <201...@ed...>
> Content-Type: text/plain; charset="us-ascii"
>
> Wondering if anyone has any suggestions here. Trying 2.3.3 on client and
> server, my tunnel fails to come up. Here's what's logged on the client end:
>
> 2014-04-22T07:14:14.304625+01:00 eden openvpn.TLS[8239]: Control Channel Authentication: using '/etc/openvpn/tls.auth' as a free-form passphrase file
> 2014-04-22T07:14:14.305757+01:00 eden openvpn.TLS[8239]: UDPv4 link local (bound): [undef]
> 2014-04-22T07:14:14.305788+01:00 eden openvpn.TLS[8239]: UDPv4 link remote: [AF_INET]XX.XX.XX.XX:YYY
> 2014-04-22T07:14:15.199389+01:00 eden openvpn.TLS[8239]: TLS_ERROR: BIO read tls_read_plaintext error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib
> 2014-04-22T07:14:15.199439+01:00 eden openvpn.TLS[8239]: TLS Error: TLS object -> incoming plaintext read error
> 2014-04-22T07:14:15.199452+01:00 eden openvpn.TLS[8239]: TLS Error: TLS handshake failed
> 2014-04-22T07:14:15.200225+01:00 eden openvpn.TLS[8239]: SIGUSR1[soft,tls-error] received, process restarting
>
> (repeated until I kill the daemon). The server end just logs "TLS Error:
> TLS handshake failed".
>
> The same 2.3.3 client connects fine to a 2.3.2 server running basically the
> same configuration. I haven't had a chance to test a 2.3.2 client against
> that 2.3.3 server yet.
>
> Linux kernel 2.6.32-431.5.1.el6.x86_64 at both ends, in case it matters.
>
> Suggestions welcome!
> --
> George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
> School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
> Mail: gd...@in...   Voice: 0131 650 5147   Fax: 0131 650 6899
> PGP: 1024D/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.

This looks superficially like the problem that I reported in
https://community.openvpn.net/openvpn/ticket/385#comment:5

If you are able to rebuild from source, comment 5 has a 4-line patch that works for me. It's not hard - the usual fetch source, expand, (patch), ./configure, make, make install. You need openssl-devel, lzo-devel & pam-devel. Instructions here:
http://openvpn.net/index.php/open-source/documentation/howto.html

It would be interesting to know:
- Does it work for you?
- Are you running a pre-built (RPM, etc.) version of the server - if so, which one?
- What Linux distribution are you running?
- What version of OpenSSL are you running? (The distributions have addressed the Heartbleed issue differently - some have applied a local patch, others a full upgrade to the latest OpenSSL.) Or are you using PolarSSL?

Root cause is not understood - my patch is more along the lines of a work-around than a fix. At the moment, the development team is blaming my issue on ARM - if you have the same issue, it would be the first report on x86-64.

I'm not part of the development team.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
This communication may not represent my employer's views, if any, on the matters discussed.
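As an added example (not code from either message in this thread): a Python helper that decodes the packed OpenSSL error codes in the quoted client log and, because the reason string names the size check inside RSA_sign, computes the smallest RSA modulus that PKCS#1 v1.5 signing accepts for a given digest. It assumes the DigestInfo prefix lengths from RFC 8017 and OpenSSL's 11-byte minimum padding; the sample log line is constructed from the one George quoted, and the thread itself does not establish that key size is the cause here.

```python
import hashlib
import re

# Constructed sample: the TLS_ERROR line from the client log quoted above.
SAMPLE_LOG = (
    "2014-04-22T07:14:15.199389+01:00 eden openvpn.TLS[8239]: TLS_ERROR: BIO read "
    "tls_read_plaintext error: error:04075070:rsa routines:RSA_sign:digest too big "
    "for rsa key: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib"
)

# OpenSSL error strings look like error:<8 hex digits>:<library>:<function>:<reason>.
_ERR_RE = re.compile(r"error:([0-9a-fA-F]{8}):([^:]+):([^:]+):([^:]+)")


def parse_openssl_errors(line):
    """Return each OpenSSL error in a log line with the packed code split into its
    library / function / reason fields (ERR_PACK layout: 8 + 12 + 12 bits)."""
    out = []
    for code_hex, lib, func, reason in _ERR_RE.findall(line):
        code = int(code_hex, 16)
        out.append({
            "code": code,
            "lib": code >> 24,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF,
            "lib_name": lib.strip(),
            "func_name": func.strip(),
            "reason_name": reason.strip(),
        })
    return out


# Byte length of the DER DigestInfo prefix RSA_sign prepends to the raw hash
# (PKCS#1 v1.5 encoding, RFC 8017 section 9.2 note 1).
_DIGESTINFO_PREFIX = {"md5": 18, "sha1": 15, "sha224": 19,
                      "sha256": 19, "sha384": 19, "sha512": 19}
_PKCS1_PADDING_SIZE = 11  # RSA_PKCS1_PADDING_SIZE: 00 01 <8+ bytes FF> 00


def min_rsa_bits_for_digest(digest):
    """Smallest RSA modulus (bits) for which RSA_sign can pad this digest;
    anything smaller trips 'digest too big for rsa key'."""
    encoded = _DIGESTINFO_PREFIX[digest] + hashlib.new(digest).digest_size
    return (encoded + _PKCS1_PADDING_SIZE) * 8


def rsa_sign_fits(key_bits, digest):
    """True if a key of key_bits passes RSA_sign's size check for this digest."""
    return key_bits >= min_rsa_bits_for_digest(digest)
```

A client key that passes this check for SHA-512 is not hitting the size limit the reason string describes, which points back to the OpenSSL version and build questions asked above.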