OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol
I'm trying to connect to our institute VPN via openvpn. When openvpn runs, I get the following error from openssl
Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)
This error does not come up when using OpenSSL 1.1.0h.
What has changed in between these versions that this error comes up?
My system is Debian Sid. Since I regularly use VPN, it is extremely irritating when I have to manually downgrade OpenSSL to 1.1.0h after every upgrade, and that too, just so I can use openVPN to connect.
Answer
You don't have to downgrade OpenSSL.
With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Debian now require as minimum the TLS 1.2 version instead TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.
I recommend upgrade openvpn on server to newer version which support TLS 1.2..
Second options (not much secure) is modify MinProcotol to TLSv1 or TLSv1.1.