Question
I'm trying to connect to our institute VPN via openvpn. When openvpn runs, I get the following error from openssl
Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)
This error does not come up when using OpenSSL 1.1.0h.
What has changed in between these versions that this error comes up?
My system is Debian Sid. Since I regularly use VPN, it is extremely irritating when I have to manually downgrade OpenSSL to 1.1.0h after every upgrade, and that too, just so I can use openVPN to connect.
Answer 1:
You don't have to downgrade OpenSSL.
With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Debian now requires TLS 1.2 as the minimum version instead of TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.
I recommend upgrading openvpn on the server to a newer version which supports TLS 1.2.
The second option (less secure) is to modify MinProtocol to TLSv1 or TLSv1.1.
Answer 2:
You don't have to downgrade OpenSSL or change the system default.
Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn client to configure libssl with a different minimum protocol version. The option is --tls-version-min, or tls-version-min in a config file.
It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.
Answer 3:
You can even directly override the system default e.g. by using:
tls-cipher "DEFAULT:@SECLEVEL=1"
to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).
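The two settings discussed in answers 1 and 2 interact, and it is easy to lose track of which floor the client actually enforces. The script below is an added example (not code from the thread or from the OpenVPN or Debian projects): it reads MinProtocol from a sample openssl.cnf tail and tls-version-min from a sample client config, applies the precedence answer 2 describes (an explicit tls-version-min wins over the system default), and tells you whether a server capped at a given TLS version can still complete the handshake. All three files are constructed samples written to a temporary directory; the hostname vpn.example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example: compute the TLS floor an OpenVPN client will enforce on a
# Debian system with OpenSSL 1.1.1 defaults, and check it against a server.
set -eu

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OPENSSL_CNF="$SAMPLE_DIR/openssl.cnf"                 # stands in for /etc/ssl/openssl.cnf
CLIENT_CFG_PLAIN="$SAMPLE_DIR/client.ovpn"            # no tls-version-min: system floor applies
CLIENT_CFG_OVERRIDE="$SAMPLE_DIR/client-old-server.ovpn"

# Constructed sample: the tail of Debian's openssl.cnf with OpenSSL 1.1.1 defaults.
cat >"$OPENSSL_CNF" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF

# Constructed sample client config with no TLS floor of its own.
cat >"$CLIENT_CFG_PLAIN" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
EOF

# Constructed sample: same client, temporarily accepting an old server's TLS 1.0.
cat >"$CLIENT_CFG_OVERRIDE" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
tls-version-min 1.0
EOF

# Map a TLS version as written in openssl.cnf (TLSv1, TLSv1.1, ...) or in an
# OpenVPN config (1.0, 1.1, ...) to a comparable integer.
tls_rank() {
  case "$1" in
    TLSv1|TLSv1.0|1.0) echo 10 ;;
    TLSv1.1|1.1)       echo 11 ;;
    TLSv1.2|1.2)       echo 12 ;;
    TLSv1.3|1.3)       echo 13 ;;
    *) echo "unknown TLS version: $1" >&2; return 1 ;;
  esac
}

# MinProtocol from the [system_default_sect] section of an openssl.cnf-style
# file; prints nothing if the section or the key is absent.
openssl_min_protocol() {
  awk -F'[ =]+' '
    /^\[/ { insect = ($0 ~ /^\[system_default_sect\]/) }
    insect && $1 == "MinProtocol" { print $2; exit }
  ' "$1"
}

# First argument of tls-version-min in an OpenVPN config; empty if not set.
openvpn_tls_version_min() {
  awk '$1 == "tls-version-min" { print $2; exit }' "$1"
}

# The floor the client enforces: per answer 2, an explicit tls-version-min is
# handed to libssl and takes precedence over the openssl.cnf default.
effective_min() {  # $1 = openssl.cnf path, $2 = client config path
  vpn=$(openvpn_tls_version_min "$2")
  if [ -n "$vpn" ]; then echo "$vpn"; else openssl_min_protocol "$1"; fi
}

# Succeeds when a server whose best version is $2 meets a client floor of $1.
handshake_possible() {
  [ "$(tls_rank "$2")" -ge "$(tls_rank "$1")" ]
}

report() {
  echo "system MinProtocol:            $(openssl_min_protocol "$OPENSSL_CNF")"
  echo "client without directive:      floor $(effective_min "$OPENSSL_CNF" "$CLIENT_CFG_PLAIN")"
  echo "client with tls-version-min:   floor $(effective_min "$OPENSSL_CNF" "$CLIENT_CFG_OVERRIDE")"
  if handshake_possible "$(effective_min "$OPENSSL_CNF" "$CLIENT_CFG_PLAIN")" TLSv1.0; then
    echo "TLS 1.0-only server: handshake possible with default client"
  else
    echo "TLS 1.0-only server: handshake fails with default client (the error in the question)"
  fi
}
report
```

Run it as-is to see the report; point OPENSSL_CNF and the client config variables at real files to audit a live system. Treating tls-version-min 1.0 as a temporary measure, as answer 2 says, keeps the weaker floor scoped to one client config rather than lowering it system-wide.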
Source: https://stackoverflow.com/questions/53058362/openssl-v1-1-1-ssl-choose-client-version-unsupported-protocol