Logic Machine Forum
VPN - Ignoring TLS 1.3 only tls-ciphersuites 'TLS_AES_256_GCM_SHA384' setting. - Printable Version

VPN - Ignoring TLS 1.3 only tls-ciphersuites 'TLS_AES_256_GCM_SHA384' setting. - misterb - 07.10.2024

Hi everybody.

I am using an LM5p and our VPN-client configuration has been changed. Now the client doesn't connect anymore.
The new configuration works fine with other routers like Lucom LR77 or Teltonika RUT240.
To me it looks like my LM (or the library) isn't able to handle the new TLS configuration.
Does anybody have a hint for me?

Log:
Mon Oct  7 08:23:40 2024 OpenVPN 2.4.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
Mon Oct  7 08:23:40 2024 library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Oct  7 08:23:40 2024 Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. Ignoring TLS 1.3 only tls-ciphersuites 'TLS_AES_256_GCM_SHA384' setting.
Mon Oct  7 08:23:40 2024 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Oct  7 08:23:40 2024 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Oct  7 08:23:40 2024 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Oct  7 08:23:40 2024 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Oct  7 08:23:40 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:23:40 2024 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct  7 08:23:40 2024 UDP link local: (not bound)
Mon Oct  7 08:23:40 2024 UDP link remote: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:23:40 2024 TLS: Initial packet from [AF_INET]172.65.195.23:62457, sid=672c5d23 df7408bd
Mon Oct  7 08:24:40 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct  7 08:24:40 2024 TLS Error: TLS handshake failed
Mon Oct  7 08:24:40 2024 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct  7 08:24:40 2024 Restart pause, 10 second(s)
Mon Oct  7 08:24:50 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:24:50 2024 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct  7 08:24:50 2024 UDP link local: (not bound)
Mon Oct  7 08:24:50 2024 UDP link remote: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:24:50 2024 TLS: Initial packet from [AF_INET]172.65.195.23:62457, sid=18d0a5e2 abb60f7b
Mon Oct  7 08:25:50 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct  7 08:25:50 2024 TLS Error: TLS handshake failed
Mon Oct  7 08:25:50 2024 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct  7 08:25:50 2024 Restart pause, 10 second(s)
Mon Oct  7 08:26:00 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:26:00 2024 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct  7 08:26:00 2024 UDP link local: (not bound)
Mon Oct  7 08:26:00 2024 UDP link remote: [AF_INET]172.65.195.23:62457
Mon Oct  7 08:26:00 2024 TLS: Initial packet from [AF_INET]172.65.195.23:62457, sid=7aedbaae 6badc349

VPN-config:
client
dev tun
proto udp
remote vpn-2024.xxxxx.com 62445
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
cipher AES-256-GCM
auth SHA512
tls-ciphersuites TLS_AES_256_GCM_SHA384
auth-retry nointeract

<ca>
-----BEGIN CERTIFICATE-----
XXXXX
-----END CERTIFICATE-----
</ca>

<cert>
XXXXX
</cert>

<key>
XXXXX
</key>

<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>


RE: VPN - Ignoring TLS 1.3 only tls-ciphersuites 'TLS_AES_256_GCM_SHA384' setting. - admin - 07.10.2024

Install the latest firmware and try again.
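
An added example, not part of the original thread: a small Python triage of the client log posted above, which pulls out the OpenSSL version, any tls-ciphersuites value the client reported ignoring, and the handshake failures. The function name `triage` and the verdict strings are assumptions made for this illustration; the log lines are an excerpt of the ones in the post.

```python
import re

# Excerpt of the client log posted in this thread (retry cycles omitted).
SAMPLE_LOG = """\
Mon Oct  7 08:23:40 2024 OpenVPN 2.4.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
Mon Oct  7 08:23:40 2024 library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Oct  7 08:23:40 2024 Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. Ignoring TLS 1.3 only tls-ciphersuites 'TLS_AES_256_GCM_SHA384' setting.
Mon Oct  7 08:24:40 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct  7 08:24:40 2024 TLS Error: TLS handshake failed
"""

OPENSSL_RE = re.compile(r"library versions: OpenSSL (\d+)\.(\d+)\.(\d+)")
IGNORED_RE = re.compile(r"Ignoring TLS 1\.3 only tls-ciphersuites '([^']+)' setting")
FAILED_RE = re.compile(r"TLS Error: TLS handshake failed")


def triage(log_text):
    """Summarise whether the client build honoured the tls-ciphersuites setting."""
    report = {"openssl": None, "tls13_capable": None,
              "ignored_suites": [], "handshake_failures": 0}
    for line in log_text.splitlines():
        m = OPENSSL_RE.search(line)
        if m:
            report["openssl"] = tuple(int(p) for p in m.groups())
            # OpenSSL gained TLS 1.3 in 1.1.1; the log warning says the same.
            report["tls13_capable"] = report["openssl"] >= (1, 1, 1)
        m = IGNORED_RE.search(line)
        if m:
            # The directive takes a colon-separated list of suite names.
            report["ignored_suites"] += m.group(1).split(":")
        if FAILED_RE.search(line):
            report["handshake_failures"] += 1
    if report["ignored_suites"]:
        # The client said outright that it dropped the TLS 1.3 suite list.
        report["verdict"] = "client-build-lacks-tls13"
    elif report["handshake_failures"]:
        report["verdict"] = "handshake-failing-other-cause"
    else:
        report["verdict"] = "no-problem-logged"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The verdict only reflects what the client logged about its own build; it does not establish what the server side accepts.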