OpenVPN 2.4.3 OpenSSL: error:0607A082
Philipp Helo Rehs
2017-06-29 07:55:39 UTC
Hello,

I am running Redhat 7 and use OpenVPN 2.4.3 from EPEL, but I have got a
big problem since the update from 2.3.x.

Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection established with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_VER=2.4.3
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_PLAT=linux
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_PROTO=2
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_NCP=2
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_LZ4=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_LZ4v2=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_LZO=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_COMP_STUB=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_COMP_STUBv2=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info: IV_TCPNL=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 TLS: Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username] Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/username:1: reset-routes (2.4.3)
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 MULTI_sva: pool returned IPv4=10.8.25.3, IPv6=(Not enabled)
Jun 28 18:32:39 vpn openvpn[23218]: RTNETLINK answers: No such process
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 EVP set key size
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Exiting due to fatal error
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Closing TUN/TAP interface

The configuration looks like this:

# Server Config
local y.y.y.y
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
mode server
tls-server
persist-key
persist-tun
#client-to-client # Do we want this?
keepalive 10 120
management 127.0.0.1 5564

#Security
ca vpn_ca.crt
cert vpn.crt
key vpn.key
keysize 128
dh dh1024.pem
auth SHA256
cipher AES-128-CBC
script-security 3 # Unfortunately required so that a custom verification script can be used

#Performance (certainly still to be improved)
#tun-mtu 1500
#fragment 1415
#mssfix 1410

#Authentication
auth-user-pass-verify /etc/openvpn/scripts/verify_user.py via-env
username-as-common-name
client-config-dir /etc/openvpn/ccd
#duplicate-cn
client-cert-not-required
learn-address /etc/openvpn/scripts/ldapAuth.py
ifconfig-pool-persist /etc/openvpn/ipp-zuvsupport.txt

#Logging
status /etc/openvpn/status/zuvsupport.log 10
verb 2
syslog openvpn-zuvsupport
daemon
mute-replay-warnings


Do you have any idea to fix this?

Kind Regards

Philipp Rehs

University Düsseldorf
David Sommerseth
2017-06-29 11:30:01 UTC
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use OpenVPN 2.4.3 from EPEL, but I have got a
big problem since the update from 2.3.x.
I hope you mean RHEL 7 (Red Hat Enterprise Linux 7) and not Red Hat
Linux 7 (released in September 2000).
Post by Philipp Helo Rehs
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection established with [AF_INET]x.x.x.x:39682
IV_VER=2.4.3
IV_PLAT=linux
IV_PROTO=2
IV_NCP=2
IV_LZ4=1
IV_LZ4v2=1
IV_LZO=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_TCPNL=1
Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username] Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/username:1: reset-routes (2.4.3)
You have something odd here. --reset-routes is not a known option. You
might mean --push-reset, --push-remove. Alternatively, the client side
can use --pull-filter.

OpenVPN v2.4 will choke and die on invalid options. Basically because
it doesn't understand what you wanted to do.


--
kind regards,

David Sommerseth
Philipp Helo Rehs
2017-06-29 12:35:52 UTC
Hello,

Yes, I am running RHEL 7.

I have fixed the issues about unknown options, but the connection still
fails with an OpenSSL error:

OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length

Do you have any further idea?
I have downgraded to 2.3.14 and it works again.

Kind regards
Philipp Rehs
Post by David Sommerseth
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use OpenVPN 2.4.3 from EPEL, but I have got a
big problem since the update from 2.3.x.
I hope you mean RHEL 7 (Red Hat Enterprise Linux 7) and not Red Hat
Linux 7 (released in September 2000).
Post by Philipp Helo Rehs
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection established with [AF_INET]x.x.x.x:39682
IV_VER=2.4.3
IV_PLAT=linux
IV_PROTO=2
IV_NCP=2
IV_LZ4=1
IV_LZ4v2=1
IV_LZO=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_TCPNL=1
Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username] Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/username:1: reset-routes (2.4.3)
You have something odd here. --reset-routes is not a known option. You
might mean --push-reset, --push-remove. Alternatively, the client side
can use --pull-filter.
OpenVPN v2.4 will choke and die on invalid options. Basically because
it doesn't understand what you wanted to do.
--
kind regards,
David Sommerseth
debbie10t
2017-06-29 13:06:50 UTC
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use OpenVPN 2.4.3 from EPEL, but I have got a
big problem since the update from 2.3.x.
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection established with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/username:1: reset-routes (2.4.3)
In fact, invalid options in CCD can be safely ignored; they do not affect
client connection.
Post by Philipp Helo Rehs
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 MULTI_sva: pool returned IPv4=10.8.25.3, IPv6=(Not enabled)
Jun 28 18:32:39 vpn openvpn[23218]: RTNETLINK answers: No such process
That is odd .. I don't know what causes that.
Post by Philipp Helo Rehs
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 EVP set key size
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Exiting due to fatal error
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Closing TUN/TAP interface
This is caused by --keysize 128 in your server config.

AES-256-* cannot use --keysize 128 (or at all, because they are 256-bit only).

--keysize is likely to be deprecated quite soon.
See --show-ciphers for a list of ciphers that can/cannot use --keysize.
Post by Philipp Helo Rehs
# Server Config
local y.y.y.y
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
mode server
tls-server
persist-key
persist-tun
#client-to-client # Do we want this?
keepalive 10 120
management 127.0.0.1 5564
#Security
ca vpn_ca.crt
cert vpn.crt
key vpn.key
keysize 128
*** ^ This one ..
Post by Philipp Helo Rehs
dh dh1024.pem
auth SHA256
cipher AES-128-CBC
script-security 3 # Unfortunately required so that a custom verification script can be used
#Performance (certainly still to be improved)
#tun-mtu 1500
#fragment 1415
#mssfix 1410
#Authentication
auth-user-pass-verify /etc/openvpn/scripts/verify_user.py via-env
username-as-common-name
client-config-dir /etc/openvpn/ccd
#duplicate-cn
client-cert-not-required
learn-address /etc/openvpn/scripts/ldapAuth.py
ifconfig-pool-persist /etc/openvpn/ipp-zuvsupport.txt
#Logging
status /etc/openvpn/status/zuvsupport.log 10
verb 2
syslog openvpn-zuvsupport
daemon
mute-replay-warnings
Do you have any idea to fix this?
Kind Regards
Philipp Rehs
University Düsseldorf
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
debbie10t
2017-06-29 13:09:49 UTC
Post by Philipp Helo Rehs
Do you have any idea to fix this?
You probably want to use --ncp-disable for your particular setup
because *you* do not want to negotiate your ciphers.
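As an added example (not code from the thread or from the OpenVPN project), a small Python lint that reproduces the diagnosis above from a server config: it checks --keysize against every cipher that can end up on the data channel, which with OpenVPN 2.4's default cipher negotiation (NCP list AES-256-GCM:AES-128-GCM) includes AES-256-GCM unless --ncp-disable is present. The fixed key lengths and the default NCP list are OpenVPN 2.4's documented behaviour; the function names and the trimmed sample config are my own.

```python
"""Lint an OpenVPN 2.4 server config for the --keysize / NCP clash from this thread.

OpenVPN 2.4 negotiates the data-channel cipher with 2.4 clients (NCP), offering
AES-256-GCM:AES-128-GCM by default unless --ncp-disable is set.  --keysize can only
change ciphers with a variable key length; for a fixed-length cipher OpenSSL's
EVP_CIPHER_CTX_set_key_length fails with "invalid key length" when the values differ.
"""

DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"  # OpenVPN 2.4 default --ncp-ciphers
# Fixed key length in bits; --keysize must equal it or OpenSSL rejects the key.
FIXED_KEY_BITS = {"AES-128-CBC": 128, "AES-192-CBC": 192, "AES-256-CBC": 256,
                  "AES-128-GCM": 128, "AES-192-GCM": 192, "AES-256-GCM": 256}

# Constructed sample: the relevant lines of the server config posted in the thread.
THREAD_CONFIG = """\
# Security
keysize 128
auth SHA256
cipher AES-128-CBC
"""


def parse_config(text):
    """Return {option: [args]} for an OpenVPN config, ignoring blanks and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def lint_keysize(opts):
    """Return findings for --keysize values that cannot work with a reachable cipher."""
    if "keysize" not in opts:
        return []
    keysize = int(opts["keysize"][0])
    # Ciphers that may be used on the data channel: the static --cipher (OpenVPN's
    # default is BF-CBC) plus, when NCP is active, everything in --ncp-ciphers.
    candidates = [opts.get("cipher", ["BF-CBC"])[0]]
    if "ncp-disable" not in opts:
        candidates += opts.get("ncp-ciphers", [DEFAULT_NCP_CIPHERS])[0].split(":")
    findings = []
    for cipher in candidates:
        bits = FIXED_KEY_BITS.get(cipher.upper())
        if bits is not None and bits != keysize:
            findings.append(f"keysize {keysize} is invalid for {cipher} "
                            f"(fixed {bits}-bit key): drop --keysize or add --ncp-disable")
    return findings


if __name__ == "__main__":
    for finding in lint_keysize(parse_config(THREAD_CONFIG)):
        print(finding)
```

Running it against the posted config reports only AES-256-GCM, matching the log: AES-128-CBC and AES-128-GCM already use 128-bit keys, so --keysize 128 is harmless for them.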
Philipp Helo Rehs
2017-06-29 13:27:34 UTC
Thank you,
this fixed the problem!
Post by debbie10t
Post by Philipp Helo Rehs
Do you have any idea to fix this?
You probably want to use --ncp-disable for your particular setup
because *you* do not want to negotiate your ciphers.