Discussion:
[Openvpn-users] OpenVPN 2.4.3 OpenSSL: error:0607A082
Philipp Helo Rehs
2017-06-29 07:55:39 UTC
Hello,

I am running Redhat 7 and use openvpn 2.4.3 from epel but I have got a
big problem since the update from 2.3.x

Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection
established with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_VER=2.4.3
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_PLAT=linux
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_PROTO=2
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_NCP=2
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_LZ4=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_LZ4v2=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_LZO=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_COMP_STUB=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_COMP_STUBv2=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 peer info:
IV_TCPNL=1
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 TLS:
Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control
Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username]
Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Options error: Unrecognized option or missing or extra parameter(s) in
/etc/openvpn/ccd/username:1: reset-routes (2.4.3)
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
MULTI_sva: pool returned IPv4=10.8.25.3, IPv6=(Not enabled)
Jun 28 18:32:39 vpn openvpn[23218]: RTNETLINK answers: No such process
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
OpenSSL: error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
EVP set key size
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Exiting due to fatal error
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Closing TUN/TAP interface

The Configuration looks like this:

# Server Config
local y.y.y.y
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
mode server
tls-server
persist-key
persist-tun
#client-to-client # Do we want this?
keepalive 10 120
management 127.0.0.1 5564



#Security
ca vpn_ca.crt
cert vpn.crt
key vpn.key
keysize 128
dh dh1024.pem
auth SHA256
cipher AES-128-CBC
script-security 3 # Unfortunately required so that a custom
verification script can be used

#Performance (certainly still to be improved)
#tun-mtu 1500
#fragment 1415
#mssfix 1410

#Authentication
auth-user-pass-verify /etc/openvpn/scripts/verify_user.py via-env
username-as-common-name
client-config-dir /etc/openvpn/ccd
#duplicate-cn
client-cert-not-required
learn-address /etc/openvpn/scripts/ldapAuth.py
ifconfig-pool-persist /etc/openvpn/ipp-zuvsupport.txt

#Logging
status /etc/openvpn/status/zuvsupport.log 10
verb 2
syslog openvpn-zuvsupport
daemon
mute-replay-warnings


Do you have any idea to fix this?

Kind Regards

Philipp Rehs

University Düsseldorf
David Sommerseth
2017-06-29 11:30:01 UTC
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use openvpn 2.4.3 from epel but I have got a
big problem since the update from 2.3.x
I hope you mean RHEL 7 (Red Hat Enterprise Linux 7) and not Red Hat
Linux 7 (released in September 2000).
Post by Philipp Helo Rehs
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection
established with [AF_INET]x.x.x.x:39682
IV_VER=2.4.3
IV_PLAT=linux
IV_PROTO=2
IV_NCP=2
IV_LZ4=1
IV_LZ4v2=1
IV_LZO=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_TCPNL=1
Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control
Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username]
Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Options error: Unrecognized option or missing or extra parameter(s) in
/etc/openvpn/ccd/username:1: reset-routes (2.4.3)
You have something odd here. --reset-routes is not a known option. You
might mean --push-reset, --push-remove. Alternatively, the client side
can use --pull-filter.

OpenVPN v2.4 will choke and die on invalid options. Basically because
it doesn't understand what you wanted to do.


--
kind regards,

David Sommerseth
Philipp Helo Rehs
2017-06-29 12:35:52 UTC
Hello,

Yes, I am running RHEL 7.

I have fixed the issues about unknown options but still the connection
fails with an openssl error:

OpenSSL: error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length

Do you have any further idea?
I have downgraded to 2.3.14 and it works again.

Kind regards
Philipp Rehs
Post by David Sommerseth
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use openvpn 2.4.3 from epel but I have got a
big problem since the update from 2.3.x
I hope you mean RHEL 7 (Red Hat Enterprise Linux 7) and not Red Hat
Linux 7 (released in September 2000).
Post by Philipp Helo Rehs
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection
established with [AF_INET]x.x.x.x:39682
IV_VER=2.4.3
IV_PLAT=linux
IV_PROTO=2
IV_NCP=2
IV_LZ4=1
IV_LZ4v2=1
IV_LZO=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_TCPNL=1
Username/Password authentication succeeded for username 'username' [CN SET]
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 Control
Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: x.x.x.x:39682 [username]
Peer Connection Initiated with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Options error: Unrecognized option or missing or extra parameter(s) in
/etc/openvpn/ccd/username:1: reset-routes (2.4.3)
You have something odd here. --reset-routes is not a known option. You
might mean --push-reset, --push-remove. Alternatively, the client side
can use --pull-filter.
OpenVPN v2.4 will choke and die on invalid options. Basically because
it doesn't understand what you wanted to do.
--
kind regards,
David Sommerseth
debbie10t
2017-06-29 13:06:50 UTC
Post by Philipp Helo Rehs
Hello,
I am running Redhat 7 and use openvpn 2.4.3 from epel but I have got a
big problem since the update from 2.3.x
Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection
established with [AF_INET]x.x.x.x:39682
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Options error: Unrecognized option or missing or extra parameter(s) in
/etc/openvpn/ccd/username:1: reset-routes (2.4.3)
In fact, invalid options in CCD can be safely ignored, they do not affect
client connection.
Post by Philipp Helo Rehs
Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
MULTI_sva: pool returned IPv4=10.8.25.3, IPv6=(Not enabled)
Jun 28 18:32:39 vpn openvpn[23218]: RTNETLINK answers: No such process
That is odd .. I don't know what causes that.
Post by Philipp Helo Rehs
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
OpenSSL: error:0607A082:digital envelope
routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
EVP set key size
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Exiting due to fatal error
Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682
Closing TUN/TAP interface
This is caused by --keysize 128 in your server config.

AES-256-* cannot use --keysize 128 (or at all because they are 256 only)

--keysize is likely to be deprecated quite soon.
See --show-ciphers for a list of ciphers that can/not use --keysize
Post by Philipp Helo Rehs
# Server Config
local y.y.y.y
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
mode server
tls-server
persist-key
persist-tun
#client-to-client # Do we want this?
keepalive 10 120
management 127.0.0.1 5564
#Security
ca vpn_ca.crt
cert vpn.crt
key vpn.key
keysize 128
*** ^ This one ..
Post by Philipp Helo Rehs
dh dh1024.pem
auth SHA256
cipher AES-128-CBC
script-security 3 # Unfortunately required so that a custom
verification script can be used
#Performance (certainly still to be improved)
#tun-mtu 1500
#fragment 1415
#mssfix 1410
#Authentication
auth-user-pass-verify /etc/openvpn/scripts/verify_user.py via-env
username-as-common-name
client-config-dir /etc/openvpn/ccd
#duplicate-cn
client-cert-not-required
learn-address /etc/openvpn/scripts/ldapAuth.py
ifconfig-pool-persist /etc/openvpn/ipp-zuvsupport.txt
#Logging
status /etc/openvpn/status/zuvsupport.log 10
verb 2
syslog openvpn-zuvsupport
daemon
mute-replay-warnings
Do you have any idea to fix this?
Kind Regards
Philipp Rehs
University Düsseldorf
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
debbie10t
2017-06-29 13:09:49 UTC
Post by Philipp Helo Rehs
Do you have any idea to fix this?
You probably want to use --ncp-disable for your particular setup
because *you* do not want to negotiate your ciphers.
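The failure debbie10t diagnoses above (a 128-bit --keysize applied to the AES-256-GCM that NCP negotiates with a 2.4 client, which OpenSSL rejects at EVP_CIPHER_CTX_set_key_length) and the --ncp-disable fix are easy to check for before a client ever connects. The following linter is an added example written for this page, not code from the thread or from the OpenVPN project. It assumes the OpenVPN 2.4 behaviour documented in the manual: NCP is on unless --ncp-disable is set, the default negotiable set is AES-256-GCM:AES-128-GCM, 2.4's default --cipher is BF-CBC, and --keysize is applied to whichever data-channel cipher ends up in use. The sample config is the thread's server config with comments translated; SAMPLE_CONFIG, parse_config, key_bits, lint, remediate and has_fatal are names chosen here. It also goes a little beyond the thread by offering the second remediation (drop keysize, pin ncp-ciphers) and by checking the static --cipher against --keysize too.

```python
"""Lint an OpenVPN 2.4 server config for the --keysize / NCP conflict.

Added example, not code from the thread or the OpenVPN project.
Assumptions (OpenVPN 2.4 manual): NCP is enabled unless --ncp-disable;
default --ncp-ciphers is AES-256-GCM:AES-128-GCM; default --cipher is
BF-CBC; --keysize is applied to the negotiated data-channel cipher, and a
fixed-key-length cipher rejects a mismatching size ("EVP set key size").
"""
import re

DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
DEFAULT_CIPHER = "BF-CBC"

# Constructed sample: the thread's server config, comments translated.
SAMPLE_CONFIG = """\
local y.y.y.y
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
mode server
tls-server
ca vpn_ca.crt
cert vpn.crt
key vpn.key
keysize 128
dh dh1024.pem
auth SHA256
cipher AES-128-CBC
script-security 3 # needed for the custom verification script
verb 2
"""


def parse_config(text):
    """Return [(option, [args])]; '#'/';' comments and blank lines dropped.

    Leading dashes are stripped so 'ncp-disable' and '--ncp-disable' match.
    """
    opts = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts.append((parts[0].lstrip("-"), parts[1:]))
    return opts


def key_bits(cipher):
    """Fixed key length in bits for ciphers this linter knows, else None.

    None means variable-length (BF-CBC, CAST5-CBC, ...) or unknown, where
    OpenSSL accepts a --keysize override.
    """
    m = re.match(r"AES-(128|192|256)-", cipher, re.IGNORECASE)
    if m:
        return int(m.group(1))
    if cipher.upper() == "CHACHA20-POLY1305":
        return 256
    return None


def lint(text):
    """Return a list of (severity, message) findings for one server config."""
    last = {name: args for name, args in parse_config(text)}  # last one wins
    findings = []
    if "keysize" not in last:
        return findings
    keysize = int(last["keysize"][0])
    findings.append(("warn", "keysize is deprecated in 2.4 and removed in 2.6"))

    # The static --cipher is used when the peer cannot negotiate.
    cipher = last.get("cipher", [DEFAULT_CIPHER])[0]
    bits = key_bits(cipher)
    if bits is not None and bits != keysize:
        findings.append(("fatal", f"cipher {cipher} needs a {bits}-bit key, "
                                  f"keysize {keysize} -> EVP set key size"))

    # With NCP on, a 2.4 client (IV_NCP=2) gets the first mutually supported
    # entry of ncp-ciphers, and keysize is still applied to it.
    if "ncp-disable" in last:
        return findings
    ncp = (last["ncp-ciphers"][0].split(":") if "ncp-ciphers" in last
           else DEFAULT_NCP_CIPHERS)
    for c in ncp:
        bits = key_bits(c)
        if bits is not None and bits != keysize:
            findings.append(("fatal", f"NCP may negotiate {c} ({bits}-bit) while "
                                      f"keysize {keysize} is applied -> EVP set key size"))
    return findings


def remediate(text, mode):
    """Return a corrected config for one of two strategies.

    'ncp-disable'  : the thread's fix; keeps keysize and the legacy cipher.
    'drop-keysize' : remove keysize and pin ncp-ciphers explicitly.
    """
    lines = text.splitlines()
    if mode == "ncp-disable":
        lines.append("ncp-disable")
    elif mode == "drop-keysize":
        lines = [l for l in lines if not re.match(r"\s*-{0,2}keysize\b", l)]
        lines.append("ncp-ciphers " + ":".join(DEFAULT_NCP_CIPHERS))
    else:
        raise ValueError(mode)
    return "\n".join(lines) + "\n"


def has_fatal(findings):
    return any(sev == "fatal" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    for mode in ("ncp-disable", "drop-keysize"):
        state = "clean" if not has_fatal(lint(remediate(SAMPLE_CONFIG, mode))) else "broken"
        print(f"{mode}: {state}")
```

Run it against the posted config and the only fatal finding is the AES-256-GCM one from the log. Both remediations clear it, but they are not equivalent: --ncp-disable freezes the data channel on AES-128-CBC with a 128-bit key and was itself removed in OpenVPN 2.6, whereas dropping --keysize lets 2.4 clients move to AES-256-GCM while older clients fall back to --cipher. On 2.5 and later the ncp-ciphers option is called data-ciphers.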
Philipp Helo Rehs
2017-06-29 13:27:34 UTC
Thank you,
this fixed the problem!
Post by debbie10t
Post by Philipp Helo Rehs
Do you have any idea to fix this?
You probably want to use --ncp-disable for your particular setup
because *you* do not want to negotiate your ciphers.