Fix TLS handshake error #35
Conversation
When connecting with the Tunnelblick client I received the following error:
TLS_ERROR: BIO read tls_read_plaintext error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
To fix the problem, the same tls-version-min directive used in the server configuration has to be added to the client config.
Hmm, I had this in there and suspect that when I reworked the OS detection it got lost somewhere. The installer added it to the file, I believe. Let me figure out what happened in the installer before I just add it to the default.txt.
Yeah, I never had this in the default.txt. My Tunnelblick didn't complain about it, but I merged. We'll see if other clients complain.
@bole5 what version and platform of Tunnelblick do you use? As I stated before, my Tunnelblick never complained, and I'm using 3.6.3 on macOS. And my Android OpenVPN client is telling me it is ignoring tls-version-min in the client config as it's unused. I don't think it is a valid directive client side, server only.
I am running Tunnelblick 3.5.3 (build 4270.4371) running OpenVPN 2.3.6. This directive only works with newer clients. For example, my test setup using OpenVZ and Debian 7 is running OpenVPN 2.2.1, and there I had to remove both:
Your Tunnelblick is old; 3.6.3 is newer than 3.5.3. The Android client I'm using is written by Arne Schwabe, who directly contributes to OpenVPN; it is the latest version and doesn't recognize tls-version-min as a client directive. I know older servers don't recognize it, but I didn't care about that since pivpn is the server and I know what version it brings (which supports tls-version-min). So your test setup, running server version 2.2.1, is an invalid test for anything pivpn. Now you didn't specify, but did you use this script to install on that OpenVZ Debian 7 box? If so, then my fix would still be to install a newer OpenVPN like I do on Ubuntu rather than from the old Debian repos.
What I might need to do is modify that for Debian as well. But this is why I state in the readme, etc. that it's supported on Raspbian Jessie and Ubuntu 14.04, since there could be all kinds of little things for other releases. So if all this is the case (you used the script to install on Debian 7), please send me the output of
You did get a popup during install stating your OS was maybe supported, correct?
Maybe I was unclear in my reply. I installed the pivpn server on my new Raspberry Pi 3 running Jessie, as in the instructions. The problem is due to using different OpenVPN clients. My Tunnelblick is not able to connect without the tls-auth directive in the client config file. The reference to OpenVZ and Debian 7 was just for your information that the client directive Since pivpn is configuring the server to run with tls-auth, for a good reason as this is the safest option, clients that don't support this option will not be able to connect. You might want to add that information to the readme and display a warning when generating new client configs. Alternatively, you could ask users whether or not they want to use tls-auth during the setup process and create the configuration based on the user's reply.
Clients typically don't stay old, though. Why didn't you upgrade your Tunnelblick?
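A small lint for the mismatch this PR is about, added here as an example and not pivpn's own code: it parses a server config and a client profile (skipping inline `<tls-auth>`-style key blocks), reports whether the client carries the server's `tls-version-min`, and copies the directive over when it is missing. The sample configs, the `1.2` value and the `vpn.example.invalid` host are constructed.

```python
import re
# Constructed sample configs (not pivpn's own files): the server sets a TLS
# floor with tls-version-min; the client profile omits the matching line.
SERVER_CONF = """\
port 1194
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
"""
CLIENT_OVPN_MISSING = """\
client
remote vpn.example.invalid 1194
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
deadbeef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_directives(text):
    """Directive -> args; comments and inline <tag>...</tag> bodies skipped."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                             # inside <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
        elif line and line[0] not in "#;":    # skip blanks and comments
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives

def check_tls_version_min(server_text, client_text):
    """Return 'ok', 'client-missing', 'server-missing' or 'mismatch'."""
    srv = parse_directives(server_text).get("tls-version-min")
    cli = parse_directives(client_text).get("tls-version-min")
    if srv is None:
        return "server-missing"
    if cli is None:
        return "client-missing"
    return "ok" if cli[0] == srv[0] else "mismatch"

def add_tls_version_min(client_text, server_text):
    """Copy the server's tls-version-min into the client profile (the PR's fix)."""
    if "tls-version-min" in parse_directives(client_text):
        return client_text
    srv = parse_directives(server_text)["tls-version-min"]
    return client_text.rstrip("\n") + "\ntls-version-min " + " ".join(srv) + "\n"
```

Clients older than OpenVPN 2.3 (such as the 2.2.1 mentioned in the thread) do not understand the directive at all, so the check only tells you the profiles agree, not that every client will accept them.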