How do I manage the error "OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol"? [closed]
While trying to connect to a VPN via openvpn I get the following error from openssl

Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
... several more lines
Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)

This error does not arise when using OpenSSL 1.1.0h.

  • Why does this error arise after upgrading the openssl libraries?
  • How do I manage around this recurring problem?
  • Is there a way to make this work by giving some flags to openvpn CLI instead of downgrading openssl?

OS: Debian Sid

Ias answered 30/10/2018 at 6:12
You don't have to downgrade OpenSSL.

With the introduction of OpenSSL 1.1.1 in Debian, the defaults are set to more secure values. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Debian now requires TLS 1.2 as the minimum version instead of TLS 1.0. If the other side does not support TLS 1.2 or higher you will get connection errors.

I recommend upgrading OpenVPN on the server to a newer version which supports TLS 1.2.

The second option (less secure) is to modify MinProtocol to TLSv1 or TLSv1.1.

Mulligrubs answered 30/10/2018 at 13:42

Wonderful. I had to use TLSv1. It's very sad to say that our institute server runs top-of-the-line hardware with terribly, shamefully outdated software. :( Their setup is such that they are unable to update OpenVPN. I'll try talking to them once more, but chances are very slim. – Ias

If anybody gets this error while using nodemailer, try using node v10 only, without changing any SSL or TLS configuration. – Refractory
You don't have to downgrade OpenSSL or change the system default.

Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn client to configure libssl with a different minimum protocol version. The option is --tls-version-min or tls-version-min in a config file.

It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.

Teresetereshkova answered 2/11/2018 at 9:46

This should be the accepted answer; it is far less invasive than the solution in the accepted one. – Cropdusting

I have experienced that tls-version-min in a config file is simply ignored by openvpn 1.1.1d. – Carmeliacarmelina

@JensMunk same problem. More info about it: bugs.debian.org/cgi-bin/bugreport.cgi?bug=933177 – Tinware
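The two answers above pull in opposite directions: the first lowers MinProtocol for every program on the machine, the second keeps the change inside OpenVPN but, as the comments report, is ignored by some builds. The script below is an added example, written for this page and not taken from the thread or from the OpenVPN or Debian projects; it takes a middle road by copying /etc/ssl/openssl.cnf with a lower MinProtocol and pointing only the OpenVPN process at that copy. It assumes the Debian-style [system_default_sect] with a "MinProtocol = ..." line shown in the first answer, and that the client's libssl 1.1.1 reads the file named by the OPENSSL_CONF environment variable when it auto-loads its configuration; both are assumptions, not facts stated in the thread. The config it demonstrates on is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original thread): lower the TLS floor for the OpenVPN
# client process only, leaving the system-wide /etc/ssl/openssl.cnf untouched.
# Assumptions, not stated in the thread: the config has the Debian-style
# [system_default_sect] with a "MinProtocol = ..." line, and the client's libssl
# 1.1.1 reads the file named by OPENSSL_CONF when it auto-loads its configuration.

# Print the MinProtocol value from [system_default_sect] of an openssl.cnf file.
# Exits 1 if the section or the key is absent.
cnf_min_protocol() {
    awk '
        /^[[:space:]]*\[/ {
            insect = ($0 ~ /^[[:space:]]*\[[[:space:]]*system_default_sect[[:space:]]*\]/)
            next
        }
        insect && /^[[:space:]]*MinProtocol[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]]+$/, "")
            found = 1
            print
            exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Copy SRC to DST, rewriting the MinProtocol line(s) to FLOOR.  Only TLS values are
# accepted: SSLv3 is never a sensible floor, so it is rejected here on purpose.
make_override_cnf() {
    src=$1; dst=$2; floor=$3
    case "$floor" in
        TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
        *) echo "make_override_cnf: refusing protocol floor '$floor'" >&2; return 2 ;;
    esac
    sed -E "s/^([[:space:]]*MinProtocol[[:space:]]*=).*/\1 $floor/" "$src" > "$dst"
}

# Demonstration on a constructed stand-in for the Debian config quoted in the thread.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/openssl.cnf" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
    make_override_cnf "$tmp/openssl.cnf" "$tmp/openvpn-openssl.cnf" TLSv1
    echo "system-wide floor : $(cnf_min_protocol "$tmp/openssl.cnf")"
    echo "openvpn-only floor: $(cnf_min_protocol "$tmp/openvpn-openssl.cnf")"
    rm -rf "$tmp"
}

demo

# Real use (not run here), pointing only the OpenVPN process at the weaker file:
#   make_override_cnf /etc/ssl/openssl.cnf /etc/openvpn/openssl-legacy.cnf TLSv1
#   OPENSSL_CONF=/etc/openvpn/openssl-legacy.cnf openvpn --config client.ovpn
# Where the client honours it, "tls-version-min 1.0" in client.ovpn is the
# narrower alternative; the comments above report builds that ignore it.
```

The point of the copy is blast radius: the override file is only seen by the process started with OPENSSL_CONF set, so every other TLS client on the host keeps the TLS 1.2 floor and SECLEVEL=2, and the weakening can be removed by deleting one file once the server is upgraded. The whitelist in make_override_cnf is deliberate; the function will lower the floor to TLS 1.0 for a legacy server but will not let a typo reintroduce SSLv3.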
You can even directly override the system default e.g. by using:

tls-cipher "DEFAULT:@SECLEVEL=1"

to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).

Sombrous answered 5/11/2018 at 11:35

© 2022 - 2024 — McMap. All rights reserved.