OpenSSL v1.1.1 ssl


2023-04-23 08:12 | Source: compiled from the web | Views: 265

Problem description

I'm trying to connect to our institute VPN via openvpn. When openvpn runs, I get the following error from openssl

    Tue Oct 30 11:34:16 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    ... several more lines
    Tue Oct 30 11:34:17 2018 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    Tue Oct 30 11:34:17 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Tue Oct 30 11:34:17 2018 TLS Error: TLS object -> incoming plaintext read error
    Tue Oct 30 11:34:17 2018 TLS Error: TLS handshake failed
    Tue Oct 30 11:34:17 2018 SIGUSR1[soft,tls-error] received, process restarting
    Tue Oct 30 11:34:17 2018 Restart pause, 5 second(s)

This error does not come up when using OpenSSL 1.1.0h.

What has changed in between these versions that this error comes up?

My system is Debian Sid. Since I regularly use VPN, it is extremely irritating when I have to manually downgrade OpenSSL to 1.1.0h after every upgrade, and that too, just so I can use openVPN to connect.

Recommended answer

You don't have to downgrade OpenSSL.

With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

Debian now requires TLS 1.2 as the minimum version instead of TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.

I recommend upgrading openvpn on the server to a newer version which supports TLS 1.2.

The second option (not very secure) is to modify MinProtocol to TLSv1 or TLSv1.1.
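To check whether a host's openssl.cnf still enforces the defaults quoted in the answer, here is an added example (not part of the original answer and not Debian's or OpenSSL's own code). It follows the openssl_conf -> ssl_conf -> system_default references that make the section active; the section names default_conf and ssl_sect in the constructed sample are assumptions, not taken from the page.

```python
import re

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest first

def parse_sections(text):
    """Parse openssl.cnf-style text into {section_name: {key: value}}."""
    sections, current = {"": {}}, ""          # "" holds keys before any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit_tls_defaults(text, floor="TLSv1.2", min_seclevel=2):
    """Return findings where the active defaults are weaker than the floor."""
    sections = parse_sections(text)
    # OpenSSL applies only the section reached through this chain of references.
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
    defaults = sections.get(name)
    if defaults is None:
        return ["no active system_default section; library defaults apply"]
    findings = []
    proto = defaults.get("MinProtocol")
    if proto not in PROTOCOLS or PROTOCOLS.index(proto) < PROTOCOLS.index(floor):
        findings.append(f"MinProtocol {proto!r} does not enforce {floor} or newer")
    level = re.search(r"@SECLEVEL=(\d+)", defaults.get("CipherString", ""))
    if level is None or int(level.group(1)) < min_seclevel:
        findings.append(f"CipherString does not enforce SECLEVEL {min_seclevel}")
    return findings

# Constructed sample (default_conf and ssl_sect are assumed names), MinProtocol lowered.
SAMPLE = """
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1   # lowered from TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

if __name__ == "__main__":
    print("\n".join(audit_tls_defaults(SAMPLE)))
```

An empty result means the active section still matches the TLSv1.2 / SECLEVEL=2 values shown in the answer.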


