Ping a Specific Port

Question

markhorrocks

Asked: 2017-07-07 14:44:32 +0800 CST2017-07-07 14:44:32 +0800 CST 2017-07-07 14:44:32 +0800 CST

Tunnelblick TLS error: The server has no TLS ciphersuites in common with the client

772

I'm trying to set up an openVPN server and connect to it with Tunnelblick. My OpenVPN version is 2.4.3. and I'm using EastRSA-3.0.1. My certificates are using elliptical curve secp521v1.

openvpn log

Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive. Thu Jul 6 14:56:25 2017 999.222.18.250:37144 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS_ERROR: BIO read tls_read_plaintext error Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS Error: TLS object -> incoming plaintext read error Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS Error: TLS handshake f

Here is my server.conf

dev tun 
proto udp
port 1194 
user nobody
group nogroup
ca ca.crt 
cert server.crt # SWAP WITH YOUR CRT NAME
key server.key # SWAP WITH YOUR KEY NAME
dh none
server 192.168.8.0 255.255.255.0 

ifconfig-pool-persist ipp.txt 

# ncp-disable
cipher AES-256-CBC
auth SHA512

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

tls-version-min 1.2
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4"
compress lz4-v2 
push "compress lz4-v2"
keepalive 10 120
persist-key 
persist-tun 
tls-server
tls-auth /usr/local/share/ca-certificates/ta.key 0
key-direction 0
status /var/log/openvpn2-status.log
log /var/log/openvpn2.log 
verb 3
daemon

client.ovpn

client
proto udp
dev tun
remote vpn.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
tls-version-min 1.2
tls-client
ping 15
ping-restart 120
route 10.0.0.0 255.0.0.0
route-nopull
key-direction 1
daemon
user nobody
group nogroup
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>

1 Answers

Voted

markhorrocks · Answer 1 · 2017-07-11T13:06:10+08:00

markhorrocks

2017-07-11T13:06:10+08:002017-07-11T13:06:10+08:00

The solution was that I was using the wrong tls-cipher for elliptical curve certificates. The correct tls-cipher is

tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

1

Tunnelblick TLS error: The server has no TLS ciphersuites in common with the client

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?