Add tls-version-min option
I am trying to connect to a Stormshield VPN from Debian Buster
- OpenVPN 2.4.7-1
- OpenSSL 1.1.1c-1
- NM-OpenVPN 1.8.10-1
After importing the provided OpenVPN configuration:
client
dev tun
proto tcp
remote X.X.X.X 443
cipher AES-128-CBC
tls-cipher DHE-RSA-AES256-SHA
auth SHA1
nobind
resolv-retry infinite
persist-key
persist-tun
ca "CA.cert.pem"
cert "openvpnclient.cert.pem"
key "openvpnclient.pkey.pem"
comp-lzo
verb 3
auth-user-pass creds
auth-retry interact
The connection fails with the following error:
nm-openvpn[23338]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
nm-openvpn[23338]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
nm-openvpn[23338]: TLS_ERROR: BIO read tls_read_plaintext error
nm-openvpn[23338]: TLS Error: TLS object -> incoming plaintext read error
nm-openvpn[23338]: TLS Error: TLS handshake failed
nm-openvpn[23338]: Fatal TLS error (check_tls_errors_co), restarting
The connection completes successfully if I add tls-version-min 1.0 to the config file and run the openvpn command manually.
The remote server only supports TLS1.2:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
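The imported client configuration with the missing option added, as an added example (not part of the report). The line with 1.0 is the value the report confirms works when openvpn is run manually; the commented 1.2 alternative is an assumption made here, not something the report tested: the scan shows the server refuses everything below TLS 1.2, so the client loses nothing by refusing it as well.

```conf
client
dev tun
proto tcp
remote X.X.X.X 443
# Pin the minimum TLS version explicitly instead of relying on the default.
# Verified in the report to work when openvpn is run from the command line:
tls-version-min 1.0
# Stricter alternative (assumption, not tested in the report): the scan shows
# the server offers TLS 1.2 only, so the client can refuse anything lower too.
#tls-version-min 1.2
cipher AES-128-CBC
tls-cipher DHE-RSA-AES256-SHA
auth SHA1
nobind
resolv-retry infinite
persist-key
persist-tun
ca "CA.cert.pem"
cert "openvpnclient.cert.pem"
key "openvpnclient.pkey.pem"
comp-lzo
verb 3
auth-user-pass creds
auth-retry interact
```

This only helps when the option actually reaches openvpn; the report's point is that the NetworkManager plugin offers no way to pass it through, which is why the manual run succeeds while the imported connection does not.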
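The "offered / not offered" summary quoted above can be reproduced with the stock openssl command line tool. The script below is an added example, not part of the report and not the scanner's own code; HOST and PORT are placeholders and the transcripts used to check the classifier are constructed. It also prints the first OpenSSL error line next to each verdict, because "not offered" can equally mean the local openssl refused to speak that version (for example when the system openssl.cnf sets a MinProtocol), which is exactly the kind of client-side restriction the error in the report describes.

```shell
#!/bin/sh
# Added example (not from the report): list which TLS versions a server accepts
# using only the openssl CLI, reproducing the "offered / not offered" summary
# quoted in the report. HOST and PORT are placeholders.

# Classify one "openssl s_client" transcript passed as $1.
# Prints "offered" when a session was negotiated, which s_client reports as
# "New, TLSv1.2, Cipher is ..."; a failed handshake prints "Cipher is (NONE)".
classify_tls_probe() {
    if printf '%s\n' "$1" | grep -Eq '^(New|Reused), [^,]+, Cipher is [^(]'; then
        echo "offered"
    else
        echo "not offered"
    fi
}

# First OpenSSL error line in a transcript passed as $1 (empty if none).
# Lets a local refusal ("no protocols available", "unsupported protocol")
# be told apart from a server that simply does not speak that version.
first_ssl_error() {
    printf '%s\n' "$1" | grep 'SSL routines' | head -n 1
}

# Probe host $1, port $2 once per TLS version and print one line per version.
probe_tls_versions() {
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        # "Q" on stdin closes the connection as soon as the handshake is done.
        out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -"$ver" 2>&1)
        verdict=$(classify_tls_probe "$out")
        reason=$(first_ssl_error "$out")
        printf '%-7s %s%s\n' "$ver" "$verdict" "${reason:+  [$reason]}"
    done
}

# Usage: sh probe.sh HOST PORT
if [ $# -eq 2 ]; then
    probe_tls_versions "$1" "$2"
fi
```

One caveat when reading the result: OpenVPN carries its TLS handshake inside its own control-channel framing, so a raw s_client probe of the VPN port only measures a plain TLS listener that happens to share that port (such as a web portal), not the OpenVPN server's own TLS settings. A verdict of "not offered" that comes with a reason in brackets is a statement about the local client as much as about the server.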