PFSense OpenVPN TLS Handshake failed - ssl

I have a PFSense router with an OpenVPN server running. It was working perfectly fine. Today I tried to connect and got the following error in my OpenVPN client:
Mon Nov 11 21:18:02 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Nov 11 21:18:02 2019 TLS Error: TLS handshake failed
I sniffed the TCP packets arriving at the PFSense OpenVPN server. The PFSense does not seem to answer the packets coming from my client; the packets all look like this (captured at the PFSense interface where OpenVPN connections arrive):
1 0.000000 78.43.*.* 192.168.1.156 OpenVPN 84 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2
On the PFSense the OpenVPN server is bound to the right interface. Everything else seems normal. My client is pingable from the OpenVPN server. Ports on both sides are filtered|open for OpenVPN. Can someone help?

Did you configure the TLS authentication key in OpenVPN? (It has to be on both server and client, or on neither.)
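Added example, not code from either post: a small classifier for OpenVPN UDP control headers that flags the pattern in the question, repeated P_CONTROL_HARD_RESET_CLIENT_V2 with no P_CONTROL_HARD_RESET_SERVER_V2 reply, which is what a server silently dropping packets (tls-auth/tls-crypt key mismatch, wrong interface binding) looks like in a capture. The packets below are constructed, not from the question's capture.

```python
"""Classify OpenVPN control packets and flag clients whose hard resets
never get a reply. Added example; sample packets are constructed."""
from collections import defaultdict

# OpenVPN opcodes live in the high 5 bits of the first byte; key_id in the low 3.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def parse_control_header(payload: bytes):
    """Return (opcode name, key_id, session_id) for a UDP OpenVPN payload."""
    if len(payload) < 9:
        raise ValueError("payload too short for an OpenVPN control header")
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    session_id = payload[1:9]            # 8-byte session id follows the opcode byte
    return OPCODES.get(opcode, f"UNKNOWN_{opcode}"), key_id, session_id

def diagnose(packets):
    """packets: list of (src, dst, payload). Returns a finding per client flow."""
    resets = defaultdict(int)
    replied = set()
    for src, dst, payload in packets:
        name, _, _ = parse_control_header(payload)
        if name == "P_CONTROL_HARD_RESET_CLIENT_V2":
            resets[(src, dst)] += 1
        elif name == "P_CONTROL_HARD_RESET_SERVER_V2":
            replied.add((dst, src))      # reply flows server -> client, so key it as the client flow
    findings = {}
    for flow, count in resets.items():
        if flow in replied:
            findings[flow] = "ok"
        elif count >= 3:
            findings[flow] = "silent server: check tls-auth/tls-crypt key and interface binding"
        else:
            findings[flow] = "no reply yet"
    return findings

def hard_reset(opcode: int, key_id: int = 0) -> bytes:
    """Constructed minimal header: opcode byte plus a fixed 8-byte session id."""
    return bytes([(opcode << 3) | key_id]) + b"\x11" * 8

# Constructed capture mirroring the question: three client hard resets, no answer.
SAMPLE = [("78.43.0.1", "192.168.1.156", hard_reset(7)) for _ in range(3)]
```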

Related

ClientHello Retransmitted many times followed by TCP DUP ACK during SSL handshake

We have one client and one server; our application runs as a bridge between the client and the server.
Our module is responsible for forwarding the traffic between client and server.
During the SSL handshake I am trying to intercept the ClientHello and respond to the client with a ServerHello.
We are able to intercept it and send the ServerHello to the client, but the SSL handshake fails.
I captured the packets during the SSL handshake.
I could see the ServerHello reach the client interface, but the client machine keeps retransmitting the ClientHello again and again. Could anyone help with what went wrong and why the client is not processing the ServerHello?

How to force 'OpenConnect' client to use TLS 1.0

I'm using 'OpenConnect version v8.05' on Red Hat Enterprise Linux 8.1 (Ootpa) in order to connect to a server.
The server only accepts SSLv3, TLSv1.0 ciphers and I don't have access to the server for security update/upgrade.
When I try to connect:
[root#RHEL8 ~]# openconnect --authenticate XXX.XXX.XXX.XXX:443 -status -msg -debug
MTU 0 too small
POST https://XXX.XXX.XXX.XXX/
Connected to XXX.XXX.XXX.XXX:443
SSL negotiation with XXX.XXX.XXX.XXX
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to XXX.XXX.XXX.XXX
Failed to obtain WebVPN cookie
I have changed the OpenSSL minimum protocol by editing:
/etc/crypto-policies/back-ends/opensslcnf.config
MinProtocol = TLSv1.0
Now I'm able to complete a handshake with the server using 'openssl s_client -connect'. But the openconnect client is still not able to connect to the server.
How can I force it to use TLS 1.0?
I have filed an issue on their community issue tracker and got useful info.
It is possible to allow this insecure connection with any version newer than 8.05 (currently not available in the rpm repositories), as mentioned by the maintainer:
$ ./openconnect --gnutls-priority "NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:+COMP-ALL:+KX-ALL" ***

Ejabberd with haproxy ssl termination

Has anyone succeeded with ejabberd + SSL termination with HAProxy 1.7?
frontend ejabberd
    bind *:4000 ssl crt /etc/haproxy/certs/my-domain.com.pem
    mode tcp
    timeout client 3h
    option tcplog
    option clitcpka
    default_backend ejabberd
backend ejabberd
    mode tcp
    timeout server 60m
    option redispatch
    option srvtcpka
    option independent-streams
    balance leastconn
    default-server inter 5s rise 3 fall 3 on-marked-down shutdown-sessions
    server ejabberd localhost:5222 check slowstart 120s
It works fine without ssl crt. My Smack client gives me "No response received within reply timeout. Timeout was 5000ms (~5s)." while waiting to establish TLS.
I also tried with and without TLS in the ejabberd config.
I was able to get the exact configuration working; you need to:
Disable TLS in ejabberd, since HAProxy is doing the SSL offloading and ejabberd is hosted on the same machine:
Comment out the certfile line
Comment out the starttls line
Configure your client correctly. I used Pidgin, but you should be able to do the same with Smack:
Configure the address and port correctly (4000 here)
Ensure that you use "old style TLS" and not STARTTLS; the latter won't work with HAProxy.
Otherwise, if you want clients to use the STARTTLS configuration, then you have to configure HAProxy to proxy the encrypted XMPP traffic (removing "ssl crt ..").

TLS 1.2 downgrade to TLS 1.0

I have 2 Windows Server 2012 R2 machines with all updates.
These servers are behind a firewall with an IPsec connection. We need to connect to a remote API service and we have a strange situation.
1st server: connection OK.
Via the command line with curl I start the connection, and with Wireshark I can see the Hello message with protocol TLSv1.2, and the connection works fine.
2nd server: connection KO.
Via the command line with curl I start the connection, and with Wireshark I can see the Hello message with protocol SSL.
I tried a .NET app and the situation is still the same: 1st OK, 2nd KO. If I try to connect to PayPal with TLSv1.2 it works fine. I tried with other Win Server 2012/2016 machines but it does not work.

SSL Connection on Solace MQTT Throwing Unknown Protocol error

I am using Solace VMR for an MQTT publish/subscribe service. I am using the Paho library for publishing and subscribing. I need an SSL connection with Solace for this purpose. I configured the server and CA certificates. Using SolAdmin, I can see that the SSL service is enabled on port 8883. So when I try to connect to Solace MQTT to publish data, it throws me an error:
2016-09-09T16:54:50+0000 solace event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (unknown protocol); connection to XXX.XX.XX.XXX:8883 from XXX.XX.XX.XXX:62176.
I am using the URL ssl://XXX.XX.XX.XXX:8883. Please help; where am I going wrong?
This error is seen when a client uses TLS 1.0 to establish an SSL connection with the Solace VMR. TLS 1.0 is not supported on the Solace VMR as it is deemed to be insecure.
The connection should be successful when using TLS 1.1 or TLS 1.2.
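Added example, not code from any of the posts above, serving both the Windows Server capture ("Hello message with protocol SSL") and the Solace rejection: a parser that reads the version a ClientHello actually offers, including the supported_versions extension that TLS 1.3 clients use while keeping client_version at TLS 1.2, so a capture can be checked against a server's minimum version. The hello bytes are constructed.

```python
"""Read the offered TLS version out of a raw ClientHello record.
Added example; the ClientHello bytes are constructed, not captured."""
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello_versions(record: bytes):
    """Return (record_version, client_version, max_offered) as names.
    max_offered honours the supported_versions extension (type 43)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = struct.unpack(">H", record[1:3])[0]
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                            # handshake type + 3-byte length
    client_ver = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    p += 32                                          # random
    p += 1 + body[p]                                 # session id
    p += 2 + struct.unpack(">H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]                                 # compression methods
    max_offered = client_ver
    if p + 2 <= len(body):                           # extensions are optional
        ext_end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", body[p:p + 4]); p += 4
            if etype == 43:                          # supported_versions
                offered = body[p + 1:p + 1 + body[p]]
                max_offered = max(struct.unpack(">H", offered[i:i + 2])[0]
                                  for i in range(0, len(offered), 2))
            p += elen
    name = lambda v: VERSIONS.get(v, hex(v))
    return name(rec_ver), name(client_ver), name(max_offered)

def build_client_hello(client_ver: int, supported=None) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, null compression,
    optional supported_versions extension. Record version is fixed at TLS 1.0."""
    body = struct.pack(">H", client_ver) + b"\x00" * 32 + b"\x00"
    body += struct.pack(">H", 2) + b"\x00\x2f"       # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                              # one compression method: null
    if supported:
        vers = b"".join(struct.pack(">H", v) for v in supported)
        ext = struct.pack(">HH", 43, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(hs)) + hs
```

A client whose max_offered comes back as TLS 1.0 is exactly what the Solace VMR rejects with "unknown protocol"; the record-layer version alone (often TLS 1.0 for compatibility) says nothing about what the client supports.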