Ubuntu – Tunnelblick TLS error: The server has no TLS ciphersuites in common with the client

openvpn, ubuntu

I'm trying to set up an OpenVPN server and connect to it with Tunnelblick. My OpenVPN version is 2.4.3 and I'm using EasyRSA-3.0.1. My certificates are using the elliptic curve secp521v1.

openvpn log

Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Thu Jul 6 14:56:25 2017 999.222.18.250:37144 OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS Error: TLS object -> incoming plaintext read error
Thu Jul 6 14:56:25 2017 999.222.18.250:37144 TLS Error: TLS handshake f

Here is my server.conf

dev tun 
proto udp
port 1194 
user nobody
group nogroup
ca ca.crt 
cert server.crt # SWAP WITH YOUR CRT NAME
key server.key # SWAP WITH YOUR KEY NAME
dh none
server 192.168.8.0 255.255.255.0 

ifconfig-pool-persist ipp.txt 

# ncp-disable
cipher AES-256-CBC
auth SHA512

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

tls-version-min 1.2
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4"
compress lz4-v2 
push "compress lz4-v2"
keepalive 10 120
persist-key 
persist-tun 
tls-server
tls-auth /usr/local/share/ca-certificates/ta.key 0
key-direction 0
status /var/log/openvpn2-status.log
log /var/log/openvpn2.log 
verb 3
daemon

client.ovpn

client
proto udp
dev tun
remote vpn.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
tls-version-min 1.2
tls-client
ping 15
ping-restart 120
route 10.0.0.0 255.0.0.0
route-nopull
key-direction 1
daemon
user nobody
group nogroup
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>

Best Answer

The solution was that I was using the wrong tls-cipher for elliptic curve certificates. The correct tls-cipher is

tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
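The answer names the right suite but not why the original list failed: every `TLS-DHE-RSA-*` suite can only authenticate with an RSA certificate, and a secp521v1 key gives an ECDSA certificate, so the server had nothing to offer an ECDSA-authenticating handshake (the `dh none` line in the question's server.conf would also have blocked the DHE suites even with an RSA certificate, since the OpenVPN manual describes `dh none` as disabling Diffie-Hellman key exchange in favour of ECDH). The following script is an added example, not code from the post or from the OpenVPN project: it parses a `tls-cipher` line, classifies each suite by the certificate key type it requires, and reproduces the mismatch with constructed excerpts of the question's and the answer's configs. The certificate key type is passed in by hand rather than read from server.crt; `openssl x509 -in server.crt -noout -text` shows it under "Public Key Algorithm" (`id-ecPublicKey` for an EC key, `rsaEncryption` for RSA).

```python
"""Classify the suites in an OpenVPN tls-cipher list by the certificate key
type they require, to explain "no shared cipher" with an ECDSA server cert.

Added example for this thread, not code from the original post or from the
OpenVPN project. The config excerpts are constructed from the question and
the answer; the certificate key type is supplied by the caller.
"""
import re

# Constructed excerpt of the question's server.conf: DHE-RSA suites only.
SERVER_CONF_BROKEN = """\
dh none
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-version-min 1.2
"""

# Constructed excerpt with the answer's tls-cipher line.
SERVER_CONF_FIXED = """\
dh none
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
"""

# OpenVPN spells TLS 1.2 suites in the IANA style with dashes:
# TLS-<key exchange>[-<certificate key type>]-WITH-<bulk cipher>-<MAC>.
# When the key-type token is absent (TLS-RSA-WITH-...), static RSA key
# exchange is used and the certificate must be RSA.
_SUITE_RE = re.compile(
    r"^TLS-(?P<kex>ECDHE|ECDH|DHE|RSA)(?:-(?P<auth>RSA|ECDSA))?-WITH-"
)


def suite_kex_auth(name):
    """Return (key_exchange, certificate_key_type) for a suite name, or
    (None, None) if it is not a recognised certificate-based suite."""
    m = _SUITE_RE.match(name)
    if not m:
        return None, None
    kex = m.group("kex")
    auth = m.group("auth")
    if auth is None:
        if kex != "RSA":  # TLS-DHE-WITH-... / TLS-ECDHE-WITH-... do not exist
            return None, None
        auth = "RSA"
    return kex, auth


def parse_tls_cipher(conf):
    """Return the suites from the last tls-cipher line (OpenVPN keeps the
    last occurrence of an option); an empty list means the built-in default."""
    suites = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "tls-cipher":
            suites = [s for s in parts[1].strip("\"'").split(":") if s]
    return suites


def check_tls_cipher(conf, cert_key_type):
    """Explain which suites in `conf` the server can actually offer with a
    certificate of `cert_key_type` ("RSA" or "ECDSA").

    A suite is rejected when its key-type token does not match the cert;
    DHE suites are also rejected when the config says `dh none`, because
    the server then has no DH parameters to run them with.
    """
    dh_disabled = re.search(r"^\s*dh\s+none\s*(#.*)?$", conf, re.M) is not None
    usable, rejected = [], {}
    for suite in parse_tls_cipher(conf):
        kex, auth = suite_kex_auth(suite)
        if auth is None:
            rejected[suite] = "not a recognised certificate-based suite"
        elif auth != cert_key_type:
            rejected[suite] = "needs an %s certificate, server has %s" % (auth, cert_key_type)
        elif kex == "DHE" and dh_disabled:
            rejected[suite] = "DHE needs DH parameters, but server.conf has 'dh none'"
        else:
            usable.append(suite)
    return {"usable": usable, "rejected": rejected, "handshake_possible": bool(usable)}


if __name__ == "__main__":
    for label, conf in (("question", SERVER_CONF_BROKEN), ("answer", SERVER_CONF_FIXED)):
        result = check_tls_cipher(conf, "ECDSA")  # secp521v1 key => ECDSA cert
        print(label, "handshake possible:", result["handshake_possible"])
        for suite, why in result["rejected"].items():
            print("  rejected", suite, "->", why)
        for suite in result["usable"]:
            print("  usable  ", suite)
```

Run against the question's list with an ECDSA certificate, all three suites are rejected and no handshake is possible; the answer's single `TLS-ECDHE-ECDSA-*` suite is usable. To see which suite names the installed build actually supports before putting them in `tls-cipher`, run `openvpn --show-tls`.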