openvpn: option tls_cipher is ignored
Username: Slenderchat
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2475
Devices: TL-WR841NDv9 and TL-WR840Nv4 both running OpenWRT SNAPSHOT, r10920-0cc87b3b
The first one runs openvpn-mbedtls 2.4.7 using mbedtls 2.16.2 as server, the second one runs openvpn-openssl 2.4.7 using openssl 1.1.1c as client
Steps to reproduce:
1. Add "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'" or "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'" to /etc/config/openvpn of both client and server
2. Execute /etc/init.d/openvpn restart on both
The option has no effect and is not written to /var/etc/openvpn-*.conf on either router.
Both ciphersuites are listed in the "openvpn --show-tls" output of both.
Executing the openvpn command with "--tls-cipher" directly does have an effect.
Supplying a ":"-separated list as the argument to "option tls_cipher" does not work either.
/etc/config/openvpn of the server:
config openvpn {instance}
	option enabled 1
	option local {IP}
	option port 1194
	option proto udp
	option dev tun0
	option ca /etc/openvpn/pki/ca.crt
	option cert /etc/openvpn/pki/{server}.crt
	option key /etc/openvpn/pki/{server}.key
	option dh /etc/openvpn/pki/dh.pem
	option tls_auth /etc/openvpn/pki/tls.key
	option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
	option server "192.168.0.0 255.255.252.0 nopool"
	option topology subnet
	option client_config_dir /etc/openvpn/ccd
	option client_to_client 1
	option keepalive "10 120"
	option cipher AES-128-GCM
	option auth SHA224
	option ncp_disable 1
	option persist_key 1
	option persist_tun 1
	option user nobody
	option status /tmp/openvpn-status.log
	option verb 4
/etc/config/openvpn of the client:
config openvpn {instance}
	option enabled 1
	option client 1
	option dev tun0
	option proto udp
	option remote "{IP} 1194"
	option resolv_retry infinite
	option nobind 1
	option persist_key 1
	option persist_tun 1
	option user nobody
	option ca /etc/openvpn/pki/ca.crt
	option cert /etc/openvpn/pki/{client}.crt
	option key /etc/openvpn/pki/{client}.key
	option tls_auth /etc/openvpn/pki/tls.key
	option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
	option cipher AES-128-GCM
	option auth SHA224
	option ncp_disable 1
	option verb 4
/var/etc/openvpn-{instance}.conf of the server:
client-to-client
ncp-disable
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{server}.crt
cipher AES-128-GCM
client-config-dir /etc/openvpn/ccd
dev tun0
dh /etc/openvpn/pki/dh.pem
keepalive 10 120
key /etc/openvpn/pki/{server}.key
local {IP}
port 1194
proto udp
server 192.168.0.0 255.255.252.0 nopool
status /tmp/openvpn-status.log
tls-auth /etc/openvpn/pki/tls.key
topology subnet
user nobody
verb 4
/var/etc/openvpn-{instance}.conf of the client:
client
ncp-disable
nobind
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{client}.crt
cipher AES-128-GCM
dev tun0
key /etc/openvpn/pki/{client}.key
proto udp
remote {IP} 1194
resolv-retry infinite
tls-auth /etc/openvpn/pki/tls.key
user nobody
verb 4
"logread -e openvpn" output of the server:
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (mbed TLS)] [EPOLL] [AEAD]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: library versions: mbed TLS 2.16.2
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Diffie-Hellman initialized with 2048 bit key
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TLS-Auth MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP device tun0 opened
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP TX queue length set to 100
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: /sbin/ifconfig tun0 192.168.0.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:11:07 2019 daemon.warn openvpn({server})[2870]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link local (bound): [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link remote: [AF_UNSPEC]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UID set to nobody
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_init called, r=256 v=256
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Initialization Sequence Completed
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_create_instance called
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Re-using SSL/TLS context
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 TLS: Initial packet from [AF_INET]{CLIENT_IP}:58942, sid=090c350a 58339b04
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=0, CN={client}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_VER=2.4.7
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PLAT=linux
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PROTO=2
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 [{client}] Peer Connection Initiated with [AF_INET]{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/{client}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.1 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: primary virtual IP for {client}/{CLIENT_IP}:58942: 192.168.1.1
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: internal route 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 SENT CONTROL [{client}]: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0' (status=1)
"logread -e openvpn" output of the client:
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [AEAD]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: library versions: OpenSSL 1.1.1c 28 May 2019
Sun Sep 1 09:10:44 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=4963e57f 95fa1ba4
Sun Sep 1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep 1 09:10:46 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep 1 09:10:46 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP device tun0 opened
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP TX queue length set to 100
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: /sbin/ifconfig tun0 192.168.1.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: UID set to nobody
Sun Sep 1 09:10:47 2019 daemon.warn openvpn({client})[29010]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: [{server}] Inactivity timeout (--ping-restart), restarting
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Closing socket
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: Restart pause, 5 second(s)
Sun Sep 1 09:13:03 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Re-using SSL/TLS context
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=2796bdad af860497
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Preserving previous TUN/TAP instance: tun0
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
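The logs above are the only place the silently dropped option shows up: both ends negotiated ECDHE-RSA-CHACHA20-POLY1305 although an ECDSA AES-GCM suite was configured, and the mbed TLS server and the OpenSSL client print the same suite under different names. The following is an added example, not part of the report or of the OpenWrt openvpn package, that parses "Control Channel:" lines from logread output, normalizes both naming styles, and flags instances whose negotiated suite is not in the configured tls_cipher list; the instance names, IPs and log lines are constructed to match the shape of the report.

```python
import re

# Constructed sample lines shaped like the report's logread output (names/IPs replaced).
SAMPLE_LOG = """\
Sun Sep 1 09:13:04 2019 daemon.notice openvpn(srv)[2870]: 10.0.0.2:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn(cli)[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
"""

# Matches the "Control Channel:" line of both builds: mbed TLS prints an IANA-style name,
# OpenSSL prefixes its own short name with a second "TLSv1.2 " token.
CIPHER_RE = re.compile(
    r"openvpn\((?P<inst>[^)]*)\)\[\d+\]: .*?Control Channel: (?P<ver>TLSv[\d.]+), "
    r"cipher (?:TLSv[\d.]+ )?(?P<cipher>[A-Z0-9-]+)"
)


def normalize(name):
    """Reduce an IANA/mbed TLS name (TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256) or an
    OpenSSL name (ECDHE-RSA-CHACHA20-POLY1305) to one comparable token.
    Covers the AEAD suites (GCM, CHACHA20-POLY1305) used in the report."""
    n = name.upper()
    n = re.sub(r"^TLS-", "", n)            # mbed TLS / IANA prefix
    n = n.replace("-WITH-", "-")           # IANA separator that OpenSSL omits
    n = re.sub(r"AES-(\d+)", r"AES\1", n)  # AES-128 -> AES128 (OpenSSL spelling)
    if "GCM" in n or "POLY1305" in n:      # OpenSSL omits the PRF hash for AEAD suites
        n = re.sub(r"-SHA(256|384)$", "", n)
    return n


def parse_negotiated(log_text):
    """Return {instance: (tls_version, cipher name as logged)} per Control Channel line."""
    found = {}
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            found[m.group("inst")] = (m.group("ver"), m.group("cipher"))
    return found


def check_tls_cipher(log_text, tls_cipher):
    """Compare each instance's negotiated suite with the configured tls_cipher value
    (colon-separated list, as OpenVPN's --tls-cipher takes it). Returns {instance: bool}."""
    allowed = {normalize(c) for c in tls_cipher.split(":") if c}
    return {inst: normalize(cipher) in allowed
            for inst, (_ver, cipher) in parse_negotiated(log_text).items()}


if __name__ == "__main__":
    wanted = "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
    for inst, ok in check_tls_cipher(SAMPLE_LOG, wanted).items():
        print(f"{inst}: {'OK' if ok else 'MISMATCH (configured tls_cipher not applied?)'}")
```

Both constructed instances report MISMATCH for the suite the report configures, which is the same symptom the report describes; note that the configured suites are ECDSA ones while the logs show a 2048-bit RSA key, so the handshake would also have to fail rather than pick that suite once the option is actually written out.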