Hi folks,
I'm running ASG 8.305 and all things are working fine so far :)
I just want to give a little hint and maybe get a little bit of feedback from you about opening a security leak if performing a suggestion I read at another site.
So what's going on?
Well, my wife owns a MacBook Pro. For establishing SSL VPN connections to our ASG we're using the software "Viscosity" from SparkLabs. This solution has worked fine for us for a couple of years now and with all OS X upgrades from 10.5 up to 10.8 (Mountain Lion - just a few days ago).
After booting the MacBook Pro today I got a hint that a new version (1.4.1) of "Viscosity" is available. I downloaded and installed it and bang - no SSL-VPN connections to our ASG could be established anymore :mad:
Well, diving a little bit deeper into the error log (I know, actually no Mac (standard) user behavior ... ;) ) I found the reason for the strange behavior: TLS Error: TLS handshake failed.
In more detail:
Code:
TLS_ERROR: BIO read tls_read_plaintext error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Well, the guys at "SparkLabs" say:
"Viscosity 1.4 includes an upgrade to OpenVPN 2.3. OpenVPN 2.3 brings a number of feature additions and changes to OpenVPN."
Furthermore they say:
"... you are most likely trying to connect to an Astaro or Watchguard server. Unfortunately the "tls-remote" commands these servers generate are out of date and no longer accepted by the latest version of OpenSSL and OpenVPN."
The full text is available here.
Furthermore they recommended removing this entry
Code:
tls-remote "/C=de/L=Musterhausen/O=Musterfirma/CN=otto/emailAddress=admin@musterfirma.xyz"
from the client's settings. Having done so, SSL-VPN connections can be established again.
Now, two questions come up for me:
- Do I open a security leak by removing the tls-remote entry in the client?
- Is it really true that the current version of ASG (i.e. 8.305) generates "outdated code which is no longer accepted by the latest version of OpenSSL and OpenVPN"? If so, when will we see an update? I'm asking this because we are talking about "security" software, aren't we?
Greetinx
Guido
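
On the first question, as an added example that is not part of the original post: OpenVPN 2.3 deprecates tls-remote in favour of verify-x509-name and formats the certificate subject as "C=..., CN=..." instead of "/C=.../CN=...", so the server-name pin can be re-expressed instead of dropped. The sketch below rewrites the quoted entry and flags a config left with no name check; the function names, sample config and host name are constructed for illustration.

```python
import re

# Constructed sample client config; the tls-remote line is the one quoted in the post.
SAMPLE = '''client
dev tun
remote vpn.example.invalid 443
ca ca.crt
tls-remote "/C=de/L=Musterhausen/O=Musterfirma/CN=otto/emailAddress=admin@musterfirma.xyz"
'''

def old_dn_to_new(dn):
    """'/C=de/CN=otto' (OpenVPN <= 2.2 style) -> 'C=de, CN=otto' (2.3 style)."""
    # Split only on a '/' that starts a new KEY= attribute, so '/' inside a value survives.
    # Caveat: the old format also remapped some characters to '_'; check the result
    # against the subject of the actual server certificate.
    parts = [p for p in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn) if p]
    return ", ".join(parts)

def migrate(config):
    """Return (rewritten_config, warnings) for an OpenVPN client config."""
    out, warnings, pinned = [], [], False
    for line in config.splitlines():
        m = re.match(r'\s*tls-remote\s+(?:"([^"]*)"|(\S+))\s*$', line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            if value.startswith("/"):
                # Full subject DN: re-express it in the 2.3 format.
                line = 'verify-x509-name "%s" subject' % old_dn_to_new(value)
            else:
                # tls-remote also accepted a common-name prefix.
                line = 'verify-x509-name "%s" name-prefix' % value
            warnings.append("tls-remote rewritten; compare with the real certificate subject")
            pinned = True
        elif re.match(r"\s*verify-x509-name\s", line):
            pinned = True
        out.append(line)
    if not pinned:
        warnings.append("no server name check: identity rests on the CA chain alone")
    return "\n".join(out) + "\n", warnings

if __name__ == "__main__":
    new_config, notes = migrate(SAMPLE)
    print(new_config)
    print("\n".join(notes))
```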