Yealink Forums

T28P - OpenVPN TLS error: Unsupported protocol - 1sae - 07-18-2023 06:50 AM

Hi, I know this phone is pretty old now, but I'm not in the habit of replacing business phones every few years. I have an off-site employee that we gave a T28P phone to that has been connecting through OpenVPN for a couple of years now with no problem. My office firewall is pfSense and was using the 2.6 release with the Yealink 2.73.0.50 firmware.

My issue came up when I updated pfSense to v2.7, which updated OpenVPN. Now I get the following error in the phone log:

Code:
Jul 17 22:16:33 openvpn[439]: TLS Error: TLS handshake failed
Jul 17 22:16:33 openvpn[439]: SIGUSR1[soft,tls-error] received, process restarting
Jul 17 22:16:35 openvpn[439]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 17 22:16:35 openvpn[439]: Re-using SSL/TLS context
Jul 17 22:16:35 openvpn[439]: UDPv4 link local (bound): [undef]:1194
Jul 17 22:16:35 openvpn[439]: UDPv4 link remote: 76.XXX.XXX.XX:1197

and get this in my firewall log:
Code:
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS_ERROR: BIO read tls_read_plaintext error
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed

My guess is that the phone is using an old version of OpenVPN because the same configuration worked before. Here's a copy of my vpn.cnf:
Code:
remote XXX.XXXXX.com 1197 udp
dev tun
persist-tun
persist-key
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client1.crt
key /yealink/config/openvpn/keys/client1.key
remote-cert-tls server
explicit-exit-notify
auth-nocache

I've also tried a number of different ciphers that didn't work (BF-CBC, CF-CFB, AES-256-CBC, AES-128-GCM).

Any suggestions would be greatly appreciated!
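
An added example, not part of the original post: a short Python triage of the firewall log and vpn.cnf shown above. It pulls the OpenSSL failure reason out of the server log and lists which client options are data-channel settings (`cipher`, `auth`) versus the options that select the TLS protocol version; the sample strings are constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample input: lines taken from the firewall log and vpn.cnf in the post.
SERVER_LOG = """\
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed
"""
CLIENT_CONF = """\
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
tls-client
remote-cert-tls server
"""

OPENSSL_ERR = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:[^:]*:(?P<func>[^:]*):(?P<reason>.+)$")
# OpenVPN options that pick the TLS protocol version, as opposed to
# data-channel options, which play no part in TLS version negotiation.
VERSION_OPTS = {"tls-version-min", "tls-version-max"}
DATA_OPTS = {"cipher", "auth", "ncp-ciphers", "data-ciphers"}

def parse_conf(text):
    """Return {directive: args} for active (non-comment) config lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        conf[name] = args.strip()
    return conf

def triage(server_log, client_conf):
    """Classify the handshake failure and show which client options are relevant."""
    reasons = {m["reason"].strip() for l in server_log.splitlines()
               if (m := OPENSSL_ERR.search(l))}
    conf = parse_conf(client_conf)
    return {
        "openssl_reasons": sorted(reasons),
        "tls_version_mismatch": "unsupported protocol" in reasons,
        "client_sets_tls_version": sorted(VERSION_OPTS & conf.keys()),
        "data_channel_opts": {k: conf[k] for k in sorted(DATA_OPTS & conf.keys())},
    }

if __name__ == "__main__":
    for key, value in triage(SERVER_LOG, CLIENT_CONF).items():
        print(f"{key}: {value}")
```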