mac osx tls fails but windows works
This is the log when trying to connect via Mac:
Nov 23 20:58:42: Viscosity Mac 1.6.7 (1364)
Nov 23 20:58:42: Viscosity OpenVPN Engine Started
Nov 23 20:58:42: Running on Mac OS X 10.12.1
Nov 23 20:58:42: ---------
Nov 23 20:58:42: Checking reachability status of connection...
Nov 23 20:58:42: Connection is reachable. Starting connection attempt.
Nov 23 20:58:43: OpenVPN 2.3.13 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 4 2016
Nov 23 20:58:43: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Nov 23 20:58:58: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 23 20:58:58: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1240)
Nov 23 20:58:58: UDPv4 link local: [undef]
Nov 23 20:58:58: UDPv4 link remote: [AF_INET]xxxxxxxxxxxx
Nov 23 20:58:58: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 23 20:59:59: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 23 20:59:59: TLS Error: TLS handshake failed
Nov 23 20:59:59: SIGUSR1[soft,tls-error] received, process restarting
AND that's what I get on WIN10 client
נוב 23 21:02:04: State changed to Connecting
נוב 23 21:02:04: Viscosity Windows 1.6.6 (1461)
נוב 23 21:02:04: Running on Microsoft Windows 10 Pro
נוב 23 21:02:04: Bringing up interface...
נוב 23 21:02:04: Checking reachability status of connection...
נוב 23 21:02:04: Connection is reachable. Starting connection attempt.
נוב 23 21:02:04: OpenVPN 2.3.12 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 24 2016
נוב 23 21:02:04: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
נוב 23 21:02:06: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
נוב 23 21:02:06: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1240)
נוב 23 21:02:06: UDPv4 link local: [undef]
נוב 23 21:02:06: UDPv4 link remote: [AF_INET]62.0.99.213:443
נוב 23 21:02:06: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
נוב 23 21:02:06: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
נוב 23 21:02:06: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
נוב 23 21:02:06: [XXXXXX Peer Connection Initiated with [AF_INET]XXXXXXX
נוב 23 21:02:10: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
נוב 23 21:02:10: open_tun, tt->ipv6=0
נוב 23 21:02:10: TAP-WIN32 device [XXXXX] opened: \\.\Global\{E88E8573-14A1-4FD0-BD13-7B04EF77C781}.tap
נוב 23 21:02:10: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.255.254.128/255.255.255.0 on interface {E88E8573-14A1-4FD0-BD13-7B04EF77C781} [DHCP-serv: 10.255.254.0, lease-time: 31536000]
נוב 23 21:02:10: Successful ARP Flush on interface [24] {E88E8573-14A1-4FD0-BD13-7B04EF77C781}
נוב 23 21:02:15: Initialization Sequence Completed
נוב 23 21:02:18: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/ar ... e-present/
Server - 10.53.97.15:53; Lookup Type - Split; Domains - None
Server - 10.0.0.138:53; Lookup Type - Any; Domains - Home.
Hi ndol,
Please see the following support article for things to check and try:
http://www.sparklabs.com/support/kb/art ... 0-seconds/
I would also recommend addressing the following warning, as bad or invalid MTU/packet-size settings can result in connectivity issues:
WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1240)
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Viscosity for Mac was OK until a few days ago.
While using Viscosity for Windows, I can reach the server and open a connection with same configuration from the same network.
I've changed the MTU to 1500.
still... No success - here's the log
[BTW I see that OpenVPN 2.3.13 is from Nov4. Is it related to the problem? Is there a way to roll back to previous version?]
Nov 24 19:53:30: Viscosity Mac 1.6.7 (1364)
Nov 24 19:53:30: Viscosity OpenVPN Engine Started
Nov 24 19:53:30: Running on Mac OS X 10.12.1
Nov 24 19:53:30: ---------
Nov 24 19:53:30: Checking reachability status of connection...
Nov 24 19:53:30: Connection is reachable. Starting connection attempt.
Nov 24 19:53:31: OpenVPN 2.3.13 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 4 2016
Nov 24 19:53:31: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Nov 24 19:53:39: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 24 19:53:39: UDPv4 link local: [undef]
Nov 24 19:53:39: UDPv4 link remote: [AF_INET]XXXXXXXX
Nov 24 19:53:39: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 24 19:54:39: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 24 19:54:39: TLS Error: TLS handshake failed
Nov 24 19:54:39: SIGUSR1[soft,tls-error] received, process restarting
After going back to 1.6.6, Viscosity is getting connected again.. here's what I did:
1. Quit Viscosity
2. Got rid of two kext files:
sudo kextunload -b com.viscosityvpn.Viscosity.tap
sudo kextunload -b com.viscosityvpn.Viscosity.tun
3. Got Viscosity 1.6.6 from Cnet and installed it
4. Got connected.
Here is connection log:
Nov 25 15:55:15: Viscosity Mac 1.6.6 (1358)
Nov 25 15:55:15: Viscosity OpenVPN Engine Started
Nov 25 15:55:15: Running on Mac OS X 10.12.1
Nov 25 15:55:15: ---------
Nov 25 15:55:15: Checking reachability status of connection...
Nov 25 15:55:15: Connection is reachable. Starting connection attempt.
Nov 25 15:55:17: OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Aug 24 2016
Nov 25 15:55:17: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Nov 25 15:55:26: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 25 15:55:26: UDPv4 link local: [undef]
Nov 25 15:55:26: UDPv4 link remote: [AF_INET]XXXXXXX
Nov 25 15:55:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 25 15:55:26: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1578', remote='link-mtu 1314'
Nov 25 15:55:26: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1272'
Nov 25 15:55:26: WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Nov 25 15:55:26: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 25 15:55:26: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 25 15:55:26: [se.b-gur.com] Peer Connection Initiated with [AF_INET]XXXXX
Nov 25 15:55:31: TUN/TAP device /dev/tap0 opened
Nov 25 15:55:31: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 25 15:55:31: /sbin/ifconfig tap0 delete
Nov 25 15:55:31: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Nov 25 15:55:31: /sbin/ifconfig tap0 10.255.254.136 netmask 255.255.255.0 mtu 1500 up
Nov 25 15:55:31: Initialization Sequence Completed
Nov 25 15:55:31: DHCP enabled on tap interface tap0
Nov 25 15:55:32: Disabling DHCP on interface tap0 (not required)
Nov 25 15:55:32: DNS mode set to: Split
Nov 25 15:55:32: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/ar ... e-present/
Nov 25 15:55:50: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Nov 25 15:56:10: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Hi ndol,
I think we might have already addressed this via an email support request, but just in case:
OpenVPN and OpenSSL regularly remove/block certain ciphers and key sizes that are no longer secure and considered trivially easy to attack and decrypt. It’s likely that your OpenVPN server is using one of these ciphers that was blocked in the latest OpenVPN/OpenSSL update. Updating the cipher on your server should allow you to connect again.
It’s recommended that you address the following warning, which would be related: "WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size." Information about this can be found mid-way down in the following blog post:
http://www.sparklabs.com/blog/viscosity ... ion-1-6-6/
You may also like to consider addressing the "FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented" error, which indicates one end has the "fragment" option set while the other end doesn’t. This can result in slowing down of the VPN connection in some instances.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
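An added example, not part of the original thread and not code from Viscosity or OpenVPN: a small triage script that splits a Viscosity log into connection attempts and reports, per attempt, the client, OpenVPN and OpenSSL versions, the outcome, and the warnings discussed above (no server certificate verification, 64-bit block cipher, fragment and MTU option mismatches). The function name `triage`, the finding ids and the sample log are constructed for illustration.

```python
import re

# Constructed sample: lines abridged from the two Mac logs quoted in this thread.
SAMPLE_LOG = """\
Nov 24 19:53:30: Viscosity Mac 1.6.7 (1364)
Nov 24 19:53:31: OpenVPN 2.3.13 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] built on Nov 4 2016
Nov 24 19:53:31: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Nov 24 19:53:39: WARNING: No server certificate verification method has been enabled.
Nov 24 19:54:39: TLS Error: TLS handshake failed
Nov 25 15:55:15: Viscosity Mac 1.6.6 (1358)
Nov 25 15:55:17: OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] built on Aug 24 2016
Nov 25 15:55:17: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
Nov 25 15:55:26: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1272'
Nov 25 15:55:26: WARNING: this cipher's block size is less than 128 bit (64 bit).
Nov 25 15:55:31: Initialization Sequence Completed
Nov 25 15:55:50: FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
"""

LINE = re.compile(r"^\S+ +\d+ [\d:]+: (.*)$")  # month token may be non-ASCII (Hebrew locale)
START = re.compile(r"Viscosity (Mac|Windows) ([\d.]+)")
CHECKS = [  # (finding id, regex searched in the log message)
    ("no-server-cert-verification", r"No server certificate verification"),  # see remote-cert-tls
    ("64-bit-block-cipher", r"cipher's block size is less than 128 bit"),  # change --cipher
    ("fragment-mismatch", r"FRAG_IN error"),  # fragment set on one end only
    ("option-mismatch", r"'([\w-]+)' is used inconsistently"),  # captures the option name
]

def triage(log_text):
    """Split a Viscosity log into connection attempts and summarise each one."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(1) if m else ""
        if (s := START.match(msg)):  # banner line opens a new attempt
            sessions.append({"client": f"{s.group(1)} {s.group(2)}", "openvpn": None,
                             "openssl": None, "outcome": "unknown", "findings": []})
        if not sessions:
            continue
        cur = sessions[-1]
        if (v := re.match(r"(OpenVPN|library versions: OpenSSL) (\S+)", msg)):
            cur["openssl" if "OpenSSL" in v.group(1) else "openvpn"] = v.group(2)
        elif "TLS handshake failed" in msg:
            cur["outcome"] = "tls-failed"
        elif "Initialization Sequence Completed" in msg:
            cur["outcome"] = "connected"
        for name, pattern in CHECKS:
            hit = re.search(pattern, msg)
            if hit and hit.groups():  # option mismatch: record which option differs
                name = f"{name}:{hit.group(1)}"
            if hit and name not in cur["findings"]:
                cur["findings"].append(name)
    return sessions

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Comparing the summaries side by side shows which OpenVPN/OpenSSL pairing fails and which security warnings remain open even on the attempt that connects.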