Problem connecting to VPN since last 1.5.7 update

Got a problem with Viscosity or need help? Ask here!

Slizz

Posts: 6
Joined: Fri Jun 19, 2015 2:50 am

Post by Slizz » Fri Jun 19, 2015 2:57 am
Hi,

Since I upgraded this morning to the new version 1.5.7, I can't connect anymore to my VPN. It was working fine before I upgraded it.

Each time I try to connect I get this in the logs:

juin 18 12:54:23: TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
juin 18 12:54:23: TLS Error: TLS object -> incoming plaintext read error
juin 18 12:54:23: TLS Error: TLS handshake failed
juin 18 12:54:23: SIGUSR1[soft,tls-error] received, process restarting
juin 18 12:54:23: State changed to Connecting

I'm using the VPN server in my RT-AC66U router. Like I said, everything was fine before the update.

How can I fix this or how can I reverse my Viscosity client to the previous version ?

Slizz

Posts: 6
Joined: Fri Jun 19, 2015 2:50 am

Post by Slizz » Fri Jun 19, 2015 4:32 am
It seems that this new version 1.5.7 patches a vulnerability (logjam) and since the update, I can't connect to my VPN anymore.

The OpenVPN server is served from my Asus RT-AC66U router. Probably in the near future, Asus will update the firmware to fix it, so we can use larger keys.

But until they do, I need to be able to connect to it, and the only way to do so, is to reverse to the 1.5.6 version.

I don't see on your site, where I could get it back.

Is there a way to get back that version because there will be a lot of unhappy clients using VPN servers on Asus routers, that will get in the same situation, not beeing able to connect anymore ???

Eric

User avatar
Posts: 966
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Jun 19, 2015 1:42 pm
Hi Slizz,

OpenSSL includes a number of important security updates, including blocking very, very weak Diffie-Hellman (DH) key lengths (less than 768bits). Weak keys are susceptible to a man-in-the-middle attack known as Logjam, which could result in an attacker decrypting your VPN connection:
https://weakdh.org

OpenSSL will be raising the minimum requirements even further to 1024bits in the next update, however at least 2048bits is recommended for a secure connection.

It appears your connection attempt is being blocked as your OpenVPN server’s DH key length is less than 768bits:

> Jun 18 20:49:24: TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

I’d strongly recommend regenerating the DH parameters file and certificate/key on your OpenVPN server.
Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
3 posts Page 1 of 1