Re: Openvpn with brainpoolP256r1 works for debian clients only
- Date: Mon, 8 Apr 2019 09:55:53 -0400
- From: Dan Ritter <dsr@xxxxxxxxxxxxxxxx>
- Subject: Re: Openvpn with brainpoolP256r1 works for debian clients only
> Hi all,
> I'm using openvpn with certificates based on elliptic curves from the
> brainpoolP256r1 group. This works fine if the server and the clients run
> with debian as operating system.
> If I try to connect with a client based on windows or centos using the
> same client.conf, the handshake fails and the server logs show the
> TLS error: The server has no TLS ciphersuites in common with the client.
> Your --tls-cipher setting might be too restrictive.
> If I compare the ClientHello messages, the client in debian lists the
> brainpoolP256r1 in the Supported Group section, while the clients on
> windows and centos do not. (See below).
> My question:
> Why does debian send this extended list of supported groups compared to
> the other operating systems? Are there special compile options for
> openvpn or openssl?
There are many different options, and openssl tries to support
many so that something can be found to work.
Incompatibility across operating systems and versions is
expected. Pick something that works for your situation.
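
The ClientHello comparison described in the quoted question, as an added example that is not part of the original thread: it parses the extensions block of a ClientHello and reports whether brainpoolP256r1 is in the supported_groups list. The two byte strings are constructed samples, not the poster's captures; the function names are hypothetical, and the group numbers are the IANA TLS Supported Groups code points.

```python
import struct

# IANA TLS Supported Groups code points (subset).
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
          26: "brainpoolP256r1", 27: "brainpoolP384r1",
          28: "brainpoolP512r1", 29: "x25519", 30: "x448"}
EXT_SUPPORTED_GROUPS = 10  # extension type of supported_groups


def supported_groups(extensions):
    """Group names offered in a ClientHello extensions block
    (the block starts with its own 2-byte length)."""
    if len(extensions) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack_from("!H", extensions, 0)
    if total != len(extensions) - 2:
        raise ValueError("extensions length mismatch")
    pos = 2
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        pos += 4 + ext_len
        if ext_type != EXT_SUPPORTED_GROUPS:
            continue
        if ext_len < 2:
            raise ValueError("supported_groups too short")
        (list_len,) = struct.unpack_from("!H", body, 0)
        if list_len != ext_len - 2 or list_len % 2:
            raise ValueError("bad supported_groups list length")
        ids = struct.unpack_from("!%dH" % (list_len // 2), body, 2)
        return [GROUPS.get(i, "unknown(0x%04x)" % i) for i in ids]
    return []  # extension absent


def build_block(group_ids):
    """Constructed sample: ec_point_formats (11) + supported_groups (10)."""
    glist = struct.pack("!%dH" % len(group_ids), *group_ids)
    sg = struct.pack("!HHH", 10, len(glist) + 2, len(glist)) + glist
    exts = struct.pack("!HH", 11, 2) + b"\x01\x00" + sg
    return struct.pack("!H", len(exts)) + exts


def offers(extensions, curve="brainpoolP256r1"):
    return curve in supported_groups(extensions)


CLIENT_WITH = build_block([29, 23, 26])     # constructed: offers brainpoolP256r1
CLIENT_WITHOUT = build_block([29, 23, 24])  # constructed: does not offer it
```

A client whose list lacks the curve used by the server certificate leaves the server with no usable ECDSA ciphersuite, which matches the "no TLS ciphersuites in common" error quoted above.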