"Secure connection failed" via openVPN tunnels with palemoon

[chemlud]

HI

I have two OPNsense (LibreSSL) latest (different locations), connected to a pfSense (latest) via an openVPN tunnel each.

Accessing these OPNsenses from respective LAN via palemoon (latest) works just fine, only cipher allowed in OPNsense is CHACHA20-Poly1305-sha256 for reaching the sense GUI.

When I try to access the GUIs from then LAN of the pfsense via the openVPN tunnel, palemoon refuses to connect (Error code: SSL_ERROR_NO_CYPHER_OVERLAP), although it works fine from LAN.

Iirc the problems started with 21.7, this has been working for months before. Firefox (latest) complains about the certificate but makes a connection to the opnsense after making an exception.

[chemlud]

Could that be something like this here

https://github.com/opnsense/core/issues/4042

??

[chemlud]

Problem persists with 21.7.2_1 ...

OMG!

Increasing (!)

security.tls.version.min

in palemoon from 3 to 4 and the error is gone. This makes no sense at all...

[franco]

It doesn't look related. It depends on the web GUI SSL settings I suppose and whether or not TLSv1.3 is used/properly supported by palemoon.


Cheers,
Franco

[chemlud]

Hi franco!

Ceterum paribus. Only difference is: openVPN tunnel from pfsense (latest) to OPNsense (latest).

Palemoon same on both ends (latest), but from LAN (of OPNsense) I can reach the GUI (chacha20poly1305 shown correctly in both palemoons), but not via openVPN (security.tls.version.min 3 on both palemoons).

Changing

security.tls.version.min

to 4 on pfsense side and I can access the GUI.

Definitely looks like something strange on palemoon side now for me.

[chemlud]

Found this

Code: [Select]

27.8.1 (2018-03-06)
This is a small update to address some breaking issues.

Changes/fixes:

 ...
    Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.
and

Code: [Select]

v28.4.0 (2019-02-19)
This is a major development, stability and security release.

Changes/fixes:
...
    Exposed TLS 1.3 cipher suite prefs in about:config in case people want to disable them individually.
I can access the GUI with the "4" for TLS-min, but the browser collapses after a few seconds.

There is a problem with TLS 1.3 over openVPN? Something MTU-related, maybe?

[chemlud]

Changed back tls_min to  3, now I can access the GUI via openVPN and the browser is stable.

This makes no sense whatsoever at alllllll.....

[franco]

It's not a VPN issue I'm pretty sure since you are seeing particularly TLS related issues in the working encrypted end to end connection in the tunnel.


Cheers,
Franco