OpenVPN TLS error: Unsupported protocol - Yealink IP Phone
-
Hi, my office is using pretty old Yealink T28 phones, but I'm not in the habit of replacing business phones every few years. I have an off-site employee that we gave a T28P phone to that has been connecting through OpenVPN for a couple of years now with no problem. The pfSense version was 2.6 with the last Yealink firmware, which dates back to May 2015.
My issue came out when I updated pfSense to v2.7. Now I get the following error in the phone log:
Jul 17 22:16:33 openvpn[439]: TLS Error: TLS handshake failed
Jul 17 22:16:33 openvpn[439]: SIGUSR1[soft,tls-error] received, process restarting
Jul 17 22:16:35 openvpn[439]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 17 22:16:35 openvpn[439]: Re-using SSL/TLS context
Jul 17 22:16:35 openvpn[439]: UDPv4 link local (bound): [undef]:1194
Jul 17 22:16:35 openvpn[439]: UDPv4 link remote: 76.XXX.XXX.XX:1197
and get this in my firewall log:
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS_ERROR: BIO read tls_read_plaintext error
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed
My guess is that the phone is using an old version of OpenVPN, because the same configuration worked before. Here's a copy of my vpn.cnf:
remote XXX.XXXXX.com 1197 udp
dev tun
persist-tun
persist-key
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client1.crt
key /yealink/config/openvpn/keys/client1.key
remote-cert-tls server
explicit-exit-notify
auth-nocache
I've also tried a number of different ciphers that didn't work (BF-CBC, CF-CFB, AES-256-CBC, AES-128-GCM).
Any suggestions would be greatly appreciated!
-
I am in the same situation as you. Did you manage to solve the problem? How?
-
@virusbcn unfortunately, there is no fix since Yealink doesn't support the phone anymore. Didn't find a way to make pfSense's ovpn backward compatible with previous versions. I had an old Linksys router and put DD-WRT on it and made that the VPN client in front of the phone. It's not the best setup, and for some reason even while the client is connected and I can reach the phone by internal IPs, sometimes the phone won't register unless I put the phone on the DMZ.
-
If I understand the log correctly you can try "tls-version-min 1.0;" in the Custom options.
https://community.openvpn.net/openvpn/ticket/1211
There are reasons why TLS 1.0 was disabled by default.
-
@slu said in OpenVPN TLS error: Unsupported protocol - Yealink IP Phone:
https://community.openvpn.net/openvpn/ticket/1211
Pretty sure I tried this and it didn't work. The way you have to upload the config to the phone just seemed to ignore that.
-
@sae
Not on the phone, on the OpenVPN server / pfSense.
-
Even if you get past that encryption error, it will reject the certificates, since Yealink's firmware only supports SHA1 certificates, and SHA1 certificates are not valid on OpenSSL 3.x.
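Added example (not from the thread or from pfSense/OpenVPN): a small triage script that parses the server-side log lines and the phone's vpn.cnf as posted above and reports why the handshake fails. The sample log and config are constructed from the thread; the finding names are my own.

```python
import re

# Constructed sample input, modelled on the pfSense log lines and the vpn.cnf in
# the thread (addresses redacted the same way the poster did).
SERVER_LOG = """\
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed
"""
CLIENT_CONF = """\
remote XXX.XXXXX.com 1197 udp
dev tun
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
tls-client
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn (?P<pid>\d+) (?P<peer>\S+) (?P<msg>.*)$")
OPENSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>\w+):(?P<reason>.*)")

def parse_server_log(text):
    """Split pfSense OpenVPN server log lines into timestamp, pid, peer and message."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]

def parse_client_conf(text):
    """Map each OpenVPN directive to its argument list; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            conf[key] = args
    return conf

def triage(server_log, client_conf):
    """Return (finding, detail) pairs describing why the TLS handshake fails."""
    findings = []
    for ev in parse_server_log(server_log):
        m = OPENSSL_RE.search(ev["msg"])
        if m and m["reason"] == "unsupported protocol":
            # Rejected while the server processes the ClientHello: the client offered
            # no TLS version the server accepts, so certificates were never examined.
            findings.append(("tls-version-mismatch", f"{ev['peer']} rejected in {m['func']}"))
    conf = parse_client_conf(client_conf)
    if "tls-version-min" not in conf:
        findings.append(("no-tls-version-min", "client pins no TLS floor; pre-2.3.3 clients speak TLS 1.0 only"))
    if conf.get("cipher", [""])[0].endswith("-CBC"):
        findings.append(("legacy-cipher", f"data channel uses {conf['cipher'][0]}"))
    # 'auth' selects the packet HMAC digest, not the certificate signature algorithm,
    # so SHA1 here is separate from the certificate rejection discussed in the thread.
    if conf.get("auth") == ["SHA1"]:
        findings.append(("sha1-hmac", "auth SHA1 is the data-channel HMAC, not the cert signature"))
    return findings
```

Running `triage(SERVER_LOG, CLIENT_CONF)` on the constructed sample reports the version mismatch first, which is why changing ciphers on the phone never helped.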