Tunnelblick TLS错误:服务器没有与客户端相同的TLS加密套件。

Question

我正在尝试设置一个openVPN服务器并使用Tunnelblick连接到它。我的OpenVPN版本是2.4.3。我用的是EastRSA-3.0.1。我的证书使用椭圆曲线secp521v1。

openvpn日志

清华7月6日14:56:25 2017年999.222.18.250:37144 TLS错误:服务器没有与客户端相同的TLS密件。你的.tls密码设置可能太严格了。清华7月6日:56:25 2017年999.222.18.250:37144 OpenSSL:错误:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no共享密码清华7月6日:56:25 2017年999.222.18.250:37144 TLS_ERROR: BIO读取tls_read_plaintext错误清华7月14日:25 2017年999.222.18.250:37144 TLS对象->传入明文错误清华7月6日14:56:25 999.222.18.250:37144 TLS错误: TLS握手

这是我的server.conf

dev tun 
proto udp
port 1194 
user nobody
group nogroup
ca ca.crt 
cert server.crt # SWAP WITH YOUR CRT NAME
key server.key # SWAP WITH YOUR KEY NAME
dh none
server 192.168.8.0 255.255.255.0 

ifconfig-pool-persist ipp.txt 

# ncp-disable
cipher AES-256-CBC
auth SHA512

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

tls-version-min 1.2
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4"
compress lz4-v2 
push "compress lz4-v2"
keepalive 10 120
persist-key 
persist-tun 
tls-server
tls-auth /usr/local/share/ca-certificates/ta.key 0
key-direction 0
status /var/log/openvpn2-status.log
log /var/log/openvpn2.log 
verb 3
daemon

client.ovpn

client
proto udp
dev tun
remote vpn.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
tls-version-min 1.2
tls-client
ping 15
ping-restart 120
route 10.0.0.0 255.0.0.0
route-nopull
key-direction 1
daemon
user nobody
group nogroup
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>

Answer 1

解决方案是，我使用了错误的tls-密码椭圆曲线证书。正确的tls-密码是

tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384