. | 11 Sep 09:22 2012

TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:lib(20):func(143):reason(281)

I started getting TLS_ERROR: BIO read tls_read_plaintext error:
error:1408F119:lib(20):func(143):reason(281) with OpenVPN 2.2.1. I
tried new certificates and DH but nothing helps. What exactly does
this error message mean?

options
client option
V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher
AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
client expect
V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher
AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server
server option
V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher
AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-server
server expect
V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher
AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client

server log:
20120911 07:06:15 192.168.3.150:54801 VERIFY OK: depth=1
20120911 07:06:15 192.168.3.150:54801 VERIFY OK: depth=0

20120911 07:06:17 N 192.168.3.150:54801 TLS_ERROR: BIO read
tls_read_plaintext error: error:1408F119:lib(20):func(143):reason(281)
20120911 07:06:17 N 192.168.3.150:54801 TLS Error: TLS object ->
incoming plaintext read error
20120911 07:06:17 N 192.168.3.150:54801 TLS Error: TLS handshake failed
20120911 07:06:17 192.168.3.150:54801 SIGUSR1[soft tls-error] received
client-instance restarting

client log:
Tue Sep 11 03:06:13 2012 us=229000 VERIFY OK
Tue Sep 11 03:06:13 2012 us=229000 VERIFY OK
Tue Sep 11 03:07:13 2012 us=836000 TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Tue Sep 11 03:07:13 2012 us=836000 TLS Error: TLS handshake failed

~# openvpn --version
OpenVPN 2.2.1 mipsel-linux [SSL] [LZO2] [EPOLL] built on Jul 20 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales <at> openvpn.net>

  $ ./configure --host=mipsel-linux --exec-prefix=/usr --prefix=/
--disable-avahi --disable-cups --disable-pie --disable-relro
--disable-static --disable-swat --disable-shared-libs
--with-codepagedir=/etc/samba --with-configdir=/etc/samba
--with-included-iniparser --with-included-popt
--with-lockdir=/var/lock --with-logfilebase=/var/log
--with-nmbdsocketdir=/var/nmbd --with-piddir=/var/run
--with-privatedir=/etc/samba --with-sendfile-support
--without-cluster-support --without-ads --without-krb5 --without-ldap
--without-pam --without-winbind --without-libtdb --without-libtalloc
--without-libnetapi --without-libsmbclient --without-libsmbsharemodes
--without-libaddns
--with-shared-modules=pdb_tdbsam,pdb_wbc_sam,idmap_nss,nss_info_template,auth_winbind,auth_wbc,auth_domain
--host=mipsel-linux CPPFLAGS=-I../lzo/include
-I/home/seg/DEV/rt2880/src/router/openssl/include -L../lzo -Lopenssl
-L../lzo/src/.libs --enable-pthread --disable-plugins --enable-debug
--enable-password-save --enable-management --enable-lzo
--enable-server --enable-multihome
--with-ssl-headers=/home/seg/DEV/rt2880/src/router/openssl/include
--with-ssl-lib=openssl --with-ssl-type=openssl CFLAGS=-Os -pipe
-mips32r2 -mtune=mips32r2 -fno-caller-saves -DNEED_PRINTF
-ffunction-sections -fdata-sectio
Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG
ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME
ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LZO
USE_SSL

OS: DD-WRT v24-sp2 (07/20/12) std - build 19519

Thanks.
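
Added example, not part of the original post: the hex value in the error string packs the library, function and reason numbers, and this sketch unpacks it assuming the 8/12/12-bit layout of OpenSSL 1.0.x/1.1.x, cross-checks the printed lib()/func()/reason() fields, and names the values seen here with their OpenSSL header constants. The function names and the small lookup tables are this example's own.

```python
import re

# Packed error-code layout of OpenSSL 1.0.x/1.1.x:
# bits 31-24 = library, bits 23-12 = function, bits 11-0 = reason.
# Only the values that occur in this post are named (OpenSSL header constants).
LIB_NAMES = {20: "ERR_LIB_SSL"}
FUNC_NAMES = {(20, 143): "SSL_F_SSL3_GET_RECORD"}
REASON_NAMES = {(20, 281): "SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC"}

# Matches the numeric form printed when error strings are not resolved.
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")

# Server log line from the post above (wrapped as in the e-mail).
SAMPLE = """20120911 07:06:17 N 192.168.3.150:54801 TLS_ERROR: BIO read
tls_read_plaintext error: error:1408F119:lib(20):func(143):reason(281)"""


def unpack(code):
    """Split a packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_log(text):
    """Decode every OpenSSL error in text; flag codes that disagree with
    the lib()/func()/reason() numbers printed next to them."""
    results = []
    for m in ERR_RE.finditer(text):
        lib, func, reason = unpack(int(m.group(1), 16))
        printed = tuple(int(g) for g in m.group(2, 3, 4))
        results.append({
            "code": m.group(1).upper(),
            "lib": LIB_NAMES.get(lib, f"lib({lib})"),
            "func": FUNC_NAMES.get((lib, func), f"func({func})"),
            "reason": REASON_NAMES.get((lib, reason), f"reason({reason})"),
            "consistent": printed == (lib, func, reason),
        })
    return results


if __name__ == "__main__":
    for entry in decode_log(SAMPLE):
        print(entry)
```

For the code in this post the reason field resolves to SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: a TLS record read in ssl3_get_record failed decryption or its MAC check.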
