Description: The licensing APIs used to license Access Server instances will cease supporting TLS 1.0 and TLS 1.1 connections as part of a strategy by Amazon and OpenVPN to meet modern security requirements.
You may encounter error messages about "tlsv1 alert protocol version" and "ssl handshake failure".
This relates to our security advisory: Important update for our Amazon AWS customers.
Access Server tiered instances revert to free license
Amazon dropped support for TLS 1.0 and TLS 1.1 connections on June 28th, 2023. So, if you're running an Access Server version older than 2.7.3, your Access Server instance loses its tiered license and reverts to the free license, which allows only two connections.
How to check if you're affected by this issue
This issue affects Access Servers with the following criteria:
- Launched using AWS tiered instances. (Refer to our FAQ on the AWS tiered instances licensing model if needed.)
- Running an older Access Server version, specifically older than 2.7.3.
To check if you're affected by this issue, you need to check your Access Server version and enable a debug flag for AWS to detect the issue. Follow the steps for each below.
Step 1: Check the Access Server Version
You can check your Access Server version from the Admin Web UI or the command-line interface (CLI).
Option 1: Using the Admin Web UI
- Sign into your Admin Web UI.
- The version displays on the Status Overview page and at the top left.
Option 2: Using the CLI
- Connect to your Access Server's console with root privileges.
- Enter this command:
cat /usr/local/openvpn_as/etc/VERSION
- The version displays in the output.
If you're running a version older than 2.7.3, you are affected by this issue. Below is example output showing that the version is 2.6.1, so this Access Server instance is affected:
root@openvpnas2:/home/openvpnas# cat /usr/local/openvpn_as/etc/VERSION
export AS_VERSION=2.6.1
Step 2: Enable AWS debug flag on Access Server
You can enable the debug flag, DEBUG_AWSINFO, on Access Server to detect this issue.
- Connect to your Access Server's console with root privileges.
- Open as.conf with nano text editor:
sudo su
nano /usr/local/openvpn_as/etc/as.conf
- Add this line at the bottom of the file:
DEBUG_AWSINFO=1
- Save and exit with ctrl+X, Y, and enter.
- Restart the Access Server service so the changes take effect:
service openvpnas restart
- After the restart, run this command to filter the log file for the words "AWS INFO":
grep -i "AWS INFO" /var/log/openvpnas.log
- The debug information regarding AWS tiered licensing displays.
- If your Access Server is affected, an error like the one below displays, showing the TLS/SSL handshake failure:
2023-07-11 16:24:45+0000 [MyHTTPPageGetter,client] AWS INFO: error in product code validation, will retry in 30 seconds: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version'), ('SSL routines', 'ssl3_read_bytes', 'ssl handshake failure')]: aws/info:232 (OpenSSL.SSL.Error)
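As an added example (not part of the original article or of the Access Server product), the POSIX shell script below automates both checks described above: it compares the AS_VERSION recorded in the VERSION file against 2.7.3 and searches the log for the AWS INFO product-code validation failure caused by the TLS protocol-version alert. The function names and the constructed demo files are assumptions; the default paths are the ones the article uses, and the demo only reports a result if DEBUG_AWSINFO=1 has produced AWS INFO lines.

```shell
#!/bin/sh
# Added example: detect the AWS tiered-license loss described in this article.

# Returns 0 (true) if the AS_VERSION in a VERSION file is older than 2.7.3.
as_version_older_than_273() {
    version_file="${1:-/usr/local/openvpn_as/etc/VERSION}"
    # The file contains a line such as: export AS_VERSION=2.6.1
    ver=$(sed -n 's/^export AS_VERSION=//p' "$version_file" | head -n 1)
    [ -n "$ver" ] || return 2   # unreadable file or unexpected format
    # Compare major.minor.patch numerically, field by field.
    echo "$ver" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0;
        if (major < 2 || (major == 2 && (minor < 7 || (minor == 7 && patch < 3))))
            exit 0;   # older than 2.7.3: affected
        exit 1;       # 2.7.3 or newer
    }'
}

# Returns 0 if the log holds an AWS INFO validation error whose cause is the
# "tlsv1 alert protocol version" handshake failure from the licensing API.
log_has_aws_tls_error() {
    log_file="${1:-/var/log/openvpnas.log}"
    grep -i 'AWS INFO' "$log_file" | grep -q 'tlsv1 alert protocol version'
}

# Prints a verdict; returns 0 if affected, 1 otherwise.
check_access_server_license() {
    vfile="${1:-/usr/local/openvpn_as/etc/VERSION}"
    lfile="${2:-/var/log/openvpnas.log}"
    if as_version_older_than_273 "$vfile" && log_has_aws_tls_error "$lfile"; then
        echo "AFFECTED: version older than 2.7.3 and AWS licensing handshake fails; upgrade to 2.7.3 or newer"
        return 0
    fi
    echo "Not affected (or no AWS INFO lines logged yet; check DEBUG_AWSINFO=1)"
    return 1
}

# Offline demonstration using constructed files that mirror the article's example output.
demo_dir=$(mktemp -d)
printf 'export AS_VERSION=2.6.1\n' > "$demo_dir/VERSION"
printf '%s\n' "2023-07-11 16:24:45+0000 [MyHTTPPageGetter,client] AWS INFO: error in product code validation, will retry in 30 seconds: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version')]" > "$demo_dir/openvpnas.log"
check_access_server_license "$demo_dir/VERSION" "$demo_dir/openvpnas.log"
rm -rf "$demo_dir"
```

On a live server, call check_access_server_license with no arguments to use the real VERSION and log paths.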
Upgrade Access Server to resolve the issue
If your Access Server is affected, you need to upgrade your Access Server to 2.7.3 or newer.
For more information about this issue, see our security advisory:
AWS Tiered License Issue due to TLS 1.0/1.1 deprecation
For more information about upgrading Access Server, see our YouTube video:
Updating your OpenVPN Access Server to the latest version
If you have additional questions, please submit a ticket.