debauchee / barrier

Open-source KVM software

OpenSSL Version 1.0.2l on windows release #1556

Open ccoenen opened 2 years ago

ccoenen commented 2 years ago

What happened?

On the Wayland-Support ticket (#109) I reported this issue earlier, but it's a separate issue that only clutters that thread. Currently, my barrier on windows is in version 2.4.0 (current version at time of writing) and it seems to ship with OpenSSL 1.0.2l from 2017.

openssl 1.0.2l

On my system, there would be a more recent openssl available; this is the one on the system's PATH: openssl 1.1.1j

But from within barrier, the shipped 1.0.2l seems to be used:

[2022-02-08T10:25:23] INFO: connecting to service...
[2022-02-08T10:25:23] INFO: SSL fingerprint generated.
[2022-02-08T10:25:23] INFO: connection established
server status: not active

[2022-02-08T10:27:25] INFO: starting server
[2022-02-08T10:27:25] INFO: config file: C:/Users/user/AppData/Local/Temp/Barrier.PubDUE
[2022-02-08T10:27:25] INFO: log level: INFO
[2022-02-08T10:27:25] INFO: service command updated
[2022-02-08T10:27:26] INFO: starting new process as privileged user
[2022-02-08T10:27:26] INFO: drag and drop enabled
started server (IPv4/IPv6), waiting for clients
server status: active
[2022-02-08T10:27:35] INFO: OpenSSL 1.0.2l  25 May 2017                          <----------------
[2022-02-08T10:27:36] ERROR: ssl error occurred (system call failure)
[2022-02-08T10:27:36] ERROR: eof violates ssl protocol
[2022-02-08T10:27:36] ERROR: failed to accept secure socket
[2022-02-08T10:27:36] INFO: client connection may not be secure
[2022-02-08T10:27:37] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T10:27:47] ERROR: ssl error occurred (system call failure)
[2022-02-08T10:27:47] ERROR: eof violates ssl protocol
[2022-02-08T10:27:47] ERROR: failed to accept secure socket
[2022-02-08T10:27:47] INFO: client connection may not be secure
[2022-02-08T10:27:48] INFO: OpenSSL 1.0.2l  25 May 2017

This leads to connection problems with waynergy compiled with a more recent openssl version (and therefore no matching ciphers, apparently). The connection attempts can be seen above.

(originally from https://github.com/debauchee/barrier/issues/109#issuecomment-1016539840, and I already tried the suggestions by @joshskidmore https://github.com/debauchee/barrier/issues/109#issuecomment-1016526113 and @brmnjsh https://github.com/debauchee/barrier/issues/109#issuecomment-1030988825 )

Version

v2.4.0

Git commit hash (if applicable)

3e0d758b

If applicable, where did you install Barrier from?

BarrierSetup-2.4.0-release.exe from this project's release page.

What OSes are you seeing the problem on? (Check all that apply)

Windows

What OS versions are you using?

Windows 10, Version 21H1 (Build 19043.1466)

Relevant log output

(see above)

Any other information

I am trying to connect a waynergy client (linux) to the barrier server (windows)

joshskidmore commented 2 years ago

@ccoenen - I apologize for the delay in replying.

I unfortunately don't have a Windows machine to test, but I would still assume your issue is either around the SSL certificate and/or options being passed to the Barrier server or Waynergy client. I may be wrong, but I don't think this is related to your Windows OpenSSL versions. Though my Barrier server is in Linux, I thought I would share my options and configurations to see if there is something strikingly obvious.

(Linux) Barrier server:

/usr/bin/barriers \
  --config ~/.barrier.conf \
  --no-daemon \
  --enable-crypto \
  --disable-client-cert-checking \
  --debug  INFO

Waynergy client (also Linux)

/usr/bin/waynergy \
  --loglevel 1 \
  --host [IPV4_OF_ABOVE_BARRIER_SERVER] \
  --name [NAME_OF_THIS_CLIENT_MACHINE_USED_IN_BARRIERS_CONFIG] \
  --enable-crypto \
  --enable-tofu \
  --fatal-none

Whenever the Waynergy client attempts to connect to the Barrier server, occasionally it does throw an SSL connection/protocol error, but ends up connecting on the next retry.

ccoenen commented 2 years ago

My Barrier appears to be started with this command, according to the logfile (configured from the gui, yes the "SSL" checkbox is checked.)

"C:/Program Files/Barrier/barriers.exe" \
  -f \            (=== --no-daemon)
  --no-tray \
  --debug DEBUG1 \
  --name name-redacted \
  --ipc \
  --stop-on-desk-switch \
  --enable-drag-drop \
  --profile-dir "C:\Users\redacted\AppData\Local\Barrier" \
  --disable-client-cert-checking \
  -c "C:/Users/redacted/AppData/Local/Temp/Barrier.gUvJOo" \   (=== --config)
  --address :24800

The previous parameters are not working.

I now tried manually starting barrier server with parameters more closely resembling yours:

"C:/Program Files/Barrier/barriers.exe" \
  --config "C:/Users/redacted/AppData/Local/Temp/Barrier.gUvJOo" \
  --no-daemon \
  --enable-crypto \
  --disable-client-cert-checking \
  --debug DEBUG1 \
  --name name-redacted \
  --profile-dir "C:\Users\redacted\AppData\Local\Barrier" \
  --address :24800

This still does not work. On my waynergy/linux/client I get the same error as before, and the client is a little more forthcoming with info:

[2022-02-08T19:08:06] DEBUG: Opening new socket: F18C3100
[2022-02-08T19:08:06] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T19:08:06] DEBUG1: openSSL : compiler: cl  /MD /Ox -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_STATIC_ENGINE
[2022-02-08T19:08:06] DEBUG1: openSSL : built on: reproducible build, date unspecified
[2022-02-08T19:08:06] DEBUG1: openSSL : VC-WIN64A
[2022-02-08T19:08:06] DEBUG1: OPENSSLDIR: "C:\OpenSSL/ssl"
[2022-02-08T19:08:06] ERROR: ssl error occurred (generic failure)
[2022-02-08T19:08:06] ERROR: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2022-02-08T19:08:06] ERROR: failed to accept secure socket
[2022-02-08T19:08:06] INFO: client connection may not be secure

It should be noted that --enable-crypto is the default now, and it's deprecated to explicitly specify.

I can also offer a Wireshark packet capture. My client is trying to do a TLSv1.2 handshake and offers these suites as part of the Client Hello: [screenshot]

The direct response to that is the server sending back the handshake-failure: [screenshot]

So, I tried to find which cipher suites the server would have accepted, using this script found on Stack Overflow:

$ ./test_server.sh 192.168.--.--:24800
Obtaining cipher list from LibreSSL 3.3.3.
Testing AEAD-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AEAD-CHACHA20-POLY1305-SHA256...NO (sslv3 alert handshake failure)
Testing AEAD-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing GOST2012256-GOST89-GOST89...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing GOST2001-GOST89-GOST89...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...YES
Testing AES256-SHA256...YES
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing CAMELLIA256-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...YES
Testing AES128-SHA256...YES
Testing AES128-SHA...YES
Testing CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...YES
Testing ECDHE-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing ECDHE-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing GOST2012256-NULL-STREEBOG256...NO (sslv3 alert handshake failure)
Testing GOST2001-NULL-GOST94...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)

So the overlap would be:

Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)

But somehow the server does not want to use them.

ccoenen commented 2 years ago

Interestingly, barriers.exe logs this for any successful connection attempt by the TLS test script:

[2022-02-08T20:11:42] DEBUG: Opening new socket: 0F68B380
[2022-02-08T20:11:42] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T20:11:42] DEBUG1: openSSL : compiler: cl  /MD /Ox -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_STATIC_ENGINE    
[2022-02-08T20:11:42] DEBUG1: openSSL : built on: reproducible build, date unspecified
[2022-02-08T20:11:42] DEBUG1: openSSL : VC-WIN64A
[2022-02-08T20:11:42] DEBUG1: OPENSSLDIR: "C:\OpenSSL/ssl"
[2022-02-08T20:11:42] INFO: accepted secure socket
[2022-02-08T20:11:42] DEBUG1: available local ciphers:
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
[2022-02-08T20:11:42] DEBUG1: AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
[2022-02-08T20:11:42] DEBUG1: PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: SRP-3DES-EDE-CBC-SHA    SSLv3 Kx=SRP      Au=SRP  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: available remote ciphers:
[2022-02-08T20:11:42] DEBUG1: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD

[2022-02-08T20:11:42] NOTE: accepted client connection
[2022-02-08T20:11:42] DEBUG: ssl connection closed
[2022-02-08T20:11:42] DEBUG1: registered event type IStreamEvents::inputReady as 41
[2022-02-08T20:11:42] DEBUG1: registered event type IStreamEvents::outputError as 42
[2022-02-08T20:11:42] DEBUG1: registered event type IStreamEvents::inputFormatError as 43
[2022-02-08T20:11:42] DEBUG1: registered event type IStreamEvents::outputShutdown as 44
[2022-02-08T20:11:42] DEBUG1: saying hello
[2022-02-08T20:11:42] DEBUG1: registered event type ClientProxyUnknownEvents::success as 45
[2022-02-08T20:11:42] DEBUG1: registered event type ClientProxyUnknownEvents::failure as 46
[2022-02-08T20:11:42] NOTE: new client disconnected
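An added example (not part of the original comments, and not Barrier's or Waynergy's code): joining the probe results quoted above with the server's own `available local ciphers` lines shows which key-exchange types the server actually accepted. The function names are illustrative, and both inputs are excerpts of the logs on this page.

```python
import re
from collections import defaultdict

# Excerpt of the test_server.sh output quoted in the thread.
PROBE_OUTPUT = """\
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...YES
Testing AES256-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...YES
Testing ECDHE-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing RC4-MD5...YES
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
"""

# Excerpt of the "available local ciphers" lines from the barriers.exe log.
SERVER_LOG = """\
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
[2022-02-08T20:11:42] DEBUG1: ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
[2022-02-08T20:11:42] DEBUG1: EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
[2022-02-08T20:11:42] DEBUG1: DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

PROBE_RE = re.compile(r"^Testing (\S+?)\.\.\.(YES|NO)", re.MULTILINE)
CIPHER_RE = re.compile(
    r"DEBUG1: (\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

# Kx values this log prints for ephemeral (ECDHE-*/DHE-*/EDH-*) suites.
EPHEMERAL_KX = {"ECDH", "DH"}


def parse_probe(text):
    """Map suite name -> True if the probe handshake succeeded."""
    return {name: verdict == "YES" for name, verdict in PROBE_RE.findall(text)}


def parse_server_ciphers(log):
    """Map suite name -> attributes from the server's cipher description lines."""
    fields = ("proto", "kx", "au", "enc", "mac")
    return {m[0]: dict(zip(fields, m[1:])) for m in CIPHER_RE.findall(log)}


def audit(probe, ciphers):
    """Group probed suites by the key exchange the server itself reports."""
    accepted, refused = defaultdict(list), defaultdict(list)
    unlisted, weak = [], []
    for name, ok in probe.items():
        info = ciphers.get(name)
        if info is None:
            # Probed by the client tool but absent from the server's local list.
            unlisted.append(name)
            continue
        (accepted if ok else refused)[info["kx"]].append(name)
        if ok and (info["enc"].startswith(("RC4", "3DES")) or info["mac"] == "MD5"):
            weak.append(name)
    return {"accepted_kx": dict(accepted), "refused_kx": dict(refused),
            "unlisted": unlisted, "weak_accepted": weak}


def offers_forward_secrecy(report):
    """True if at least one accepted suite uses an ephemeral key exchange."""
    return any(kx in EPHEMERAL_KX for kx in report["accepted_kx"])


if __name__ == "__main__":
    report = audit(parse_probe(PROBE_OUTPUT), parse_server_ciphers(SERVER_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("forward secrecy available:", offers_forward_secrecy(report))
```

In this excerpt every accepted suite has `Kx=RSA`, and every suite the server lists with `Kx=ECDH` or `Kx=DH` was refused, so a client offering only ephemeral suites would share no cipher with this server.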

ccoenen commented 2 years ago

I did also generate a new key/cert with the command from the wiki (slightly modified for longer validity):

openssl req -x509 -nodes -days 3650 -subj /CN=Barrier -newkey rsa:4096 -keyout C:\Users\user\AppData\Local\Barrier\SSL\Barrier.pem -out C:\Users\user\AppData\Local\Barrier\SSL\Barrier.pem

Which also did not help.

joshskidmore commented 2 years ago

I just tested a few things.

In full transparency, I recently switched the laptop that was using Waynergy/Sway back to Barrier/xmonad, so I'm not using this actively.

My first thought was to see if there had been Waynergy updates since I last used it, and there were. I updated to the latest release (0.0.9), ran Sway, then ran the same Waynergy command that I mentioned before. It connected without any issues other than wl-clipboard (which I had disabled after moving back to xmonad).

Now that I'm home, my second thought was to try to run a Barrier server on my Windows 10 desktop, then have this same Waynergy/Sway client attempt to connect to it. I set up Barrier as a server, enabled SSL, disabled "Require client certificate" (which I think is off by default), added a single screen for the Waynergy/Sway client, then started the daemon. On the Waynergy/Sway client, I used identical settings, except I switched the host to the IP of the Windows instance. Outside wl-clipboard issues, this worked as well. The version of Barrier I'm using on Windows is 2.4.0-release-3e0d758b / Build Date: Monday, November 1.

Of note, the version of OpenSSL that Windows Barrier is reporting is also OpenSSL 1.0.2l and it's connecting using the AES256-GCM-SHA384 cipher (one that you mentioned overlapped).

Log from the Windows Barrier server

Note: The Waynergy/Sway desktop name is lilbaby and the Windows 10 Barrier server hostname is DESKTOP-0FB7731/100.119.84.38.

[2022-02-08T17:06:47] DEBUG: started process, session=1, elevated: yes, command="C:/Program Files/Barrier/barriers.exe" -f --no-tray --debug DEBUG --name DESKTOP-0FB7731 --ipc --enable-drag-drop --profile-dir "C:\Users\Josh Skidmore\AppData\Local\Barrier" --disable-client-cert-checking -c "C:/Users/Josh Skidmore/AppData/Local/Temp/Barrier.fWXqvG" --address :24800
[2022-02-08T17:07:05] DEBUG: Opening new socket: B5788260
[2022-02-08T17:07:05] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T17:07:05] INFO: accepted secure socket
[2022-02-08T17:07:05] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T17:07:05] NOTE: accepted client connection
[2022-02-08T17:07:05] ERROR: invalid message from client "lilbaby": CCLP
[2022-02-08T17:07:05] DEBUG: Closing socket: B5788260
[2022-02-08T17:07:05] NOTE: new client disconnected
[2022-02-08T17:07:06] DEBUG: Opening new socket: B579F340
[2022-02-08T17:07:06] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T17:07:06] INFO: accepted secure socket
[2022-02-08T17:07:06] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T17:07:06] NOTE: accepted client connection
[2022-02-08T17:07:06] DEBUG: ssl connection closed
[2022-02-08T17:07:06] NOTE: new client disconnected
[2022-02-08T17:07:06] DEBUG: Closing socket: B579F340
[2022-02-08T17:07:06] DEBUG: Opening new socket: B579F5E0
[2022-02-08T17:07:06] INFO: OpenSSL 1.0.2l  25 May 2017
[2022-02-08T17:07:06] INFO: accepted secure socket
[2022-02-08T17:07:06] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2022-02-08T17:07:06] NOTE: accepted client connection
[2022-02-08T17:07:06] DEBUG: received client "lilbaby" info shape=0,0 1827x1142 at 0,0
[2022-02-08T17:07:06] DEBUG: active sides: 2
[2022-02-08T17:07:06] NOTE: client "lilbaby" has connected

Log from the Waynergy/Sway client

Note: It was on debug verbosity, so I redacted a couple unnecessary log lines.

/usr/bin/waynergy --loglevel debug --host 100.119.84.38 --name lilbaby --enable-crypto --enable-tofu --fatal-none
...
0.025263090: [DEBUG] Got idle manager
0.025554944: [DEBUG] Mutating output...
0.025573111: [DEBUG] Got output at position 0,0
0.025580995: [DEBUG] Got current mode: 2560x1600@60002
0.025587744: [INFO] Not using preferred mode on output -- check config
...
0.031185610: [INFO] Going to connect to 100.119.84.38 at port 24800
0.358550403: [DEBUG] Section tls not found in INI
0.528657234: [INFO] Trust-on-first-use enabled, saving hash SHA256:11dc2183fafee253ac5f31173a28ea76b5d3307cdd611bf20a6df5c535fdcd91
0.528817105: [INFO] Server is Barrier 1.6
0.528848088: [INFO] Connected as client "lilbaby"
0.528857511: [DEBUG] Accepting
0.528873611: [DEBUG] Accepting
0.528887784: [DEBUG] Clipboard data read for c: 63 bytes
0.528920804: [DEBUG] Clipboard data read for p: 63 bytes

joshskidmore commented 2 years ago

@ccoenen Were you able to get your setup working?

ccoenen commented 2 years ago

No, sadly nothing really changed for me. As soon as I turn on encryption the two just won't connect with the error above.

nonsleepr commented 5 months ago

Reading your comments led me to switch from Barrier to Input Leap, which solved the issue for me. While the Input Leap project doesn't build their packages, the binary from GitHub Actions artifacts works.