TLS negotiation times out with ProtonVPN

[keeshux]

Started with BoringSSL in TunnelKit.

[keeshux]

From a client perspective, behavior is equal to e.g. when server expects a client certificate and client doesn't specify one. In that case, server stops responding from the very same point, i.e. when TLS handshake starts (right after HARD_RESET).

This is what happens on the server in that scenario:

2021-11-22 09:31:27 us=7187 90.166.54.153:23086 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
2021-11-22 09:31:27 us=7328 90.166.54.153:23086 TLS_ERROR: BIO read tls_read_plaintext error
2021-11-22 09:31:27 us=7466 90.166.54.153:23086 TLS Error: TLS object -> incoming plaintext read error
2021-11-22 09:31:27 us=7581 90.166.54.153:23086 TLS Error: TLS handshake failed
2021-11-22 09:31:27 us=7781 90.166.54.153:23086 SIGUSR1[soft,tls-error] received, client-instance restarting

Worth noting that NordVPN, like ProtonVPN, also has a tls-auth option w/o client certificates. Nevertheless, NordVPN doesn't have this issue. Tested a similar configuration successfully on personal server too.

All in all, this used to work with an OpenSSL client. TLS may fail for plenty of reasons unknown without looking at the server logs.