#502 closed Bug / Defect (fixed)
SSL3_GET_RECORD:bad decompression
| Reported by: | Anton B | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.3.7 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.2.2 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
I'm facing a problem with a Netgear R7000 router. There are multiple reports about the same problem under different OS. For example, here:
http://forum1.netgear.com/showthread.php?t=90147
Netgear is running outdated software:
OpenSSL 1.0.0g 18 Jan 2012
Zlib-1.2.7
The client side software:
openssl-1.0.1k
openvpn-2.3.6
zlib-1.2.8 (compression library)
I have opened a bug report at netgear and they might fix it.
However, it seems the root of the problem can be fixed in OpenVPN.
Here is the log file on the client site:
Tue Jan 13 09:39:56 2015 us=336194 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@…
Tue Jan 13 09:39:56 2015 us=336439 VERIFY OK: depth=0, C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@…
Tue Jan 13 09:39:56 2015 us=416665 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
Tue Jan 13 09:39:56 2015 us=416728 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 13 09:39:56 2015 us=416748 TLS Error: TLS handshake failed
Tue Jan 13 09:39:56 2015 us=416962 TCP/UDP: Closing socket
Tue Jan 13 09:39:56 2015 us=417004 SIGUSR1[soft,tls-error] received, process restarting
The best explanation is probably given by nginx guys:
http://forum.nginx.org/read.php?2,226705,226754#msg-226754
It is a compatibility issue of different versions.
There are also patches for different software. For example:
https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b.diff
https://svn.apache.org/repos/asf/tomcat/native/trunk/native/src/ssl.c
I've patched OpenVPN similarly and the problem has gone.
The patch is attached to this bug report.
Attachments (1)
Change History (8)
comment:1 Changed 9 years ago by
| Owner: | set to Steffan Karger |
|---|---|
| Status: | new → assigned |
Something for you to ponder...
comment:2 Changed 9 years ago by
Actually, we might even want to disable SSL compression altogether. The TLS channel is a low bandwidth channel anyway, and SSL compression has caused a number of security issues for HTTPS (note: but not for openvpn, since it is much harder to get user controlled data into the openvpn control channel).
Either way, thanks for the clear report and patch. I will come back to this.
comment:3 Changed 9 years ago by
(Your Trac UI is not clear to me -- hopefully commenting will put me on the CC list.)
comment:4 Changed 9 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Patches have been applied to the master and release/2.3 branches. The next release will disable SSL compression unconditionally.
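As an added example (not part of this ticket, and not OpenVPN's own code), the following Python script covers the two defender-side points of this report in one place: it parses OpenVPN client log lines like the ones in the description for the OpenSSL error string and maps the `bad decompression` reason to the diagnosis reached here (a TLS compression mismatch between peers, mitigated by disabling TLS compression), and it shows the same mitigation applied to a Python `ssl.SSLContext` through `OP_NO_COMPRESSION`, next to a context with that option cleared for comparison. The sample log is constructed after the ticket's log; the `KNOWN_REASONS` table and all function names are assumptions of this example.

```python
import re
import ssl

# Constructed sample, modelled on the client log quoted in the ticket
# (not a live capture).
SAMPLE_LOG = """\
Tue Jan 13 09:39:56 2015 us=336439 VERIFY OK: depth=0, C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear
Tue Jan 13 09:39:56 2015 us=416665 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
Tue Jan 13 09:39:56 2015 us=416728 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 13 09:39:56 2015 us=416748 TLS Error: TLS handshake failed
Tue Jan 13 09:39:56 2015 us=417004 SIGUSR1[soft,tls-error] received, process restarting
"""

# OpenSSL 1.0.x error strings have the shape
#   error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# Reason strings this triage knows about (hypothetical table; its single
# entry encodes the diagnosis from this ticket).
KNOWN_REASONS = {
    "bad decompression": (
        "TLS-level compression mismatch between peers (they disagree on zlib TLS compression)",
        "disable TLS compression on both ends; OpenVPN 2.3.7+ does so unconditionally",
    ),
}


def parse_openssl_errors(log_text):
    """Return one finding per OpenSSL error string found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = OPENSSL_ERR_RE.search(line)
        if not m:
            continue
        finding = m.groupdict()
        cause, mitigation = KNOWN_REASONS.get(
            finding["reason"], ("unknown", "compare TLS settings on both peers")
        )
        finding["cause"] = cause
        finding["mitigation"] = mitigation
        findings.append(finding)
    return findings


def handshake_failed(log_text):
    """True if OpenVPN reported the TLS handshake as failed."""
    return any("TLS handshake failed" in line for line in log_text.splitlines())


def context_disables_compression(ctx):
    """True if the context has SSL_OP_NO_COMPRESSION set."""
    return bool(int(ctx.options) & int(ssl.OP_NO_COMPRESSION))


def hardened_client_context():
    """Client context that explicitly refuses TLS compression.

    Recent CPython already sets OP_NO_COMPRESSION on new contexts; the
    explicit OR spells the mitigation out so it also holds on older builds.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_allowed_context():
    """The weak configuration, for comparison: the option cleared again."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


if __name__ == "__main__":
    for f in parse_openssl_errors(SAMPLE_LOG):
        print(f"{f['code']} {f['func']}: {f['reason']} -> {f['cause']}; fix: {f['mitigation']}")
    print("handshake failed:", handshake_failed(SAMPLE_LOG))
    print("hardened context refuses compression:",
          context_disables_compression(hardened_client_context()))
    print("weak context refuses compression:",
          context_disables_compression(compression_allowed_context()))
```

Run it on a saved OpenVPN client log instead of `SAMPLE_LOG` to get the same one-line diagnosis per OpenSSL error; the context helpers are there to show what "disable SSL compression" looks like as an option bit on the library side, which is the shape of the fix that went into 2.3.7.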
comment:5 Changed 9 years ago by
| Milestone: | → release 2.3.7 |
|---|---|
comment:6 Changed 9 years ago by
Can you please link to the commits? Or will 2.3.7 be released quite soon?
comment:7 Changed 9 years ago by
commit 5d5233778868ddd568140c394adfcfc8e3453245 (master)
commit 5b46cf43432e69bb55747830494f613115a2af0c (release/2.3)
Author: Steffan Karger
Date: Sun Feb 15 15:24:26 2015 +0100
Disable SSL compression
I'd expect 2.3.7 in the next 2-3 weeks or so, depends a bit on how long it takes to go through the other open bugs and fix what should be in there.