Cipher block modes other than CBC fail with error "Assertion failed at crypto.c:161"
|Reported by:|ard|Owned by:| |
|Severity:|Not set (if unsure, select this one)|Keywords:|CFB OFB cipher block assertion|
Using a cipher algorithm with any cipher block mode other than CBC results in the error "Assertion failed at crypto.c:161" shortly after the connection is established. The connection is aborted. This happens both with TLS and with shared secret modes. Thus, only CBC mode is functional for OpenVPN currently.
This has been tested on a CentOS 5.7 box running rpmforge's openvpn-2.2.0-3.el5.rf package both as a server and client. This problem has also been seen using that server with a Windows XP client running the official openvpn-2.2.1-install.exe binary. The error message appears both on the server and the client. (In my tests, usually the client is the first to abort with it, and then the server will do the same.)
This is very easy to test with the provided sample keys and configurations. Shared secret operations can be tested with:
openvpn --test-crypto --secret sample-keys/ta.key --cipher $CIPHER
TLS operation can be tested with:
openvpn --config sample-config-files/loopback-client --cipher $CIPHER &
openvpn --config sample-config-files/loopback-server --cipher $CIPHER
Of course, here the CIPHER environment variable should contain the cipher name to be tested, and this should be repeated over all of the ciphers reported by openvpn --show-ciphers.
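The shared-secret check above, looped over every cipher that `openvpn --show-ciphers` lists, as an added example that is not part of the original ticket. The function names, the `live` argument, and the `OPENVPN` and `KEY` variables are hypothetical, and the assumed row format of `--show-ciphers` is shown in the constructed sample.

```shell
# Added example: run the ticket's shared-secret self-test over every cipher.
OPENVPN=${OPENVPN:-openvpn}        # binary under test (overridable assumption)
KEY=${KEY:-sample-keys/ta.key}     # sample key path used in the ticket
# Constructed sample of `--show-ciphers` output, used when not run "live".
SAMPLE='The following ciphers and cipher modes are available

DES-CFB 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-OFB 128 bit default key (variable)'

# Print cipher names from `--show-ciphers` text on stdin. Assumes each cipher
# row reads "<NAME> <N> bit default key (...)"; other lines are skipped.
cipher_names() {
    awk '$3 == "bit" && $4 == "default" { print $1 }'
}
# Classify the block mode from the cipher name suffix.
cipher_mode() {
    case $1 in
        *-CBC) echo CBC ;;
        *-CFB|*-CFB1|*-CFB8) echo CFB ;;
        *-OFB) echo OFB ;;
        *) echo other ;;
    esac
}
# Run --test-crypto for one cipher: PASS, ASSERT (assertion text seen) or FAIL.
test_cipher() {
    if out=$("$OPENVPN" --test-crypto --secret "$KEY" --cipher "$1" 2>&1 </dev/null); then
        echo PASS
    else
        case $out in
            *"Assertion failed"*) echo ASSERT ;;
            *) echo FAIL ;;
        esac
    fi
}
# Read cipher names on stdin, print "<name> <mode> <result>" per cipher.
run_matrix() {
    while read -r name; do
        echo "$name $(cipher_mode "$name") $(test_cipher "$name")"
    done
}

if [ "${1:-}" = live ]; then
    "$OPENVPN" --show-ciphers | cipher_names | run_matrix
else
    printf '%s\n' "$SAMPLE" | cipher_names   # offline: parse the sample only
fi
```

Run with the argument `live` from the OpenVPN source directory to produce the per-cipher table; without it, only the embedded sample is parsed.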