Opened 13 years ago
Closed 11 years ago
#168 closed Bug / Defect (duplicate)
Cipher block modes other than CBC fail with error "Assertion failed at crypto.c:161"
Reported by: | ard | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Crypto | Version: | OpenVPN 2.2.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | CFB OFB cipher block assertion |
Cc: |
Description
Using a cipher algorithm with any cipher block mode other than CBC results in the error "Assertion failed at crypto.c:161" shortly after the connection is established. The connection is aborted. This happens both with TLS and with shared secret modes. Thus, only CBC mode is functional for OpenVPN currently.
This has been tested on a CentOS 5.7 box running rpmforge's openvpn-2.2.0-3.el5.rf package both as a server and client. This problem has also been seen using that server with a Windows XP client running the official openvpn-2.2.1-install.exe binary. The error message appears both on the server and the client. (In my tests, usually the client is the first to abort with it, and then the server will do the same).
This is very easy to test with the provided sample keys and configurations. Shared secret operations can be tested with:
```
openvpn --test-crypto --secret sample-keys/ta.key --cipher $CIPHER
```
TLS operation can be tested with:
```
openvpn --config sample-config-files/loopback-client --cipher $CIPHER &
openvpn --config sample-config-files/loopback-server --cipher $CIPHER
```
Of course, here the CIPHER environment variable should contain the cipher name to be tested, and this should be repeated over all of the ciphers reported by `openvpn --show-ciphers`.
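The shared-secret procedure above, looped over every listed cipher, as an added example (it is not the attached test-bug-168.sh and not OpenVPN project code). The function names, the `--run`/`--selftest` switches and the sample listing are constructed here, and the parser assumes `--show-ciphers` prints one cipher per line with the name first and a key description containing "bit".

```shell
#!/bin/sh
# Added example: run the --test-crypto self-test for each cipher and flag
# the ones that abort with an assertion. Not the ticket's attachment.

# Constructed sample of --show-ciphers output (format is an assumption).
SAMPLE='The following ciphers and cipher modes are available
for use with OpenVPN.

DES-CBC 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
AES-128-OFB 128 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)'

# Read --show-ciphers output on stdin, print only the cipher names.
# Header prose is skipped: names are upper-case, dash-separated tokens.
list_ciphers() {
    awk '$1 ~ /^[A-Z0-9]+(-[A-Z0-9]+)+$/ && / bit/ { print $1 }'
}

# The block mode is the last dash-separated field of the cipher name.
cipher_mode() {
    printf '%s\n' "${1##*-}"
}

# $1 = cipher, $2 = shared-secret key file. Prints "cipher mode result",
# where result is ASSERT, OK or FAIL(exit-code).
test_cipher() {
    out=$(openvpn --test-crypto --secret "$2" --cipher "$1" 2>&1) && rc=0 || rc=$?
    if printf '%s\n' "$out" | grep -q 'Assertion failed'; then
        res=ASSERT
    elif [ "$rc" -eq 0 ]; then
        res=OK
    else
        res="FAIL($rc)"
    fi
    printf '%s %s %s\n' "$1" "$(cipher_mode "$1")" "$res"
}

# --run [keyfile]: test every cipher the local openvpn binary reports.
# --selftest: show what the parser extracts from the constructed sample.
if [ "${1:-}" = "--run" ]; then
    key=${2:-sample-keys/ta.key}
    openvpn --show-ciphers | list_ciphers | while read -r c; do
        test_cipher "$c" "$key"
    done
elif [ "${1:-}" = "--selftest" ]; then
    printf '%s\n' "$SAMPLE" | list_ciphers
fi
```

Sorting the `--run` output on the second column groups the results by block mode, which makes it easy to see whether every non-CBC mode reports ASSERT.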
Attachments (1)
Change History (3)
Changed 13 years ago by
Attachment: | test-bug-168.sh added |
---|
comment:1 Changed 13 years ago by
This seems the same as bug #89. https://community.openvpn.net/openvpn/ticket/89
comment:2 Changed 11 years ago by
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Closing as a duplicate of ticket #89.
Script that automatically tests this bug for all cipher block modes.