Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#206 closed Bug / Defect (duplicate)

--tls-server does not work together with --float

Reported by: seb Owned by:
Priority: major Milestone:
Component: Certificates Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: float tls
Cc:

Description

After the client gets a new IP, he's not able to communicate until ping-restart timeout when using tls-server/tls-client.

Scenario:

  • A server with a static IP
  • A client with a dynamic IP

Tested with 2.2.2

Log:
[...]
Wed May 2 15:16:22 2012 us=925612 [ford.[domain]] Peer Connection Initiated with 87.78.239.81:50101
Wed May 2 15:16:23 2012 us=18604 Initialization Sequence Completed

[redial, new IP address]

Wed May 2 15:16:37 2012 us=24975 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:38 2012 us=23629 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:39 2012 us=24576 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:40 2012 us=24436 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:41 2012 us=23111 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:42 2012 us=22823 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]

It seems that either

  • the check link_socket_actual_match (from, &ks->remote_addr) in ssl.c, function tls_pre_decrypt line 4633 must only be done when not using float

or

  • code for re-negotiating tls keys when a client changes its IP is missing

Configs

server:

local [serverip]
lport 50001
ping 5
ping-restart 30
dev tun-ford
tun-ipv6
persist-tun
ifconfig 10.10.254.101 192.168.254.1
mlock
passtos
tun-ipv6
comp-lzo
float
tls-server
ca ca.crt
dh dh2048.pem
cert asterix.[domain].crt
key asterix.[domain].key
tls-auth tls-auth.key 0
tls-remote ford.[domain]

client:

remote [serverip] 50001
lport 50101
ping 5
ping-restart 30
dev tun-asterix
tun-ipv6
persist-tun
ifconfig 192.168.254.1 10.10.254.101
up /etc/openvpn/auto_asterix.up
script-security 2
mlock
passtos
comp-lzo
tls-client
ca ca.crt
dh dh2048.pem
cert ford.[domain].crt
key ford.[domain].key
tls-auth tls-auth.key 1
tls-remote asterix.[domain]
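As an added example that is not part of this ticket and not OpenVPN code: a small Python log check that flags the pattern the reporter describes, repeated "TLS keys are out of sync" errors arriving from an address other than the one the session was initiated with. The log format follows the lines quoted in the description; the sample log is constructed from those lines, and the three-error threshold and the field names in the result are this example's own choices. The same pattern on a server that does not run with `float` would also be worth surfacing, since it means packets for an established session are arriving from an unexpected source.

```python
"""Flag TLS 'keys out of sync' errors that come from a source address other
than the one the session was initiated with (the --float / redial symptom
reported in this ticket). Added example, not OpenVPN code."""
import re
from datetime import datetime

# Constructed sample modelled on the log excerpt in the ticket; the elided
# [domain] is kept as the reporter posted it.
SAMPLE_LOG = """\
Wed May 2 15:16:22 2012 us=925612 [ford.[domain]] Peer Connection Initiated with 87.78.239.81:50101
Wed May 2 15:16:23 2012 us=18604 Initialization Sequence Completed
Wed May 2 15:16:37 2012 us=24975 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:38 2012 us=23629 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
Wed May 2 15:16:39 2012 us=24576 TLS Error: local/remote TLS keys are out of sync: 87.78.237.54:50101 [0]
"""

# "<weekday> <month> <day> <time> <year> us=<microseconds> <message>"
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=(\d+) (.*)$")
# "[<common name>] Peer Connection Initiated with <ip>:<port>"
INIT_RE = re.compile(r"^\[(.*)\] Peer Connection Initiated with (\S+)$")
# "TLS Error: local/remote TLS keys are out of sync: <ip>:<port> [<key id>]"
SYNC_RE = re.compile(r"TLS Error: local/remote TLS keys are out of sync: (\S+) \[(\d+)\]")


def parse_line(line):
    """Return (timestamp, message) for an OpenVPN log line, or None if it does not match."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return ts.replace(microsecond=int(m.group(2))), m.group(3)


def analyze(log_text, threshold=3):
    """Return one finding per source address that produced at least `threshold`
    out-of-sync errors while differing from the established peer address."""
    findings = []
    peer = cn = init_ts = None
    mismatches = {}  # source address -> {"count", "first", "last"}

    def flush():
        # Emit findings for the session that is ending and reset per-session state.
        for src, info in mismatches.items():
            if info["count"] >= threshold:
                findings.append({
                    "cn": cn,
                    "peer": peer,
                    "source": src,
                    "count": info["count"],
                    # Same port with a new IP is what a redial with a fixed lport looks like.
                    "same_port": peer.rsplit(":", 1)[1] == src.rsplit(":", 1)[1],
                    "seconds_since_init": round((info["first"] - init_ts).total_seconds(), 3),
                    "duration": round((info["last"] - info["first"]).total_seconds(), 3),
                })
        mismatches.clear()

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        m = INIT_RE.match(msg)
        if m:
            flush()  # a fresh session: report anything collected for the previous one
            cn, peer, init_ts = m.group(1), m.group(2), ts
            continue
        m = SYNC_RE.search(msg)
        if m and peer is not None:
            src = m.group(1)
            if src == peer:
                continue  # same endpoint: an ordinary desync, not an address change
            info = mismatches.setdefault(src, {"count": 0, "first": ts, "last": ts})
            info["count"] += 1
            info["last"] = ts
    flush()
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the check reports the session for `ford.[domain]` established from `87.78.239.81:50101` receiving three out-of-sync errors from `87.78.237.54:50101`, starting about 14 seconds after initiation, on the same source port. With the `ping-restart 30` from the configs above, the reporter's client keeps hitting this until the restart fires; an operator watching for the pattern can tell a redial from a genuinely unexpected source by the `same_port` flag and the common name.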

Change History (3)

comment:1 Changed 8 years ago by Eric Crist

Resolution: duplicate
Status: new → closed

This is a duplicate of ticket #49, but I'll point that ticket here, as this is better debugging information.

comment:2 Changed 8 years ago by siemer

@seb: do you have a patch for this, or is it really that easy to do (remove the function call)?

How do I put my email on the watchlist of this bug???

comment:3 Changed 6 years ago by seb

Hello ecrist,

I don't think it's a duplicate. This here is not in "server" mode (as in the other ticket).

So it's a real bug (float does not work as expected) and not a feature request as stated in Ticket 49.

Seb
