Opened 10 years ago
Closed 9 years ago
#373 closed Bug / Defect (fixed)
--server-poll-timeout crashes with static key config
| Reported by: | staples1347 | Owned by: | Samuli Seppänen |
|---|---|---|---|
| Priority: | minor | Milestone: | release 2.3.7 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.2 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
OpenVPN clients crash when --server-poll-timeout is used with a static key config. It crashes in check_server_poll_timeout_dowork (forward.c:334) which is "if (!tls_initial_packet_received (c->c2.tls_multi))". Valgrind reports the following (on 64-bit Linux custom compiled version of OpenVPN with debugging enabled), but the crash also occurs on Windows and Android versions of OpenVPN):
==9862== Process terminating with default action of signal 11 (SIGSEGV)
==9862== Access not within mapped region at address 0x208
==9862== at 0x412952: check_server_poll_timeout_dowork (forward.c:334)
==9862== by 0x41543E: pre_select (forward-inline.h:130)
==9862== by 0x433C2D: openvpn_main (openvpn.c:80)
==9862== by 0x58BD60C: (below main) (in /lib64/libc-2.15.so)
Here is an example client config that causes OpenVPN to crash:
dev tun
proto udp
remote <remoteserver> <remoteport>
server-poll-timeout 5
resolv-retry infinite
nobind
persist-key
persist-tun
ping 15
ping-restart 45
persist-tun
persist-key
ifconfig <localip> <remoteip>
secret <secretkeyfile> 1
Change History (7)
comment:1 Changed 9 years ago by
| Milestone: | → release 2.3.6 |
|---|---|
| Owner: | set to Samuli Seppänen |
| Status: | new → assigned |
comment:2 Changed 9 years ago by
Correction: the crash is definitely not expected behavior, but "--secret" not working with "--server-poll-timeout" is.
comment:3 Changed 9 years ago by
| Milestone: | release 2.3.6 → release 2.3.7 |
|---|
comment:4 Changed 9 years ago by
I'll check if I've provided a patch to fix the man-page. If not, I'll provide one.
comment:5 Changed 9 years ago by
It seems the man-page does not yet have this information. I will send a patch soon.
comment:6 Changed 9 years ago by
Patch is on the list, http://article.gmane.org/gmane.network.openvpn.devel/9736 (both code and documentation).
comment:7 Changed 9 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
commit 6478c1f359e6b0ea2046d9e2801830753e53c06a (master)
commit 7895590cf1f513f508132f8987fee8fef2759df7 (release/2.3)
Author: Gert Doering
Date: Sun May 24 15:02:34 2015 +0200
Disallow usage of --server-poll-timeout in --secret key mode.
The internal machinery wants TLS for this to work, so just add this
to the (long) list of options not allowed unless either --tls-client
or --tls-server is active. For added sanity, add an ASSERT() call
to the place where this combination caused a NULL ptr reference, and
document the restriction.
... which will be in 2.4 and the upcoming 2.3.7 release.
So, I think this is done :-)
I think this is expected behavior. Using static keys implies peer to peer, which is why any features that depend on asymmetrical client-server relationship will not work. I think it makes sense to explicitly mention this on the man-page in the "--secret" section.