Opened 5 years ago

Closed 4 years ago

#373 closed Bug / Defect (fixed)

--server-poll-timeout crashes with static key config

Reported by: staples1347 Owned by: Samuli Seppänen
Priority: minor Milestone: release 2.3.7
Component: Generic / unclassified Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


OpenVPN clients crash when --server-poll-timeout is used with a static key config. It crashes in check_server_poll_timeout_dowork (forward.c:334) which is "if (!tls_initial_packet_received (c->c2.tls_multi))". Valgrind reports the following (on 64-bit Linux custom compiled version of OpenVPN with debugging enabled), but the crash also occurs on Windows and Android versions of OpenVPN):
==9862== Process terminating with default action of signal 11 (SIGSEGV)
==9862== Access not within mapped region at address 0x208
==9862== at 0x412952: check_server_poll_timeout_dowork (forward.c:334)
==9862== by 0x41543E: pre_select (forward-inline.h:130)
==9862== by 0x433C2D: openvpn_main (openvpn.c:80)
==9862== by 0x58BD60C: (below main) (in /lib64/

Here is an example client config that causes OpenVPN to crash:
dev tun
proto udp
remote <remoteserver> <remoteport>
server-poll-timeout 5
resolv-retry infinite
ping 15
ping-restart 45
ifconfig <localip> <remoteip>
secret <secretkeyfile> 1

Change History (7)

comment:1 Changed 4 years ago by Samuli Seppänen

Milestone: release 2.3.6
Owner: set to Samuli Seppänen
Status: newassigned

I think this is expected behavior. Using static keys implies peer to peer, which is why any features that depend on asymmetrical client-server relationship will not work. I think it makes sense to explicitly mention this on the man-page in the "--secret" section.

comment:2 Changed 4 years ago by Samuli Seppänen

Correction: the crash is definitely not expected behavior, but "--secret" not working with "--server-poll-timeout" is.

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.3.6release 2.3.7

comment:4 Changed 4 years ago by Samuli Seppänen

I'll check if I've provided a patch to fix the man-page. If not, I'll provide one.

comment:5 Changed 4 years ago by Samuli Seppänen

It seems the man-page does not yet have this information. I will send a patch soon.

comment:6 Changed 4 years ago by Gert Döring

Patch is on the list, (both code and documentation).

comment:7 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: assignedclosed

commit 6478c1f359e6b0ea2046d9e2801830753e53c06a (master)
commit 7895590cf1f513f508132f8987fee8fef2759df7 (release/2.3)

Author: Gert Doering
Date: Sun May 24 15:02:34 2015 +0200

Disallow usage of --server-poll-timeout in --secret key mode.

The internal machinery wants TLS for this to work, so just add this
to the (long) list of options not allowed unless either --tls-client
or --tls-server is active. For added sanity, add an ASSERT() call
to the place where this combination caused a NULL ptr reference, and
document the restriction.

... which will be in 2.4 and the upcoming 2.3.7 release.

So, I think this is done :-)

Note: See TracTickets for help on using tickets.