Opened 10 years ago
Closed 10 years ago
#471 closed Bug / Defect (fixed)
Segfault when starting
Reported by: | laurentl | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.2 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | segfault |
Cc: | Steffan Karger |
Description
Hello,
I use the default openvpn package from the latest Xubuntu 14.10, but I had the problem with 14.04 too.
OpenVPN segfaults when starting; I have pasted the openvpn --version output below
and attached a backtrace log file.
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 2 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no
Attachments (1)
Change History (4)
Changed 10 years ago by
Attachment: | openvpn_segfault2.log added |
---|
comment:1 Changed 10 years ago by
Cc: | Steffan Karger added |
---|
comment:2 Changed 10 years ago by
OK, you are right, with --cipher AES-256-CBC it is working!
Thanks
comment:3 Changed 10 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
cron2 is correct that this has indeed been fixed in 2.3.5:
$ ./openvpn --config sample-config-files/loopback-server --cipher AES-256-CBC-HMAC-SHA1
Fri Oct 31 13:01:51 2014 OpenVPN 2.3.5 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 31 2014
Fri Oct 31 13:01:51 2014 Cipher algorithm 'AES-256-CBC-HMAC-SHA1' not found (OpenSSL)
Fri Oct 31 13:01:51 2014 Exiting due to fatal error
Just one comment: for now, master (i.e. 2.4) doesn't support the AES-128-CBC-HMAC-SHA1 suite either, and it would not surprise me if we will never support it. Just use cipher AES-128-CBC and auth SHA1 if you want that configuration (but better, use cipher AES-256-CBC and auth SHA256).
Closing this ticket.
I'm fairly sure the error is here: "--cipher AES-256-CBC-HMAC-SHA1" - this is not one of the supported ciphers, *and* it's not symmetric to what the server has (which is required).
It shouldn't crash, of course - OTOH 2.3.2 is 1.5 years old, and lots of things have been changed and fixed in the handling of --cipher - especially this commit here:
commit deff485f85e0eb9502f1ed2cdda2dd41a429fe58
Author: Steffan Karger <steffan@…>
Date: Sun Jun 8 18:16:13 2014 +0200
looks like it's the fix for your issue - this is just an unsupported cipher which breaks things, and 2.3.5 will consequently not allow you to use them until we fully support the API required (which will happen in 2.4.0).
Copying in syzzer so he can double-check that my analysis is right :)
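As an added example (not part of the ticket and not OpenVPN's own code): a small Python pre-flight check for the two points raised in the comments, a combined cipher+HMAC suite name given to `cipher`, and `cipher`/`auth` settings that differ between client and server. The two config texts are constructed samples, the function names are hypothetical, and the comment handling is simplified compared with OpenVPN's real option parser.

```python
import re

# Constructed sample configs (not from the ticket): the client names a combined
# cipher+HMAC suite, the server uses a plain cipher with a separate auth digest.
CLIENT_CONF = """\
client
remote vpn.example.net 1194
cipher AES-256-CBC-HMAC-SHA1   # combined suite name
"""
SERVER_CONF = """\
port 1194
cipher AES-256-CBC
auth SHA256
"""

def directives(conf_text):
    """Return {'cipher': ..., 'auth': ...} as set in the config; last one wins."""
    found = {}
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        parts = line.split()
        name = parts[0].lstrip("-") if parts else ""  # accept '--cipher' too
        if len(parts) >= 2 and name in ("cipher", "auth"):
            found[name] = parts[1].upper()
    return found

def check(client_text, server_text):
    """Return a list of findings for a client/server config pair."""
    c, s = directives(client_text), directives(server_text)
    findings = []
    for side, d in (("client", c), ("server", s)):
        cipher = d.get("cipher", "")
        if "-HMAC-" in cipher:
            base = cipher.split("-HMAC-")[0]
            findings.append(f"{side}: cipher {cipher} is a combined suite; "
                            f"use 'cipher {base}' plus a separate 'auth'")
    for key in ("cipher", "auth"):
        if c.get(key) != s.get(key):  # None means not set: build default applies
            findings.append(f"{key} differs: client={c.get(key)} "
                            f"server={s.get(key)}")
    return findings

if __name__ == "__main__":
    for finding in check(CLIENT_CONF, SERVER_CONF):
        print(finding)
```

A value reported as `None` means the directive is absent on that side, so whether it really differs depends on the default of the OpenVPN build in use.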