Opened 6 years ago

Closed 6 years ago

#471 closed Bug / Defect (fixed)

Segfault when starting

Reported by: laurentl Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: segfault
Cc: Steffan Karger



I use the default openpvpn package from the last Xubuntu 14.10 but i had the problem with the 14.04 too.

Openvpn segfault when starting, i have pasted the openvpn --version below
and attached a backtrace log file

OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 2 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

Attachments (1)

openvpn_segfault2.log (4.5 KB) - added by laurentl 6 years ago.

Download all attachments as: .zip

Change History (4)

Changed 6 years ago by laurentl

Attachment: openvpn_segfault2.log added

comment:1 Changed 6 years ago by Gert Döring

Cc: Steffan Karger added

I'm fairly sure the error is here: "--cipher AES-256-CBC-HMAC-SHA1" - this is not one of the supported ciphers, *and* it's not symmetric to what the server has (which is required).

It shouldn't crash, of course - OTOH 2.3.2 is 1.5 years old, and lots of things have been changed and fixed in the handling of --cipher - especially this commit here:

commit deff485f85e0eb9502f1ed2cdda2dd41a429fe58
Author: Steffan Karger <steffan@…>
Date: Sun Jun 8 18:16:13 2014 +0200

Add proper check for crypto modes (CBC or OFB/CFB)

OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.

looks like it's the fix for your issue - this is just an unsupported cipher which breaks things, and 2.3.5 will consequently not allow you to use them until we fully support the API required (which will happen in 2.4.0).

Copying in syzzer so he can double-check that my analysis is right :)

comment:2 Changed 6 years ago by laurentl

ok you are right, with --cipher AES-256-CBC it is working !


comment:3 Changed 6 years ago by Steffan Karger

Resolution: fixed
Status: newclosed

cron2 is correct that this has indeed been fixed in 2.3.5:

$ ./openvpn --config sample-config-files/loopback-server --cipher AES-256-CBC-HMAC-SHA1
Fri Oct 31 13:01:51 2014 OpenVPN 2.3.5 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 31 2014
Fri Oct 31 13:01:51 2014 Cipher algorithm 'AES-256-CBC-HMAC-SHA1' not found (OpenSSL)
Fri Oct 31 13:01:51 2014 Exiting due to fatal error

Just one comment: for now, master (i.e. 2.4) doesn't support the AES-128-CBC-HMAC-SHA1 suite either, and it would not surprise me if we will never support it. Just use cipher AES-128-CBC and auth SHA1 if you want that configuration (but better, use cipher AES-256-CBC and auth SHA256).

Closing this ticket.

Note: See TracTickets for help on using tickets.