Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#502 closed Bug / Defect (fixed)

SSL3_GET_RECORD:bad decompression

Reported by: Anton B Owned by: Steffan Karger
Priority: major Milestone: release 2.3.7
Component: Generic / unclassified Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

I'm facing a problem with Netgear R7000 router. There are multiple reports about the same problem under different OS. For example, here:
http://forum1.netgear.com/showthread.php?t=90147

Netgear is running outdated software:
OpenSSL 1.0.0g 18 Jan 2012
Zlib-1.2.7

The client side software:
openssl-1.0.1k
openvpn-2.3.6
zlib-1.2.8 (compression library)

I have opened a bug report at netgear and they might fix it.

However, the root of the problem seems can be fixed in OpenVPN.
Here is the log file on the client site:

Tue Jan 13 09:39:56 2015 us=336194 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@…
Tue Jan 13 09:39:56 2015 us=336439 VERIFY OK: depth=0, C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@…
Tue Jan 13 09:39:56 2015 us=416665 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
Tue Jan 13 09:39:56 2015 us=416728 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 13 09:39:56 2015 us=416748 TLS Error: TLS handshake failed
Tue Jan 13 09:39:56 2015 us=416962 TCP/UDP: Closing socket
Tue Jan 13 09:39:56 2015 us=417004 SIGUSR1[soft,tls-error] received, process restarting

The best explanation is probably given by nginx guys:
http://forum.nginx.org/read.php?2,226705,226754#msg-226754

It is a compatability issue of different versions.

There are also patches for different software. For example:
https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b.diff
https://svn.apache.org/repos/asf/tomcat/native/trunk/native/src/ssl.c

I've patched OpenVPN similarly and the problem has gone.

The patch is attached to this bug report

Attachments (1)

openvpn-ssl_compression.patch (480 bytes) - added by Anton B 6 years ago.
Disabling SSL Compression optionally

Download all attachments as: .zip

Change History (8)

Changed 6 years ago by Anton B

Disabling SSL Compression optionally

comment:1 Changed 6 years ago by Gert Döring

Owner: set to Steffan Karger
Status: newassigned

Something for you to ponder...

comment:2 Changed 6 years ago by Steffan Karger

Actually, we might even want to disable SSL compression all together. The TLS channel is a low bandwidth channel anyway, and SSL compression has caused a number of security issues for HTTPS (note: but not for openvpn, since it is much harder to get user controlled data into the openvpn control channel).

Either way, thanks for the clear report and patch. I will come back to this.

comment:3 Changed 6 years ago by Dirkjan Ochtman

(Your Trac UI is not clear to me -- hopefully commenting will put me on the CC list.)

comment:4 Changed 6 years ago by Steffan Karger

Resolution: fixed
Status: assignedclosed

Patches have been applied to the master and release/2.3 branches. The next release will disable SSL compression unconditionally.

comment:5 Changed 6 years ago by Steffan Karger

Milestone: release 2.3.7

comment:6 Changed 6 years ago by Dirkjan Ochtman

Can you please link to the commits? Or will 2.3.7 be released quite soon?

comment:7 Changed 6 years ago by Gert Döring

commit 5d5233778868ddd568140c394adfcfc8e3453245 (master)
commit 5b46cf43432e69bb55747830494f613115a2af0c (release/2.3)

Author: Steffan Karger
Date: Sun Feb 15 15:24:26 2015 +0100

Disable SSL compression

I'd expect 2.3.7 in the next 2-3 weeks or so, depends a bit on how long it takes to go through the other open bugs and fix what should be in there.

Note: See TracTickets for help on using tickets.