#683 closed Bug / Defect (fixed)
openvpn 2.3.11 does not start up
Reported by: | cudiaco | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.3.12 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.11 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | server, startup, failing |
Cc: | alimakki@…, Steffan Karger |
Description
Recently tried upgrading my server to the 2.3.11 release:
```sh
./configure --with-crypto-library=polarssl
make
make install
```
which works fine:
```
openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016
library versions: PolarSSL 1.3.16, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=polarssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
```
However, when starting up OpenVPN, it silently fails.
Tried to run it through gdb:
```
gdb --args /usr/sbin/openvpn --mode server --tls-server --multihome --port 8757 --proto udp --dev tun --up "/etc/openvpn/scripts/runme.sh" --client-to-client --persist-key --persist-tun --ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt --cert /etc/openvpn/easy-rsa/2.0/keys/server.crt --key /etc/openvpn/easy-rsa/2.0/keys/server.key --dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem --tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 --cipher AES-128-CBC --auth SHA256 --comp-lzo --server 10.9.0.0 255.255.255.0 --push "topology subnet" --push "dhcp-option DNS 8.8.8.8" --push push "dhcp-option DNS 8.8.4.4" --max-clients 40 --user nobody --group nobody --keepalive 10 120 --status /etc/openvpn/log/faster-status.log --log /etc/openvpn/log/faster.log --verb 4 --mute 20
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/openvpn...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/openvpn --mode server --tls-server --multihome --port 8757 --proto udp --dev tun --up /etc/openvpn/scripts/runme.sh --client-to-client --persist-key --persist-tun --ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt --cert /etc/openvpn/easy-rsa/2.0/keys/server.crt --key /etc/openvpn/easy-rsa/2.0/keys/server.key --dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem --tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 --cipher AES-128-CBC --auth SHA256 --comp-lzo --server 10.9.0.0 255.255.255.0 --push topology\ subnet --push dhcp-option\ DNS\ 8.8.8.8 --push push dhcp-option\ DNS\ 8.8.4.4 --max-clients 40 --user nobody --group nobody --keepalive 10 120 --status /etc/openvpn/log/faster-status.log --log /etc/openvpn/log/faster.log --verb 4 --mute 20
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 4116) exited with code 01]
(gdb) quit
```
Rolling back to the 2.3.10 release (compiled with the same PolarSSL version) worked fine.
Attachments (2)
Change History (4)
Changed 7 years ago by
Attachment: | server-fast.conf added |
---|
comment:1 Changed 7 years ago by
Cc: | Steffan Karger added |
---|---|
Milestone: | release 2.3.11 → release 2.3.12 |
Resolution: | → fixed |
Status: | new → closed |
2.3.11 with polarssl is broken unless "--tls-cipher <list of ciphers>" is used. We noticed after release that one of the hardening patches had a side effect in 2.3 because a check present in master wasn't there yet. Apologies.
Patch is already in tree:
```
commit 629baad8f89af261445a2ace03694601f8e476f9
Author: Steffan Karger <steffan@…>
Date:   Fri May 13 08:54:52 2016 +0200

    Fix polarssl / mbedtls builds

    Commit 8a399cd3 hardened the OpenSSL default cipher list,
    but also introduced a change in shared code that causes
    polarssl / mbedtls builds to break when no --tls-cipher is
    specified.

    This fix is backported code from the master branch.

    Signed-off-by: Steffan Karger <steffan@…>
    Acked-by: Gert Doering <gert@…>
    Message-Id: <1463122492-701-1-git-send-email-steffan@…>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/11647
```
... and will be released as part of 2.3.12 this week.
I'm closing this ticket (as the bugfix is already in tree).
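The workaround named in the comment above, written out as an added example that is not part of the ticket or of the OpenVPN project's own documentation: a server config fragment for a 2.3.11 PolarSSL build with an explicit `tls-cipher` line. The certificate and key paths follow the reporter's layout; the suite names are an assumption and must be ones your build actually lists under `openvpn --show-tls` (PolarSSL/mbedTLS builds take IANA-style names, not the OpenSSL-style names an OpenSSL build uses).

```conf
# Added example, not the project's own config: OpenVPN 2.3.11 built with
# --with-crypto-library=polarssl exits at startup unless --tls-cipher is set.
# Paths follow the reporter's layout; the suite list below is an assumption and
# every entry must appear in `openvpn --show-tls` on the affected build.
mode server
tls-server
proto udp
port 8757
dev tun
ca       /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert     /etc/openvpn/easy-rsa/2.0/keys/server.crt
key      /etc/openvpn/easy-rsa/2.0/keys/server.key
dh       /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
cipher AES-128-CBC
auth SHA256

# Workaround for the 2.3.11 PolarSSL startup failure: an explicit TLS suite list.
# PolarSSL/mbedTLS builds use IANA names, ':'-separated; DHE-RSA suites match the
# RSA server certificate and the dh2048.pem parameters used above.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
```

Before relying on this, confirm the build you are running is the affected one (`openvpn --version | head -1` should show `OpenVPN 2.3.11` and `[SSL (PolarSSL)]`) and check that every suite name in the list is printed by `openvpn --show-tls`; a name the library does not know is rejected at startup just like a missing list. Clients must also support at least one of the listed suites, so test a client connection after adding the line. Once 2.3.12 is deployed the line is no longer needed for startup, although keeping an explicit, restricted suite list is a reasonable hardening choice in its own right.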
comment:2 Changed 7 years ago by
Version: | git master branch → 2.3.11 |
---|
udp server config