Opened 3 years ago

Closed 3 years ago

#924 closed Bug / Defect (fixed)

OpenVPN 2.4.3 fails when configured with keysize 384

Reported by: deepaktom Owned by: Steffan Karger
Priority: major Milestone: release 2.4.4
Component: Generic / unclassified Version: OpenVPN 2.4.3 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

After upgrading OVPN to v2.4.3 on client and server, when the daemon is started it kills the OpenVPN server.
It appears that the parameter "keysize 384" configured on the OVPN clients and server is causing it; if we change it to "keysize 256" it works.
Below are the logs of the OpenVPN server; I have indicated the line with the error.

ovpn_server logs:
Wed Aug 2 21:59:04 2017 10.1.1.172:55208 [ovpn_client01.com] Peer Connection Initiated with [AF_INET]10.1.1.172:55208
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 OPTIONS IMPORT: reading client specific options from: ccd/ovpn_client01.com
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 MULTI: Learn: 198.18.121.22 -> ovpn_client01.com/10.1.1.172:55208
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 MULTI: primary virtual IP for ovpn_client01.com/10.1.1.172:55208: 198.18.121.22
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 SENT CONTROL [ovpn_client01.com]: 'PUSH_REPLY,route 198.18.121.1,topology net30,ping 14,ping-restart 120,route 198.18.254.0 255.255.254.0,ifconfig 198.18.121.22 198.18.121.1,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Data Channel: using negotiated cipher 'AES-256-GCM'

Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length <<<----------- ERROR ------------------

Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 EVP set key size
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Exiting due to fatal error <<<------ ERROR on server killing the daemon
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 /sbin/ip route del 198.18.121.0/24
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Closing TUN/TAP interface
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 /sbin/ip addr del dev tun0 local 198.18.121.1 peer 198.18.121.2

OpenVPN packages on the servers:
[@ovpn_server01 ~]# rpm -qa |grep -Ei 'pkcs|vpn|openssl'
openssl-1.0.1e-57.el6.x86_64
pkcs11-helper-1.11-3.el6.x86_64
pyOpenSSL-0.13.1-2.el6.x86_64
openssl098e-0.9.8e-20.el6_7.1.x86_64
openvpn-2.4.3-1.el6.x86_64

[@ovpn_client01.com ~]$ rpm -qa |grep -Ei 'pkcs|vpn|openssl'
pyOpenSSL-0.13.1-2.el6.x86_64
openvpn-2.4.3-1.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
pkcs11-helper-1.11-3.el6.x86_64

Version-Release number of selected component (if applicable):

openvpn-2.4.3-1.el6.x86_64

How reproducible:

  1. Upgrade to openvpn-2.4.3-1.el6.x86_64 and configure OpenVPN
  2. Configure the OpenVPN server and client with "keysize 384"

#######################################
OpenVPN SERVER Configuration file:
server 198.18.121.0 255.255.255.0
local 10.1.1.166
#server

dev tun
#topology subnet
#tun-mtu 1000
proto tcp
port 443
status /var/log/openvpn/openvpn_server-443_status.log 60
status-version 1
management 127.0.0.1 9090
log-append /var/log/openvpn/openvpn_server-443.log
verb 3
tls-server
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

dh /etc/openvpn/pki/dh2048.pem
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/openvpn_server.crt
key /etc/openvpn/pki/openvpn_server.key # This file should be kept secret

keepalive 14 120

client-config-dir ccd

#######################################
OpenVPN CLIENT Configuration File:
client
dev tun
proto tcp

# Define OpenVPN Servers here
# remote $OVPN_IP 443
# remote $OVPN2_IP 443
remote 10.1.1.166 443

nobind

ca pki/ca.crt
cert pki/openvpn_client.com.crt
key pki/openvpn_client.com.key

ns-cert-type server
status /var/log/openvpn_client-openvpn-status.log 300
status-version 1
log-append /var/log/openvpn_client-openvpn.log
verb 3
tls-client
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

keepalive 14 120
nice -1

Actual results:
After starting the daemon on the client, it crashes the OVPN daemon on the server side.

Expected results:
An openvpn connection enclosure between the client and server with a strong cipher

Additional info:
If the client runs at OVPN v2.3.x and server v2.4.3 it connects fine even with "keysize 384".

Change History (4)

comment:1 Changed 3 years ago by Steffan Karger

Milestone: release 2.4.3 → release 2.4.4
Resolution: duplicate
Status: new → closed

Thanks for reporting. This is a duplicate of #904 though, and is already fixed in the release/2.4 branch. The fix will be included in OpenVPN 2.4.4.

comment:2 Changed 3 years ago by Steffan Karger

Resolution: duplicate (removed)
Status: closed → reopened

Apologies, this is not the same bug as #904, but I did send a patch to fix this issue to the list for review:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html

Still awaiting review, but I'm hopeful that it will make 2.4.4.

If you are in the position to test the patch, any results are very welcome.

comment:3 Changed 3 years ago by Steffan Karger

Owner: set to Steffan Karger
Status: reopened → accepted

comment:4 Changed 3 years ago by Steffan Karger

Resolution: fixed
Status: accepted → closed

Fix was applied in git in Aug 2017, and is part of OpenVPN 2.4.4:

commit 956bb1c32fa40ee184919b3ce569c90643a01b5b (master)
commit 6f616aa6b7570db965b8eee1d8b8d182af4bb05f (release/2.4)
Author: Steffan Karger
Date: Thu Jul 20 19:55:57 2017 +0200

Always use default keysize for NCP'd ciphers

Signed-off-by: Steffan Karger <stef...@…>
Acked-by: David Sommerseth <dav...@…>
Message-Id: <1500573357-20496-1-git-send-email-stef...@…>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html

Signed-off-by: David Sommerseth <dav...@…>
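The failure in the ticket description and the rule named by the fix commit in comment:4 ("Always use default keysize for NCP'd ciphers"), modelled as an added example written for this page; it is not OpenVPN's or OpenSSL's code. The cipher table, the default cipher, the key-range check in set_key_length and the trimmed SERVER_CONF are constructed for the example. It shows why the reporter's configs worked with a 2.3 client (no NCP, so keysize 384 applies to the default BF-CBC, which takes variable key sizes), why a 2.4.3 server aborted once NCP negotiated the fixed-length AES-256-GCM, why "keysize 256" was a working workaround, and what the 2.4.4 behaviour is; lint_keysize is a defender-side check that flags a keysize that any NCP candidate would reject on a pre-fix peer.

```python
"""Added example, not OpenVPN's own code: models the interaction between the
'keysize' option and Negotiable Crypto Parameters (NCP) from ticket #924 and
the fix rule "Always use default keysize for NCP'd ciphers"."""

# Constructed table: default key size in bits for a few OpenSSL cipher names.
# AES (CBC and GCM) has a fixed key length; Blowfish accepts a range of sizes.
CIPHER_KEY_BITS = {
    "AES-128-CBC": 128, "AES-192-CBC": 192, "AES-256-CBC": 256,
    "AES-128-GCM": 128, "AES-256-GCM": 256,
    "BF-CBC": 128,
}
VARIABLE_KEY_LENGTH = {"BF-CBC": (32, 448)}   # Blowfish key range in bits
DEFAULT_CIPHER = "BF-CBC"                     # OpenVPN 2.4 default without a 'cipher' line
DEFAULT_NCP_CIPHERS = ("AES-256-GCM", "AES-128-GCM")  # OpenVPN 2.4 default ncp-ciphers

# Constructed from the ticket's server config: note there is no 'cipher' line.
SERVER_CONF = """\
server 198.18.121.0 255.255.255.0
tls-server
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"   # control channel only
"""


class KeyLengthError(ValueError):
    """Stands in for EVP_CIPHER_CTX_set_key_length failing with 'invalid key length'."""


def parse_config(text):
    """Parse 'option arg ...' lines into {option: [args]}; '#' comments are dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def set_key_length(cipher, bits):
    """Simplified EVP_CIPHER_CTX_set_key_length: a fixed-length cipher accepts
    only its own key size; a variable-length cipher accepts its whole range."""
    if bits == CIPHER_KEY_BITS[cipher]:
        return bits
    if cipher in VARIABLE_KEY_LENGTH:
        lo, hi = VARIABLE_KEY_LENGTH[cipher]
        if lo <= bits <= hi and bits % 8 == 0:
            return bits
    raise KeyLengthError(f"{cipher}: invalid key length {bits}")


def data_channel_key_bits(opts, negotiated_cipher=None, fixed=True):
    """Return (cipher, key_bits) the data channel ends up using.

    negotiated_cipher: the cipher NCP agreed on, or None when NCP is not in
    play (a 2.3.x client, which is why the reporter's 2.3 client still worked).
    fixed=False models 2.4.3, which applied 'keysize' to the NCP'd cipher too;
    fixed=True models the 2.4.4 fix: an NCP'd cipher keeps its default size.
    """
    keysize = int(opts["keysize"][0]) if "keysize" in opts else None
    if negotiated_cipher is None:
        cipher = opts.get("cipher", [DEFAULT_CIPHER])[0]
    else:
        cipher = negotiated_cipher
        if fixed:
            keysize = None          # the fix: ignore 'keysize' for NCP'd ciphers
    if keysize in (None, 0):        # keysize 0 also means "cipher default"
        return cipher, CIPHER_KEY_BITS[cipher]
    return cipher, set_key_length(cipher, keysize)


def lint_keysize(text, ncp_ciphers=DEFAULT_NCP_CIPHERS):
    """Warn when a configured 'keysize' would be rejected by a cipher NCP may
    negotiate on a pre-fix (2.4.3) peer, i.e. the condition that aborted the daemon."""
    opts = parse_config(text)
    warnings = []
    if "keysize" not in opts:
        return warnings
    for cipher in ncp_ciphers:
        try:
            data_channel_key_bits(opts, negotiated_cipher=cipher, fixed=False)
        except KeyLengthError as err:
            warnings.append(f"keysize {opts['keysize'][0]} rejected after NCP: {err}")
    return warnings


if __name__ == "__main__":
    opts = parse_config(SERVER_CONF)
    print("2.3 client, no NCP:           ", data_channel_key_bits(opts))
    print("2.4.4 server, NCP AES-256-GCM:", data_channel_key_bits(opts, "AES-256-GCM"))
    try:
        data_channel_key_bits(opts, "AES-256-GCM", fixed=False)
    except KeyLengthError as err:
        print("2.4.3 server, NCP AES-256-GCM: fatal,", err)
    for warning in lint_keysize(SERVER_CONF):
        print("warning:", warning)
```

Running the block prints the three outcomes in the order the ticket describes them and two lint warnings for keysize 384 (one per default NCP candidate); with "keysize 256" only AES-128-GCM is flagged, which matches the reporter's observation that 256 made the AES-256-GCM negotiation succeed.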
