[Pkg-openssl-devel] Bug#604723: Bug#604723: libssl0.9.8: 0.9.8g-15+lenny9 breaks existing openvpn tunnel with cipher AES-128-CBC
Martin Burman
martin at default.nu
Wed Nov 24 08:10:43 UTC 2010
On 11/23/2010 09:58 PM, Kurt Roeckx wrote:
> notfound 604723 0.9.8g-15+lenny6
> found 604723 0.9.8g-15+lenny9
> thanks
>
> On Tue, Nov 23, 2010 at 08:58:02PM +0100, Martin Burman wrote:
>> Package: libssl0.9.8
>> Version: 0.9.8g-15+lenny6
>> Severity: important
>>
>> After applying the latest patches my openvpn tunnel broke down.
>> Downgrading to cipher 0.9.8g-15+lenny6 (my previous version) brought the tunnel up again.
>> Openvpn did start OK, the interface went up, the logs stated "connected to peer", but the tunnel was non-functional.
>>
>> I have production traffic on this tunnel, so I lacked the time to investigate the underlying causes.
>> If you tell me what you would like tested, I can do tests under controlled circumstances.
> Do the logs indicate any kind of error message?
>
> Can you find out exactly which version broke things? Can you, for
> instance, try whether 0.9.8g-15+lenny8 still works?
>
> I've tried this with 0.9.8o-3 which has the same patch as
> 0.9.8g-15+lenny9, and it still works for me.
>
> I can also try this with a lenny based system, but I'm not going
> to try this late in the evening.
>
> Kurt
Hi Kurt,

I just tested with libssl0.9.8_0.9.8g-15+lenny8_i386.deb and it works fine.

Just to be clear: I buy this tunnel as a service from an ISP to obtain a
public, fixed IP address.
I have no control over the config, and I have ignored the WARNING at the
bottom of the success log because the openvpn.conf was created by the ISP.
I interpret the warning as: the interface is brought up correctly and the
server (my peer) is sending a somewhat misconfigured route.
An error, but it indicates a fully established tunnel.
tunnel fail:
Nov 23 19:21:57 decent ovpn-openvpn[2108]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Nov 23 19:21:57 decent ovpn-openvpn[2108]: /usr/sbin/openvpn-vulnkey -q keyfile.key
Nov 23 19:21:58 decent ovpn-openvpn[2108]: WARNING: file 'keyfile.key' is group or others accessible
Nov 23 19:21:58 decent ovpn-openvpn[2108]: LZO compression initialized
Nov 23 19:21:58 decent ovpn-openvpn[2108]: TUN/TAP device tap0 opened
Nov 23 19:21:58 decent ovpn-openvpn[2108]: /sbin/ifconfig tap0 A.B.C.D netmask 255.255.255.0 mtu 1500 broadcast A.B.C.FF
Nov 23 19:21:58 decent ovpn-openvpn[2122]: UDPv4 link local (bound): [undef]:5094
Nov 23 19:21:58 decent ovpn-openvpn[2122]: UDPv4 link remote: E.F.G.H:5094
Nov 23 19:21:58 decent ovpn-openvpn[2122]: Peer Connection Initiated with E.F.G.H:5094
Nov 23 19:21:59 decent ovpn-openvpn[2122]: Initialization Sequence Completed
tunnel success:
Nov 23 20:21:20 decent ovpn-openvpn[2171]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Nov 23 20:21:20 decent ovpn-openvpn[2171]: /usr/sbin/openvpn-vulnkey -q keyfile.key
Nov 23 20:21:21 decent ovpn-openvpn[2171]: WARNING: file 'keyfile.key' is group or others accessible
Nov 23 20:21:21 decent ovpn-openvpn[2171]: LZO compression initialized
Nov 23 20:21:21 decent ovpn-openvpn[2171]: TUN/TAP device tap0 opened
Nov 23 20:21:21 decent ovpn-openvpn[2171]: /sbin/ifconfig tap0 A.B.C.D netmask 255.255.255.0 mtu 1500 broadcast A.B.C.FF
Nov 23 20:21:21 decent ovpn-openvpn[2186]: UDPv4 link local (bound): [undef]:5094
Nov 23 20:21:21 decent ovpn-openvpn[2186]: UDPv4 link remote: E.F.G.H:5094
Nov 23 20:21:22 decent ovpn-openvpn[2186]: Peer Connection Initiated with E.F.G.H:5094
Nov 23 20:21:22 decent ovpn-openvpn[2186]: Initialization Sequence Completed
Nov 23 20:21:31 decent ovpn-openvpn[2186]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig A.B.C.0 255.255.255.0', remote='ifconfig A.B.C.0 255.255.255.128'
Anonymized version of my client config:
dev tap
remote E.F.G.H
float E.F.G.H
port 5094
comp-lzo
ifconfig A.B.C.D 255.255.255.0
route-gateway A.B.C.1
redirect-gateway def1
secret keyfile.key
cipher AES-128-CBC
************************
head -1 keyfile.key
-----BEGIN OpenVPN Static key V1-----
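The logs above show the two things a practitioner would want to check before blaming libssl: "Initialization Sequence Completed" only proves the control channel came up, and the two WARNING lines (a static key readable by group/others, and an ifconfig netmask that differs between the two ends) are the kind of misconfiguration that leaves an "established" tunnel unable to pass traffic. The following script is an added example, not code from the bug report, from Debian or from OpenVPN. It parses log lines of the shape shown in the thread, compares the two netmasks from the ifconfig warning, and checks a static key file the way OpenVPN's startup warning does (no group/other permission bits) plus the V1 key layout (header, footer, 512 hex digits). The sample log lines are constructed, with RFC 5737 documentation addresses in place of the anonymized A.B.C.D / E.F.G.H, and the key written by demo_key_check is random throwaway material, not the reporter's key.

```python
"""Triage for an OpenVPN static-key tunnel that reports success but carries no traffic.

Added example; not code from the bug report, from Debian or from OpenVPN.
"""
import ipaddress
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the thread's anonymized log but using
# RFC 5737 documentation addresses so the netmask comparison can run.
SAMPLE_LOG = """\
Nov 23 20:21:21 decent ovpn-openvpn[2171]: WARNING: file 'keyfile.key' is group or others accessible
Nov 23 20:21:21 decent ovpn-openvpn[2171]: TUN/TAP device tap0 opened
Nov 23 20:21:22 decent ovpn-openvpn[2186]: Peer Connection Initiated with 203.0.113.10:5094
Nov 23 20:21:22 decent ovpn-openvpn[2186]: Initialization Sequence Completed
Nov 23 20:21:31 decent ovpn-openvpn[2186]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.0.2.0 255.255.255.0', remote='ifconfig 192.0.2.0 255.255.255.128'
"""

IFCONFIG_RE = re.compile(
    r"'ifconfig' is used inconsistently, "
    r"local='ifconfig (\S+) (\S+)', remote='ifconfig (\S+) (\S+)'"
)
PEER_RE = re.compile(r"Peer Connection Initiated with (\S+)")


def triage_log(text):
    """Summarise what an OpenVPN log says about tunnel state and the two warnings
    seen in the thread.  'Initialization Sequence Completed' only means the
    control channel came up; an ifconfig mismatch can still leave traffic unrouted."""
    result = {"initialized": False, "peer": None,
              "key_world_readable": False, "ifconfig_mismatch": None}
    for line in text.splitlines():
        if "Initialization Sequence Completed" in line:
            result["initialized"] = True
        m = PEER_RE.search(line)
        if m:
            result["peer"] = m.group(1)
        if "is group or others accessible" in line:
            result["key_world_readable"] = True
        m = IFCONFIG_RE.search(line)
        if m:
            local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            result["ifconfig_mismatch"] = {
                "local": str(local),
                "remote": str(remote),
                # Peer sees a narrower subnet: hosts in the other half of the
                # local /24 are on-link here but not routed back by the peer.
                "remote_within_local": remote.subnet_of(local),
            }
    return result


KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
KEY_FOOTER = "-----END OpenVPN Static key V1-----"


def check_static_key(path):
    """Return a list of findings for an OpenVPN static key file (empty = OK).

    Mode check mirrors OpenVPN's startup warning: no group/other bits allowed.
    Shape check: header, footer, and 512 hex digits (a 2048-bit key)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: group/other access, expected 0600")
    with open(path) as f:
        lines = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    if not lines or lines[0] != KEY_HEADER or lines[-1] != KEY_FOOTER:
        findings.append("missing OpenVPN Static key V1 header/footer")
        return findings
    body = "".join(lines[1:-1])
    if len(body) != 512 or not re.fullmatch(r"[0-9a-fA-F]+", body):
        findings.append(f"key body has {len(body)} hex digits, expected 512")
    return findings


def demo_key_check():
    """Write a constructed (random, throwaway) key in the genkey layout and check
    it at mode 0600 and again at 0644.  Returns (findings_0600, findings_0644)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keyfile.key")
        hexkey = os.urandom(256).hex()  # constructed key material, not a real key
        with open(path, "w") as f:
            f.write("#\n# 2048 bit OpenVPN static key (constructed for this example)\n#\n")
            f.write(KEY_HEADER + "\n")
            for i in range(0, 512, 32):
                f.write(hexkey[i:i + 32] + "\n")
            f.write(KEY_FOOTER + "\n")
        os.chmod(path, 0o600)
        strict = check_static_key(path)
        os.chmod(path, 0o644)
        loose = check_static_key(path)
    return strict, loose


if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
    print(demo_key_check())
```

Run it against a real log with `triage_log(open("/var/log/syslog").read())` and against the key from the config with `check_static_key("keyfile.key")`. A remote_within_local of True on the ifconfig finding means the peer advertises a narrower subnet than the one configured locally, which is consistent with an interface that comes up but only reaches part of the expected range; fixing that requires the ISP side to agree on one netmask.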