
Bug 531700

Summary: net-misc/openvpn-2.3.6 fails to start with none/null ciphers
Product: Gentoo Linux
Reporter: Peter Gantner (a.k.a. nephros) <gentoo>
Component: Current packages
Assignee: Dirkjan Ochtman (RETIRED) <djc>
Status: RESOLVED FIXED
Severity: normal
CC: kfm
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://community.openvpn.net/openvpn/ticket/473
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: fix-cipher-null.patch

Description Peter Gantner (a.k.a. nephros) 2014-12-04 18:29:44 UTC
Current stable net-misc/openvpn-2.3.6 has a bug that causes it to not start up if a null cipher is configured.

See link above for details and fix.

Reproducible: Always

Steps to Reproduce:
Start openvpn with a config file like this:

client
dev tun0
dev-type tap
proto udp
remote server.example.org 1194
nobind
daemon openvpn
ca   "0xff-keys/ca.crt"
cert "0xff-keys/client.crt"
key  "0xff-keys/client.key"
cipher none
ns-cert-type server

Actual Results:  
Thu Dec  4 19:11:51 2014 us=957211 OpenVPN 2.3.6 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  3 2014
Thu Dec  4 19:11:51 2014 us=957282 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Thu Dec  4 19:11:51 2014 us=957692 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec  4 19:11:51 2014 us=973210 ******* WARNING *******: null cipher specified, no encryption will be used
Thu Dec  4 19:11:51 2014 us=973415 Assertion failed at crypto_openssl.c:523
Thu Dec  4 19:11:51 2014 us=973475 Exiting due to fatal error

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-02-08 14:53:52 UTC
Those patches don't seem to apply on straight 2.3.6.

Comment 2 Peter Gantner (a.k.a. nephros) 2015-02-08 15:48:06 UTC
Created attachment 395902 [details, diff]
fix-cipher-null.patch

I have this patch living in my /etc/portage/patches, it applies and fixes the problem described in the report.

I don't know the code well enough to say whether it has insecure side-effects, but then, you're running a VPN with a null cipher if you need this so...

Comment 3 Peter Gantner (a.k.a. nephros) 2015-02-08 15:55:48 UTC
(In reply to Peter Gantner (a.k.a. nephros) from comment #2)
> Created attachment 395902 [details, diff]
> 
> I have this patch living in my /etc/portage/patches, it applies and fixes
> the problem described in the report.

Just to clarify, this is identical to the last patch in the linked report (0001-Really-fix-cipher-none.patch), and AFAICS the only one needed.

Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-02-08 16:23:05 UTC
Thanks. Fixed in openvpn-2.3.6-r1.