Bug 518132 - net-misc/openvpn-2.3.3 silently drops connection initialisation from "OpenVPN Connect" Android client
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Dirkjan Ochtman (RETIRED)
Reported: 2014-07-25 21:21 UTC by Alex Efros
Modified: 2014-07-31 06:58 UTC (History)
Description Alex Efros 2014-07-25 21:21:04 UTC
After updating from 2.3.2 to 2.3.3, my Android phone & tablet (both use "OpenVPN Connect") failed to connect to my openvpn server. Downgrading to 2.3.2 solved this issue.

Here is the error I got on OpenVPN Connect (Android):
    External PKI error: java.security.InvalidKeyException: OpenSSL RSA_sign failed

And here is the only message I got in the log on my server:
    192.168.6.212:44051 TLS: Initial packet from [AF_INET]192.168.6.212:44051, sid=232bbaa0 137ebf07
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-29 11:38:41 UTC
1) Please post your `emerge --info net-misc/openvpn' output in a comment.
2) If that is the only relevant message you saw on the server side, then you'll need to switch on a verbosity or debugging flag to get something useful.
Comment 2 Alex Efros 2014-07-29 23:42:41 UTC
I've tried to increase verbosity level and compare 2.3.2 and 2.3.3 logs.

On verb=6 the difference begins here (I've removed/normalized timestamps/port numbers):
2.3.2: 192.168.6.212:49428 UDPv4 WRITE [89] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #39 ] [ ] pid=37 DATA len=47
2.3.3: 192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #39 ] [ ] pid=37 DATA len=81

The next 3 lines in both logs are the same:

192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #37 ] [ 34 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #38 ] [ 35 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #39 ] [ 36 ]

but then 2.3.3 probably just resends the same packet and the log ends:

192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #40 ] [ ] pid=37 DATA len=81
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #41 ] [ ] pid=37 DATA len=81
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #42 ] [ ] pid=37 DATA len=81

while 2.3.2 reads more data, successfully verifies the certificate and continues:

192.168.6.212:49428 UDPv4 READ [1404] from [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #40 ] [ 37 ] pid=3 DATA len=1350
192.168.6.212:49428 UDPv4 WRITE [50] to [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #40 ] [ 3 ]
192.168.6.212:49428 UDPv4 READ [642] from [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #41 ] [ ] pid=4 DATA len=600
192.168.6.212:49428 VERIFY OK: depth=1, C=UA, ST=UA, L=Kharkov, O=Powerman Home, OU=CA, CN=Powerman-CA, name=Powerman CA, emailAddress=my@e.mail
192.168.6.212:49428 VERIFY OK: depth=0, C=UA, ST=UA, L=Kharkov, O=Powerman Home, OU=VPN, CN=openvpn-client-powerman-phone, name=Powerman's Phone, emailAddress=my@e.mail
...


It's much more complicated to compare logs on verb=11, but it looks like the only important additions to verb=6 are:

1) Just before 2.3.3 does WRITE [123] instead of WRITE [89], these lines differ:

2.3.2: 192.168.6.212:41111 BIO read tls_read_ciphertext 47 bytes
2.3.2: 192.168.6.212:41111 ACK reliable_send ID 37 (size=51 to=2)
2.3.3: 192.168.6.212:41111 BIO read tls_read_ciphertext 81 bytes
2.3.3: 192.168.6.212:41111 ACK reliable_send ID 37 (size=85 to=2)

2) Much earlier, near start of this log:

2.3.2: 192.168.6.212:41111 SSL state (accept): SSLv3 read client hello B
2.3.3: 192.168.6.212:41111 SSL state (accept): SSLv3 read client hello A

Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.17, 3.15.5-hardened-r1_nouveau x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.15.5-hardened-r1_nouveau-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem:     8160640 total,    497592 free
KiB Swap:    4200960 total,   3797476 free
Timestamp of tree: Mon, 28 Jul 2014 18:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.6, 3.3.3
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo perl-experimental-snapshots gamerlay powerman local
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/upsmon-usb/EXT/DownOS /opt/upsmon-usb/EXT/JSystem /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask-write --backtrack=15"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://gentoo.iteam.net.ua/ http://tux.rainside.sk/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.inode.at/"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/perl-experimental-snapshots /var/lib/layman/gamerlay /var/lib/layman/powerman /usr/local/portage"
SYNC="rsync://rsync3.ua.gentoo.org/gentoo-portage"
USE="X a52 aac alac alsa amd64 avx bash-completion berkdb bzip2 caps cdda cddb cli cracklib crypt cxx dbus dri drm dts dvb dvd egl flac fontconfig gallium gdbm gif gnutls gpg hardened iconv icu id3tag idn ipv6 jpeg jpeg2k justify libnotify mac mad matroska mbox mmx mng modules mp3 mpeg multilib musepack mysql ncurses network-cron nls nptl nsplugin ogg opengl openmp openvg pam pax_kernel pcre perl png qt3support readline session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 svg tcpd theora tiff truetype unicode urandom vdpau vim-syntax vorbis wavpack x264 xattr xosd xtpax xv xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en ru ru_RU" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi fancyindex" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="x86_64 i386" 
QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

net-misc/openvpn-2.3.3 was built with the following:
USE="examples iproute2 lzo pam plugins ssl -down-root -passwordsave -pkcs11 (-polarssl) (-selinux) -static" ABI_X86="64"
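The verb=6 comparison in the comment above lends itself to a small log check. The following Python script is an added example and is not from this bug report, from the reporter, or from OpenVPN: it parses lines in the format quoted above, treats the `pid=[ #N ]` field as the per-packet counter and the trailing `pid=M DATA` field as the reliable-layer message id (an assumption drawn from the quoted lines, where the same `pid=37` recurs with increasing `#N`), and flags a peer as stalled when the server keeps resending the same control message while no P_CONTROL_V1 data arrives from the client, which is the pattern that separates the 2.3.3 log from the 2.3.2 one. The two sample logs are constructed from the lines in this comment with timestamps removed; the threshold of three sends and the regex are this example's own choices.

```python
"""Spot a stalled OpenVPN TLS handshake in verb=6 server logs.

Added example, not code from the bug report or from OpenVPN. The regex and
the verdict rules are assumptions about the log format based only on the
lines quoted in the comment above.
"""
import re
from collections import defaultdict

# Assumption: "pid=[ #N ]" is the per-packet counter and the trailing
# "pid=M DATA len=L" is the reliable-layer message id; a retransmit repeats
# M under a new N, which is what the 2.3.3 log shows for pid=37.
LINE_RE = re.compile(
    r"^(?P<peer>\S+) UDPv4 (?P<dir>READ|WRITE) \[(?P<size>\d+)\] (?:to|from) \S+: "
    r"(?P<op>P_[A-Z0-9_]+) kid=(?P<kid>\d+) pid=\[ #(?P<outer>\d+) \] \[(?P<acks>[^\]]*)\]"
    r"(?: pid=(?P<rel>\d+) DATA len=(?P<len>\d+))?"
)

# Constructed sample modelled on the 2.3.3 (failing) log quoted above.
STALLED_LOG = """\
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #39 ] [ ] pid=37 DATA len=81
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #37 ] [ 34 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #38 ] [ 35 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #39 ] [ 36 ]
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #40 ] [ ] pid=37 DATA len=81
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #41 ] [ ] pid=37 DATA len=81
192.168.6.212:49428 UDPv4 WRITE [123] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #42 ] [ ] pid=37 DATA len=81
"""

# Constructed sample modelled on the 2.3.2 (working) log quoted above.
HEALTHY_LOG = """\
192.168.6.212:49428 UDPv4 WRITE [89] to [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #39 ] [ ] pid=37 DATA len=47
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #37 ] [ 34 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #38 ] [ 35 ]
192.168.6.212:49428 UDPv4 READ [50] from [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #39 ] [ 36 ]
192.168.6.212:49428 UDPv4 READ [1404] from [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #40 ] [ 37 ] pid=3 DATA len=1350
192.168.6.212:49428 UDPv4 WRITE [50] to [AF_INET]192.168.6.212:49428: P_ACK_V1 kid=0 pid=[ #40 ] [ 3 ]
192.168.6.212:49428 UDPv4 READ [642] from [AF_INET]192.168.6.212:49428: P_CONTROL_V1 kid=0 pid=[ #41 ] [ ] pid=4 DATA len=600
192.168.6.212:49428 VERIFY OK: depth=1, C=UA, ST=UA, L=Kharkov, O=Powerman Home, OU=CA, CN=Powerman-CA, name=Powerman CA, emailAddress=my@e.mail
192.168.6.212:49428 VERIFY OK: depth=0, C=UA, ST=UA, L=Kharkov, O=Powerman Home, OU=VPN, CN=openvpn-client-powerman-phone, name=Powerman's Phone, emailAddress=my@e.mail
"""


def analyze(log_text, send_threshold=3):
    """Return {peer: {"status", "sends", "last_rel", "verified"}}.

    status is "ok" once a VERIFY OK line was seen for the peer, "stalled"
    when the last outbound control message id was sent at least
    send_threshold times with no inbound P_CONTROL_V1 in between, and
    "incomplete" otherwise (log cut short, nothing to conclude).
    """
    peers = defaultdict(lambda: {"last_rel": None, "sends": 0, "verified": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            # Certificate verification lines are not packet traces; count them
            # as proof that the client's TLS data did get through.
            if " VERIFY OK: " in line:
                peers[line.split(" ", 1)[0]]["verified"] += 1
            continue
        st = peers[m["peer"]]
        if m["op"] != "P_CONTROL_V1":
            continue  # P_ACK_V1 carries no TLS payload; not progress by itself
        if m["dir"] == "WRITE":
            if m["rel"] is None:
                continue
            rel = int(m["rel"])
            if rel == st["last_rel"]:
                st["sends"] += 1  # same reliable message id sent again
            else:
                st["last_rel"], st["sends"] = rel, 1
        else:
            st["sends"] = 0  # client delivered TLS data; handshake progressing
    report = {}
    for peer, st in peers.items():
        if st["verified"]:
            status = "ok"
        elif st["sends"] >= send_threshold:
            status = "stalled"
        else:
            status = "incomplete"
        report[peer] = {"status": status, "sends": st["sends"],
                        "last_rel": st["last_rel"], "verified": st["verified"]}
    return report


if __name__ == "__main__":
    for name, log in (("2.3.3 sample", STALLED_LOG), ("2.3.2 sample", HEALTHY_LOG)):
        for peer, info in analyze(log).items():
            print(f"{name}: {peer} -> {info['status']} "
                  f"(last control id {info['last_rel']} sent {info['sends']}x, "
                  f"{info['verified']} VERIFY OK lines)")
```

On the constructed 2.3.3 sample the server's reliable message 37 is written four times with nothing but ACKs coming back, so the peer is reported as stalled; on the 2.3.2 sample the client's control packets reset the counter and the VERIFY OK lines mark the handshake as completed. Feeding a real verb=6 log with several peers into `analyze()` gives one verdict per client address, which is a quicker way to find the affected clients than diffing logs by hand.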
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-30 09:46:04 UTC
Did you manage to try this out with other VPN clients?
Comment 4 Alex Efros 2014-07-30 15:53:35 UTC
(In reply to Jeroen Roovers from comment #3)
> Did you manage to try this out with other VPN clients?

No, but I've just tried 2.3.4-r1 and it works fine. So it's a regression in 2.3.3.
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-07-31 06:58:46 UTC
I'll just close this, then.