Summary: net-misc/openvpn-2.3.0 with dev-libs/openssl-1.0.1d - openvpn: Assertion failed at ssl.c:1857
Product: Gentoo Linux
Reporter: Thomas Beinicke <merlin>
Component: Current packages
Assignee: Dirkjan Ochtman <djc>
Severity: normal
CC: andrej.gelenberg, cedk, gentoo, marduk, pchrist, steffen.weber
Package list:
Runtime testing required: ---
openvpn client log, verb 5
(failed) build log for openvpn-2.3.0 against openssl-0.9.8y
openvpn client log, verb 5, mute disabled
Description Thomas Beinicke 2013-02-06 09:10:33 UTC
After upgrading to openssl-1.0.1d openvpn doesn't connect to a VPN server anymore. There is the following error in the syslog when trying to connect: "Assertion failed at ssl.c:1857". After downgrading to openssl-1.0.1c everything works again.
Reproducible: Always
Comment 1 Thomas Beinicke 2013-02-06 09:12:15 UTC
I did try to rebuild openvpn and also networkmanager but I get the same problem on trying to connect. I also tried to connect just via the supplied init scripts of openvpn and not networkmanager but the problem is the same.
Comment 2 Jeroen Roovers 2013-02-06 13:53:13 UTC
1) Please post your `emerge --info' output in a comment.
2) Please attach the entire build log to this bug report.
Comment 3 eroen 2013-02-06 13:57:02 UTC
I see the same behaviour. Rebuilding openvpn has no effect, downgrading openssl solves the issue. Attaching emerge --info and a (sanitized) openvpn (runtime, VERB=5) log since they weren't included in original report. I have only tested client-side.
Comment 4 eroen 2013-02-06 13:58:01 UTC
Created attachment 338094
openvpn client log, verb 5
Comment 6 Dirkjan Ochtman 2013-02-06 15:18:47 UTC
Upstream is asking if you can test with verb 5 but without mute. Also, it would be interesting to know if this also fails with 1.0.0k or 0.9.8y (i.e. other releases that fixed CVE-2013-0169).
Comment 7 Albert W. Hopkins 2013-02-06 17:04:37 UTC
Created attachment 338122
verb=5 output

Here's my sanitized output. I just took the params nm-openvpn uses and called them from the command line. There doesn't (to me) seem to be any additional info in the logs. The keys and certs were (obviously) created with an earlier version of OpenSSL.
Comment 8 eroen 2013-02-06 21:48:58 UTC
Created attachment 338152
(failed) build log for openvpn-2.3.0 against openssl-0.9.8y

In an attempt to test with openssl-0.9.8y, I unmerged the newer version and emerged 0.9.8y (I use preserve-libs). Attempting to emerge openvpn then fails, with
configure: error: ssl is required but missing
(build log attached for reference)
scanelf says the installed openvpn "needs" libssl.so.1.0.0, so I'm out of ideas about how to test against the openssl:0.9.8 slot. I can't seem to find openssl-1.0.0k in portage, which put a stop to testing against that.
Comment 9 eroen 2013-02-06 22:20:32 UTC
Created attachment 338162
openvpn client log, verb 5, mute disabled

I'm adding this in addition to Albert's log, on the off chance it helps. The previous log shows repeated failures before the fatal assert failure, which this log does not. The number of these failures is random (zero or more) when I try to reconnect. It might be an unrelated issue or not, or even just some timeout, but I do not see the failures and retries with openssl-1.0.1c.
Comment 10 Andrej Gelenberg 2013-02-06 22:59:24 UTC
claws-mail fails to connect to the IMAP server because of garbage in the server response. Downgrading to 1.0.1c solved the issue.
Comment 11 eroen 2013-02-06 23:05:15 UTC
I figured out how to build openvpn against the :0.9.8 slot of openssl (install both slots for headers and change the library symlinks, then rebuild openvpn), but openvpn failed to work with either openssl-0.9.8x or openssl-0.9.8y. With both versions, the openvpn process dies suddenly with seemingly no relevant output. I can provide logs if it is of interest. The last lines written are (verb=9):
Wed Feb 6 23:44:47 2013 us=621231 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Feb 6 23:44:47 2013 us=621307 ACK reliable_can_send active=0 current=0 :
Wed Feb 6 23:44:47 2013 us=621359 BIO write tls_write_ciphertext 100 bytes
Wed Feb 6 23:44:47 2013 us=621385 Incoming Ciphertext -> TLS
On the other hand, openvpn works swimmingly with openssl-1.0.0j.