Bug 537318

Summary: net-misc/openvpn-2.3.6 - TLS_ERROR: BIO read tls_read_plaintext error: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression
Product: Gentoo Linux
Reporter: Anton Bolshakov <anton.bugs>
Component: Current packages
Assignee: Dirkjan Ochtman (RETIRED) <djc>
Status: RESOLVED FIXED
Severity: normal
CC: alexanderyt
Priority: Normal
Version: 10.1
Hardware: All
OS: Linux
See Also: https://community.openvpn.net/openvpn/ticket/502
Attachments: Disable SSL compression patch

Description Anton Bolshakov 2015-01-22 07:37:50 UTC
I'm facing an issue with Netgear (Case #24518893) and OpenVPN (ticket/502) where the connection would fail with the "SSL3_GET_RECORD:bad decompression" error message.

A Google search showed that there are a lot of people having the same issue with different products as well (nginx, apache, ruby etc.).

Apparently, the root cause is in zlib and openssl incapability. It was also not possible to disable SSL_OP_NO_COMPRESSION in openssl:0.9.8.

I've filed upstream bugs for both Netgear and OpenVPN and created a patch.
OpenVPN devs seem ready to accept the patch (or will simply disable SSL compression). For more details, see the following bug report:

https://community.openvpn.net/openvpn/ticket/502


While it is a work in progress, it's not clear how long it will take for upstream to fix the issue and release a new version.

So I suggest accepting the patch now.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-01-31 09:37:55 UTC
Due to the sensitive nature of OpenVPN and the maintenance burden, I don't really want to take patches that have not been approved by upstream. Please try to convince the upstream maintainers, then I will be happy to update the ebuild.
Comment 2 Anton Bolshakov 2015-02-05 08:47:52 UTC
The upstream has agreed, so it's just a matter of time.
However, the patch might be different so I fully understand your concerns.

You could consider adding "epatch_user" so affected users would be able to fix it themselves while the upstream bug report is pending.
Comment 3 Anton Bolshakov 2015-02-16 14:21:35 UTC
The upstream bug report has been resolved. 
Here is the link to the patch:
https://community.openvpn.net/openvpn/changeset/5d5233778868ddd568140c394adfcfc8e3453245/

Feel free to accept it.
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-02-16 14:52:19 UTC
Yup, I've been monitoring the upstream bug report. I'll attempt to backport the patch some time this week, as I have time.
Comment 5 Anton Bolshakov 2015-02-16 15:01:39 UTC
Created attachment 396594
Disable SSL compression patch

Basically, they have accepted my patch (without debug log line).
Should take 3min to "backport" it. It's just 3 lines of code ;-)

Thanks.
Comment 6 Dirkjan Ochtman (RETIRED) gentoo-dev 2015-02-17 20:14:12 UTC
Committed in 2.3.6-r2, thanks!