Bug 455810 - net-misc/openvpn-2.3.0 with dev-libs/openssl-1.0.1d - openvpn: Assertion failed at ssl.c:1857
Status: RESOLVED DUPLICATE of bug 456108
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Dirkjan Ochtman (RETIRED)
Reported: 2013-02-06 09:10 UTC by Thomas Beinicke
Modified: 2013-02-08 01:06 UTC

openvpn client log, verb 5 (openvpn-openssl-log,10.74 KB, text/plain)
2013-02-06 13:58 UTC, eroen
emerge --info (file_455810.txt,7.87 KB, text/plain)
2013-02-06 13:59 UTC, eroen
verb=5 output (openvpndebug.txt,17.13 KB, text/plain)
2013-02-06 17:04 UTC, Albert W. Hopkins
(failed) build log for openvpn-2.3.0 against openssl-0.9.8y (build.log,16.20 KB, text/plain)
2013-02-06 21:48 UTC, eroen
openvpn client log, verb 5, mute disabled (openvpn-openssl-log-2,15.62 KB, text/plain)
2013-02-06 22:20 UTC, eroen

Description Thomas Beinicke 2013-02-06 09:10:33 UTC
After upgrading to openssl-1.0.1d openvpn doesn't connect to a VPN server anymore. There is the following error in the syslog when trying to connect: "Assertion failed at ssl.c:1857".

After downgrading to openssl-1.0.1c everything works again.

Reproducible: Always
Comment 1 Thomas Beinicke 2013-02-06 09:12:15 UTC
I did try to rebuild openvpn and also networkmanager but I get the same problem on trying to connect.

I also tried to connect just via the supplied init scripts of openvpn and not networkmanager but the problem is the same.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-06 13:53:13 UTC
1) Please post your `emerge --info' output in a comment.
2) Please attach the entire build log to this bug report.
Comment 3 eroen 2013-02-06 13:57:02 UTC
I see the same behaviour. Rebuilding openvpn has no effect, downgrading openssl solves the issue.

Attaching emerge --info and a (sanitized) openvpn (runtime, VERB=5) log since they weren't included in original report. 

I have only tested client-side.
Comment 4 eroen 2013-02-06 13:58:01 UTC
Created attachment 338094
openvpn client log, verb 5
Comment 5 eroen 2013-02-06 13:59:28 UTC
Created attachment 338096
emerge --info
Comment 6 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-02-06 15:18:47 UTC
Upstream is asking if you can test with verb 5 but without mute.

Also, it would be interesting to know if this also fails with 1.0.0k or 0.9.8y (i.e. other releases that fixed CVE-2013-0169).
Comment 7 Albert W. Hopkins 2013-02-06 17:04:37 UTC
Created attachment 338122
verb=5 output

Here's my sanitized output.  I just took the params nm-openvpn uses and called them from the command line.  There doesn't (to me) seem to be any additional info in the logs.  The keys and certs were (obviously) created with an earlier version of OpenSSL.
Comment 8 eroen 2013-02-06 21:48:58 UTC
Created attachment 338152
(failed) build log for openvpn-2.3.0 against openssl-0.9.8y

In an attempt to test with openssl-0.9.8y, I unmerged the newer version and emerged 0.9.8y (I use preserve-libs). Attempting to emerge openvpn then fails, with 
    configure: error:  ssl is required but missing
(build log attached for reference) 

scanelf says the installed openvpn "needs" , so I'm out of ideas about how to test against the openssl:0.9.8 slot.

I can't seem to find openssl-1.0.0k in portage, which put a stop to testing against that.
Comment 9 eroen 2013-02-06 22:20:32 UTC
Created attachment 338162
openvpn client log, verb 5, mute disabled

I'm adding this in addition to Albert's log, on the off chance it helps.

The previous log shows repeated failures before the fatal assert failure, which this log does not. The number of these failures is random (zero or more) when I try to reconnect. It might be an unrelated issue or not, or even just some timeout, but I do not see the failures and retries with openssl-1.0.1c.
Comment 10 Andrej Gelenberg 2013-02-06 22:59:24 UTC
claws-mail fails to connect to the imap server, because of garbage in the server response. Downgrading to 1.0.1c solved the issue.
Comment 11 eroen 2013-02-06 23:05:15 UTC
I figured out how to build openvpn against the :0.9.8 slot of openssl (install both slots for headers and change the library symlinks, then rebuild openvpn), but openvpn failed to work with either openssl-0.9.8x or openssl-0.9.8y.

With both versions, the openvpn process dies suddenly with seemingly no relevant output. I can provide logs if it is of interest. The last lines written are (verb=9):
    Wed Feb  6 23:44:47 2013 us=621231 TLS: tls_process: chg=0 ks=S_SENT_KEY lame=S_UNDEF to_link->len=0 wakeup=604800
    Wed Feb  6 23:44:47 2013 us=621307 ACK reliable_can_send active=0 current=0 : [3]
    Wed Feb  6 23:44:47 2013 us=621359 BIO write tls_write_ciphertext 100 bytes
    Wed Feb  6 23:44:47 2013 us=621385 Incoming Ciphertext -> TLS

On the other hand, openvpn works swimmingly with openssl-1.0.0j.
Comment 12 Ryan Hill (RETIRED) gentoo-dev 2013-02-08 01:06:44 UTC

*** This bug has been marked as a duplicate of bug 456108 ***