Your message dated Sun, 24 Jul 2022 16:07:28 +0000
with message-id <e1ofe8e-00089t...@fasolo.debian.org>
and subject line Bug#1012129: fixed in openvpn 2.6.0~git20220518+dco-3
has caused the Debian Bug report #1012129,
regarding openvpn: 2.6 client fails authentication against older server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1012129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openvpn
Version: 2.6.0~git20220518+dco-1
Severity: important
Hi!
Just upgraded openvpn the other day and could not connect anymore to the
VPN. Reverting back to 2.5.6-1 makes it work again. I checked #1011473
and nothing there seemed relevant. Here's an (edited) excerpt from the
log (from today's retry):
,---
[…]
2022-05-30 18:07:07 WARNING: Compression for receiving enabled. Compression
has been used in the past to break encryption. Sent packets are not compressed
unless "allow-compression yes" is also set.
[…]
2022-05-30 18:07:07 us=415641 Cannot find ovpn_dco netlink component: Object
not found
2022-05-30 18:07:07 us=415662 Note: Kernel support for ovpn-dco missing,
disabling data channel offload.
2022-05-30 18:07:07 us=416916 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May
20 2022
2022-05-30 18:07:07 us=416925 library versions: OpenSSL 3.0.3 3 May 2022, LZO
2.10
2022-05-30 18:07:07 us=419756 Outgoing Control Channel Authentication: Using
512 bit message hash 'SHA2-512' for HMAC authentication
2022-05-30 18:07:07 us=419776 Incoming Control Channel Authentication: Using
512 bit message hash 'SHA2-512' for HMAC authentication
2022-05-30 18:07:07 us=419787 LZO compression initializing
2022-05-30 18:07:07 us=419849 Control Channel MTU parms [ mss_fix:0
max_frag:0 tun_mtu:1250 headroom:126 payload:1376 tailroom:126 ET:0 ]
2022-05-30 18:07:07 us=420380 Data Channel MTU parms [ mss_fix:0 max_frag:0
tun_mtu:1500 headroom:136 payload:1736 tailroom:557 ET:0 ]
2022-05-30 18:07:07 us=420424 Local Options String (VER=V4): 'V4,dev-type
tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher
AES-256-CBC,auth SHA2-512,keysize 256,tls-auth,key-method 2,tls-client'
2022-05-30 18:07:07 us=420431 Expected Remote Options String (VER=V4):
'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir
0,cipher AES-256-CBC,auth SHA2-512,keysize 256,tls-auth,key-method 2,tls-server'
2022-05-30 18:07:07 us=420437 TCP/UDP: Preserving recently used remote
address: [AF_INET]<remote-ip>:<remote-port>
2022-05-30 18:07:07 us=420449 Socket Buffers: R=[212992->212992]
S=[212992->212992]
2022-05-30 18:07:07 us=420457 Note: enable extended error passing on TCP/UDP
socket failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-05-30 18:07:07 us=420461 UDP link local: (not bound)
2022-05-30 18:07:07 us=420466 UDP link remote:
[AF_INET]<remote-ip>:<remote-port>
2022-05-30 18:07:07 us=458976 TLS: Initial packet from
[AF_INET]<remote-ip>:<remote-port>, sid=<remote-sid>
2022-05-30 18:07:07 us=544314 VERIFY OK: depth=2, <cert-root-info>
2022-05-30 18:07:07 us=545081 VERIFY OK: depth=1, <cert-ca-info>
2022-05-30 18:07:07 us=545608 Validating certificate extended key usage
2022-05-30 18:07:07 us=545645 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
2022-05-30 18:07:07 us=545663 VERIFY EKU OK
2022-05-30 18:07:07 us=545678 VERIFY X509NAME OK: <cert-info>
2022-05-30 18:07:07 us=545693 VERIFY OK: depth=0, <cert-info>
2022-05-30 18:07:07 us=649111 WARNING: 'auth' is used inconsistently,
local='auth SHA2-512', remote='auth SHA512'
2022-05-30 18:07:07 us=649265 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-05-30 18:07:07 us=649317 [<remote-name>] Peer Connection Initiated with
[AF_INET]<remote-ip>:<remote-port>
2022-05-30 18:07:08 us=824515 SENT CONTROL [<remote-name>]: 'PUSH_REQUEST'
(status=1)
2022-05-30 18:07:08 us=863166 AUTH: Received control message: AUTH_FAILED
2022-05-30 18:07:08 us=863611 TCP/UDP: Closing socket
2022-05-30 18:07:08 us=863809 SIGTERM[soft,auth-failure] received, process
exiting
`---
The auth setting is locally set to SHA512, I'm assuming OpenSSL remaps
it, but that's just a warning. It just seems to be failing at the
PUSH_REQUEST step. Setting «compat-mode 2.5.6» did not help either.
Thanks,
Guillem
--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.6.0~git20220518+dco-3
Done: Bernhard Schmidt <be...@debian.org>
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated openvpn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 Jul 2022 17:13:47 +0200
Source: openvpn
Architecture: source
Version: 2.6.0~git20220518+dco-3
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <be...@debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Closes: 1012129
Changes:
openvpn (2.6.0~git20220518+dco-3) unstable; urgency=medium
.
[ Lucas Kanashiro ]
* d/t/server-setup-with-static-key: set cipher to be DES-EDE3-CBC
* d/t/server-setup-with-static-key: use 'secret' to generate key
* d/t/server-setup-with-*: use 'set -x' in the test scripts
* d/t/control: add allow-stderr restriction
.
[ Bernhard Schmidt ]
* Import Ubuntu patch cherry-picked from upstream to translate OpenSSL 3.0
digest names into OpenSSL 1.1 digest names (Closes: #1012129)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
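Added example, not part of the bug report and not OpenVPN or Debian code: a log triage helper that separates "is used inconsistently" warnings caused only by OpenSSL 3.0 versus OpenSSL 1.1 digest spelling, such as the `auth SHA2-512` / `auth SHA512` warning in the report, from genuine option mismatches. The mapping table is an assumed subset (only the SHA2-512/SHA512 pair appears in the log), and the `cipher` warning in the sample is constructed.

```python
import re

# Assumed subset of OpenSSL 3.0 -> OpenSSL 1.1 digest spellings. Only the
# SHA2-512 / SHA512 pair appears in the log above; the others are illustrative.
OSSL3_TO_OSSL11 = {
    "SHA2-224": "SHA224",
    "SHA2-256": "SHA256",
    "SHA2-384": "SHA384",
    "SHA2-512": "SHA512",
}

WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)

# Constructed sample: lines re-joined from the wrapped log in the report, plus
# one invented 'cipher' warning to show a mismatch that is not a naming issue.
SAMPLE_LOG = """\
2022-05-30 18:07:07 us=545693 VERIFY OK: depth=0, <cert-info>
2022-05-30 18:07:07 us=649111 WARNING: 'auth' is used inconsistently, local='auth SHA2-512', remote='auth SHA512'
2022-05-30 18:07:07 us=649200 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'
2022-05-30 18:07:08 us=863166 AUTH: Received control message: AUTH_FAILED
"""


def canonical(option_text):
    """Rewrite the value of an 'auth <digest>' option to its 1.1 spelling."""
    key, _, value = option_text.partition(" ")
    if key == "auth":
        value = value.upper()
        value = OSSL3_TO_OSSL11.get(value, value)
    return f"{key} {value}".strip()


def triage(log_text):
    """Return [(option, verdict)] for each inconsistency warning in the log."""
    results = []
    for m in WARN_RE.finditer(log_text):
        same = canonical(m["local"]) == canonical(m["remote"])
        results.append((m["opt"], "naming-only" if same else "real-mismatch"))
    return results


if __name__ == "__main__":
    for opt, verdict in triage(SAMPLE_LOG):
        print(f"{opt}: {verdict}")
```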