Hello.
I have OpenVPN segfault when client connects, after upgrading from
OpenBSD 5.4/OpenVPN 2.3.1p2 package to OpenBSD 5.5/OpenVPN 2.3.2
package.
Server side :
=============
- OpenBSD sra-srv-004.company.fr 5.5
GENERIC#3 amd64, upgraded from 5.4 by install kernel
Note : I made the error during the whole upgrade process of uninstalling
packages AFTER upgrading instead of PRIOR TO. I had however prevented
all services from starting at boot by modifying accordingly
rc.conf.local, hostname.tun0, crontab... I don't see any connection with
my problem, but I prefer to state that right away.
- openvpn-2.3.2 package : openvpn --version
OpenVPN 2.3.2 x86_64-unknown-openbsd5.5 [SSL (OpenSSL)] [LZO] [eurephia]
[MH] [IPv6] built on Mar 5 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes
enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown
enable_dlopen_self_static=unknown enable_eurephia=yes
enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes
enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes
enable_lzo_stub=no enable_management=yes enable_multi=yes
enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes
enable_pedantic=no enable_pf=yes enable_pkcs11=no
enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes
enable_port_share=yes enable_selinux=no enable_server=yes
enable_shared=yes enable_shared_with_static_runtimes=no
enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes
enable_static=yes enable_strict=no enable_strict_options=no
enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no
with_crypto_library=openssl with_gnu_ld=no with_mem_check=no
with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
- server config :
user _openvpn
group _openvpn
writepid /var/run/openvpn.pid
tmp-dir /tmp
comp-lzo
persist-key
persist-tun
duplicate-cn
management 127.0.0.1 555
local 10.0.0.1
port 53
proto udp
dev-type tap
dev tun0
server-bridge 192.168.1.7 255.255.255.0 192.168.1.65 192.168.1.78
push "dhcp-option DOMAIN Company-RA.fr"
push "dhcp-option DNS 192.168.1.7"
cert /etc/openvpn/ssl/serveur_openvpn-company.crt
key /etc/openvpn/ssl/serveur_openvpn-company.key
tls-auth /etc/openvpn/ssl/ta-company.key 0
dh /etc/ssl/dh1024.pem
ca /etc/ssl/ca-company.crt
crl-verify /etc/ssl/crl/crl.pem
script-security 2
cipher AES-128-CBC
log-append /var/log/openvpn.log
verb 4
mute 10
status /var/log/openvpn-status.log
status-version 3
keepalive 10 120
max-clients 10
client-connect /usr/local/bin/openvpn_connexion.sh
client-disconnect /usr/local/bin/openvpn_deconnexion.sh
- network config :
# cat /etc/hostname.tun0
link0 up
!/usr/local/sbin/openvpn --config /etc/openvpn/server.conf --daemon
# cat /etc/hostname.bridge0
add em0
add tun0
up
Client side :
=============
- Windows 7 64 bits
- openvpn-install-2.3.3-I002-x86_64.exe (also tested
openvpn-install-2.3.6-I001-x86_64.exe and
openvpn-install-2.3.6-I601-x86_64.exe, same result)
- client config :
client
dev tap
dev-node TapOpenVPN
proto udp
remote x.y.z.t 53
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca-company.crt
cert joesixpack.crt
key joesixpack.key
ns-cert-type server
tls-auth ta-company.key 1
cipher AES-128-CBC
comp-lzo
verb 4
mute 10
explicit-exit-notify
Symptoms :
==========
- on server side : start OpenVPN either through tun0 interface up, or by
command line (without --daemon to witness process crash). It seems to
get up normally (according to log), and stays so as long as no client
connects :
Current Parameter Settings:
config = '/etc/openvpn/server.conf'
mode = 1
show_ciphers = DISABLED
show_digests = DISABLED
show_engines = DISABLED
genkey = DISABLED
key_pass_file = '[UNDEF]'
show_tls_ciphers = DISABLED
Connection profiles [default]:
NOTE: --mute triggered...
216 variation(s) on previous 10 message(s) suppressed by --mute
OpenVPN 2.3.2 x86_64-unknown-openbsd5.5 [SSL (OpenSSL)] [LZO]
[eurephia] [MH] [IPv6] built on Mar 5 2014
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:555
NOTE: when bridging your LAN adapter with the TAP adapter, note that
the new bridge adapter will often take on its own IP address that is
different from what the LAN adapter was previously set to
NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
Diffie-Hellman initialized with 1024 bit key
Control Channel Authentication: using
'/etc/openvpn/ssl/ta-company.key' as a OpenVPN static key file
Outgoing Control Channel Authentication: Using 160 bit message hash
'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash
'SHA1' for HMAC authentication
TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[41600->65536] S=[9216->65536]
TUN/TAP device tun0 exists previously, keep at program end
TUN/TAP device /dev/tun0 opened
Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
GID set to _openvpn
UID set to _openvpn
UDPv4 link local (bound): [AF_INET]10.0.0.1:53
UDPv4 link remote: [undef]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=192.168.1.65 size=14, ipv6=0
Initialization Sequence Completed
- on client side : launch connection
==> Segmentation fault on server side
# gdb /usr/local/sbin/openvpn
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "amd64-unknown-openbsd5.5"...(no debugging
symbols found)
(gdb) run --config /etc/openvpn/server.conf
Starting program: /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
(no debugging symbols found)
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
X509_cmp_time (ctm=0x112000000000, cmp_time=Variable "cmp_time" is not
available.
) at /usr/src/lib/libssl/crypto/../src/crypto/x509/x509_vfy.c:1733
1733 if (ctm->type == V_ASN1_UTCTIME)
(gdb) bt
#0 X509_cmp_time (ctm=0x112000000000, cmp_time=Variable "cmp_time" is
not available.
) at /usr/src/lib/libssl/crypto/../src/crypto/x509/x509_vfy.c:1733
#1 0x00001120cbc5d4bd in internal_verify (ctx=0x7f7ffffc48f0) at
/usr/src/lib/libssl/crypto/../src/crypto/x509/x509_vfy.c:1539
#2 0x00001120cbc5ea72 in X509_verify_cert (ctx=0x7f7ffffc48f0) at
/usr/src/lib/libssl/crypto/../src/crypto/x509/x509_vfy.c:367
#3 0x00001120cc54e668 in ssl_verify_cert_chain (s=0x1120cffc6400,
sk=Variable "sk" is not available.
) at /usr/src/lib/libssl/ssl/../src/ssl/ssl_cert.c:554
#4 0x00001120cc52e7bf in ssl3_get_client_certificate (s=0x1120cffc6400)
at /usr/src/lib/libssl/ssl/../src/ssl/s3_srvr.c:3282
#5 0x00001120cc5329b2 in ssl3_accept (s=0x1120cffc6400) at
/usr/src/lib/libssl/ssl/../src/ssl/s3_srvr.c:587
#6 0x00001120cc54035e in ssl3_read_bytes (s=0x1120cffc6400, type=23,
buf=0x1120cd006800 "", len=2048, peek=0) at
/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:988
#7 0x00001120cc541241 in ssl3_read_internal (s=0x1120cffc6400,
buf=0x1120cd006800, len=2048, peek=0) at
/usr/src/lib/libssl/ssl/../src/ssl/s3_lib.c:4207
#8 0x00001120cc527d31 in ssl_read (b=0x1120cffc5a00, out=0x1120cd006800
"", outl=2048) at /usr/src/lib/libssl/ssl/../src/ssl/bio_ssl.c:168
#9 0x00001120cbc9403f in BIO_read (b=0x1120cffc5a00,
out=0x1120cd006800, outl=2048) at
/usr/src/lib/libssl/crypto/../src/crypto/bio/bio_lib.c:212
#10 0x0000111ec2f6256b in pem_password_callback () from
/usr/local/sbin/openvpn
#11 0x0000111ec2f5ffea in pem_password_callback () from
/usr/local/sbin/openvpn
#12 0x0000111ec2f61c7d in pem_password_callback () from
/usr/local/sbin/openvpn
#13 0x0000111ec2f14626 in ?? () from /usr/local/sbin/openvpn
#14 0x0000111ec2f14d23 in ?? () from /usr/local/sbin/openvpn
#15 0x0000111ec2f30b5f in mroute_addr_hash_function () from
/usr/local/sbin/openvpn
#16 0x0000111ec2f3282a in mroute_addr_hash_function () from
/usr/local/sbin/openvpn
#17 0x0000111ec2f2d4cd in mroute_addr_hash_function () from
/usr/local/sbin/openvpn
#18 0x0000111ec2f34b6e in mroute_addr_hash_function () from
/usr/local/sbin/openvpn
#19 0x0000111ec2f09061 in ?? () from /usr/local/sbin/openvpn
#20 0x0000000000000000 in ?? ()
Thanks in advance for any hint. I have the OpenBSD 5.5 -> 5.6 upgrade
ahead of me, but I notice that the OpenVPN package for 5.6 seems to be
the same as on 5.5.
Olivier Debré
