Bug 1741867
Summary: | key derivation for pre-shared key failed when md5 is used after updating openssl to 1.1.1c-2 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Artur <arus> |
Component: | strongswan | Assignee: | Pavel Šimerda <code> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 31 | CC: | avagarwa, code, mikhail.zabaluev |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-02-27 15:26:25 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Artur
2019-08-16 09:52:27 UTC
This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. Re-opening as it still does not work in Fedora 31. I'd like at least to see the statement, that this is not going to be fixed. Again - exemplary strongswan connection config and the effect in log conn testconn left=192.168.1.65 leftid=192.168.1.65 leftsubnet=192.168.2.0/24 right=192.168.1.99 rightid=192.168.1.99 rightsubnet=192.168.3.0/24 auto=route authby=secret ike=3des-md5-modp1024 esp=3des-md5-modp1024 lifetime=3600s ikelifetime=14400s margintime = 3m dpdaction=restart dpddelay=30s dpdtimeout=120s keyexchange=ikev1 Jan 20 10:58:57 somehost charon[3889]: 10[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (284 bytes) Jan 20 10:58:57 somehost charon[3889]: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ] Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received NAT-T (RFC 3947) vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62 Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received DPD vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received FRAGMENTATION vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[IKE] received FRAGMENTATION vendor ID Jan 20 10:58:57 somehost charon[3889]: 10[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00 Jan 20 10:58:57 somehost charon[3889]: 10[IKE] 192.168.1.99 is initiating a Main Mode IKE_SA Jan 20 10:58:57 somehost charon[3889]: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Jan 20 10:58:57 somehost charon[3889]: 10[ENC] generating ID_PROT response 0 [ SA V V V V ] Jan 20 10:58:57 somehost charon[3889]: 10[NET] sending packet: from 192.168.1.65[500] to 192.168.1.99[500] (156 bytes) Jan 20 10:58:57 somehost charon[3889]: 09[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (220 bytes) Jan 20 10:58:57 somehost charon[3889]: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Jan 20 10:58:57 somehost charon[3889]: 09[IKE] key derivation for pre-shared key failed Jan 20 10:58:57 somehost charon[3889]: 09[ENC] generating INFORMATIONAL_V1 request 3884519587 [ N(INVAL_KE) ] Jan 20 10:58:57 somehost charon[3889]: 09[NET] sending packet: from 192.168.1.65[500] to 192.168.1.99[500] (56 bytes) More detailed log output from IKE, maybe helpful: Jan 20 11:07:13 somehost charon[3889]: 14[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (284 bytes) Jan 20 11:07:13 somehost charon[3889]: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ] Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received NAT-T (RFC 3947) vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received DPD vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] 192.168.1.99 is initiating a Main Mode IKE_SA Jan 20 11:07:13 somehost charon[3889]: 14[IKE] IKE_SA (unnamed)[94] state change: CREATED => CONNECTING Jan 20 11:07:13 somehost charon[3889]: 14[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending XAuth vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending DPD vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending NAT-T (RFC 3947) vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] generating ID_PROT response 0 [ SA V V V V ] Jan 20 11:07:13 somehost charon[3889]: 14[NET] sending packet: from 192.168.1.65[500] to 192.168.1.99[500] (156 bytes) Jan 20 11:07:13 somehost charon[3889]: 15[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (220 bytes) Jan 20 11:07:13 somehost charon[Jan 20 11:07:13 somehost charon[3889]: 14[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (284 bytes) Jan 20 11:07:13 somehost charon[3889]: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ] Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received NAT-T (RFC 3947) vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received DPD vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] received FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] 192.168.1.99 is initiating a Main Mode IKE_SA Jan 20 11:07:13 somehost charon[3889]: 14[IKE] IKE_SA (unnamed)[94] state change: CREATED => CONNECTING Jan 20 11:07:13 somehost charon[3889]: 14[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending XAuth vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending DPD vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending FRAGMENTATION vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[IKE] sending NAT-T (RFC 3947) vendor ID Jan 20 11:07:13 somehost charon[3889]: 14[ENC] generating ID_PROT response 0 [ SA V V V V ] Jan 20 11:07:13 somehost charon[3889]: 14[NET] sending packet: from 192.168.1.65[500] to 192.168.1.99[500] (156 bytes) Jan 20 11:07:13 somehost charon[3889]: 15[NET] received packet: from 192.168.1.99[500] to 192.168.1.65[500] (220 bytes) Jan 20 11:07:13 somehost charon[3889]: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Jan 20 11:07:13 somehost charon[3889]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff683a16b50 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: B4 06 39 50 C4 7A 63 BF C6 C0 7D 80 8B CD 2B 6F ..9P.zc...}...+o Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 16: C0 A8 01 41 01 F4 ...A.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] natd_hash => 16 bytes @ 0x7ff644004dc0 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: AC 22 BD 73 84 F1 04 D9 83 91 78 63 66 5C CC E1 .".s......xcf\.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff683a16b50 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: B4 06 39 50 C4 7A 63 BF C6 C0 7D 80 8B CD 2B 6F ..9P.zc...}...+o Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 16: C0 A8 01 63 01 F4 ...c.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] natd_hash => 16 bytes @ 0x7ff644008a50 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: 5A 34 CA 5B 6C 66 B1 22 74 13 AA D9 E6 B4 A4 71 Z4.[lf."t......q Jan 20 11:07:13 somehost charon[3889]: 15[IKE] precalculated src_hash => 16 bytes @ 0x7ff644008a50 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: 5A 34 CA 5B 6C 66 B1 22 74 13 AA D9 E6 B4 A4 71 Z4.[lf."t......q Jan 20 11:07:13 somehost charon[3889]: 15[IKE] precalculated dst_hash => 16 bytes @ 0x7ff644004dc0 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: AC 22 BD 73 84 F1 04 D9 83 91 78 63 66 5C CC E1 .".s......xcf\.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] received dst_hash => 16 bytes @ 0x7ff644005f50 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: AC 22 BD 73 84 F1 04 D9 83 91 78 63 66 5C CC E1 .".s......xcf\.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] received src_hash => 16 bytes @ 0x7ff644008b10 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: 5A 34 CA 5B 6C 66 B1 22 74 13 AA D9 E6 B4 A4 71 Z4.[lf."t......q Jan 20 11:07:13 somehost charon[3889]: 15[IKE] shared Diffie Hellman secret => 128 bytes @ 0x7ff644003ae0 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 0: 45 CE 54 9D C8 6D 5E D5 86 13 55 92 67 28 9D 32 E.T..m^...U.g(.2 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 16: 14 80 D4 42 0E 54 FE 2B 67 6D 0A 11 8F 23 10 31 ...B.T.+gm...#.1 Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 32: D2 70 75 64 9D C9 4F 97 81 93 B5 81 F2 24 09 4B .pud..O......$.K Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 48: 19 93 5B 58 91 4E 55 F8 A6 7F 6F 3B 77 F1 2F F5 ..[X.NU...o;w./. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 64: 05 87 ED 08 47 6D 1E 19 A7 62 31 BD 58 AE 3A B8 ....Gm...b1.X.:. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 80: BD 4E D7 B6 32 72 1F 33 ED D4 89 B2 4B 3A BF C6 .N..2r.3....K:.. Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 96: D7 1B 5B F2 70 D3 95 B4 2C E2 43 DF D5 19 17 8A ..[.p...,.C..... Jan 20 11:07:13 somehost charon[3889]: 15[IKE] 112: 04 D5 59 93 A5 A8 17 39 38 8A 8A 60 42 04 0C 85 ..Y....98..`B... Jan 20 11:07:13 somehost charon[3889]: 15[IKE] key derivation for pre-shared key failed Jan 20 11:07:13 somehost charon[3889]: 15[IKE] queueing INFORMATIONAL task Jan 20 11:07:13 somehost charon[3889]: 15[IKE] activating new tasks Jan 20 11:07:13 somehost charon[3889]: 15[IKE] activating INFORMATIONAL task Jan 20 11:07:13 somehost charon[3889]: 15[ENC] generating INFORMATIONAL_V1 request 4075161683 [ N(INVAL_KE) ] Jan 20 11:07:13 somehost charon[3889]: 15[NET] sending packet: from 192.168.1.65[500] to 192.168.1.99[500] (56 bytes) Jan 20 11:07:13 somehost charon[3889]: 15[IKE] IKE_SA (unnamed)[94] state change: CONNECTING => DESTROYING It looks like it will be resolved in strongswan 5.8.2. I will check again and close this bug when 5.8.2 is pushed to the official dnf repository. Works with strongswan 5.8.2. Closing this. |