Bug 1479457 - OpenVPN 2.4.3 fails when configured with keysize 384
Status: CLOSED UPSTREAM
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Version: el6
Assigned To: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-08 11:05 EDT by Alexandre Venancio
Modified: 2017-08-08 19:13 EDT
Last Closed: 2017-08-08 19:13:54 EDT
Type: Bug

Description Alexandre Venancio 2017-08-08 11:05:11 EDT
Description of problem:
After upgrading OVPN to v2.4.3 on client and server, when the daemon is started it kills the OpenVPN server.
It appears that the parameter "keysize 384" configured on OVPN clients and server is causing it; if we change it to "keysize 256" it works.
Below are the logs of the OpenVPN server; I have indicated the line with the error.

ovpn_server logs:
Wed Aug 2 21:59:04 2017 10.1.1.172:55208 [ovpn_client01.com] Peer Connection Initiated with [AF_INET]10.1.1.172:55208
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 OPTIONS IMPORT: reading client specific options from: ccd/ovpn_client01.com
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 MULTI: Learn: 198.18.121.22 -> ovpn_client01.com/10.1.1.172:55208
Wed Aug 2 21:59:04 2017 ovpn_client01.com/10.1.1.172:55208 MULTI: primary virtual IP for ovpn_client01.com/10.1.1.172:55208: 198.18.121.22
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 SENT CONTROL [ovpn_client01.com]: 'PUSH_REPLY,route 198.18.121.1,topology net30,ping 14,ping-restart 120,route 198.18.254.0 255.255.254.0,ifconfig 198.18.121.22 198.18.121.1,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Data Channel: using negotiated cipher 'AES-256-GCM'

Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length <<<----------- ERROR ------------------

Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 EVP set key size
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Exiting due to fatal error  <<<------ ERROR on server killing the daemon
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 /sbin/ip route del 198.18.121.0/24
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 Closing TUN/TAP interface
Wed Aug 2 21:59:05 2017 ovpn_client01.com/10.1.1.172:55208 /sbin/ip addr del dev tun0 local 198.18.121.1 peer 198.18.121.2


OpenVPN packages on the servers:
[@ovpn_server01 ~]# rpm -qa |grep -Ei 'pkcs|vpn|openssl'
openssl-1.0.1e-57.el6.x86_64
pkcs11-helper-1.11-3.el6.x86_64
pyOpenSSL-0.13.1-2.el6.x86_64
openssl098e-0.9.8e-20.el6_7.1.x86_64
openvpn-2.4.3-1.el6.x86_64

[@ovpn_client01.com ~]$ rpm -qa |grep -Ei 'pkcs|vpn|openssl'
pyOpenSSL-0.13.1-2.el6.x86_64
openvpn-2.4.3-1.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
pkcs11-helper-1.11-3.el6.x86_64

Version-Release number of selected component (if applicable):
 openvpn-2.4.3-1.el6.x86_64


How reproducible:
1. Upgrade to openvpn-2.4.3-1.el6.x86_64 and configure OpenVPN
2. Configure the openvpn server and client with "keysize 384"
#######################################
OpenVPN SERVER Configuration file:
server 198.18.121.0 255.255.255.0
local 10.1.1.166
#server

dev tun
#topology subnet 
#tun-mtu 1000
proto tcp
port 443
status /var/log/openvpn/openvpn_server-443_status.log 60
status-version 1
management 127.0.0.1 9090
log-append /var/log/openvpn/openvpn_server-443.log
verb 3
tls-server
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

dh /etc/openvpn/pki/dh2048.pem
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/openvpn_server.crt
key /etc/openvpn/pki/openvpn_server.key  # This file should be kept secret

keepalive 14 120

client-config-dir ccd


#######################################
OpenVPN CLIENT Configuration File:
client
dev tun
proto tcp

# Define OpenVPN Servers here
# remote $OVPN_IP 443
# remote $OVPN2_IP 443
remote 10.1.1.166 443

nobind

ca pki/ca.crt
cert pki/openvpn_client.com.crt
key pki/openvpn_client.com.key

ns-cert-type server
status /var/log/openvpn_client-openvpn-status.log 300
status-version 1
log-append /var/log/openvpn_client-openvpn.log
verb 3
tls-client
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

keepalive 14 120
nice -1

Actual results:
After starting the daemon on the client, it crashes the OVPN daemon on the server side.

Expected results:
An openvpn connection established between the client and server with a strong cipher

Additional info:
If the client runs OVPN v2.3.x and the server v2.4.3, it connects fine even with "keysize 384".
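Added example (editor's own Python, not the reporter's configuration and not OpenVPN project code): a small linter that parses OpenVPN 2.4-style config text and checks whether the `keysize` directive can be applied to each data-channel cipher that may end up in use. It models what the server log above shows: an OpenVPN 2.4 client negotiates a cipher from the server's default `ncp-ciphers` list, AES-256-GCM:AES-128-GCM, and both are fixed-key AES variants, so a 384-bit `keysize` is rejected by OpenSSL's EVP_CIPHER_CTX_set_key_length and the daemon exits; a 2.3 client does not negotiate, so the static default cipher BF-CBC is used, and Blowfish accepts 32 to 448-bit keys, which is why that pairing works. `keysize` itself is deprecated in 2.4. The cipher tables, the simplified negotiation model and the trimmed sample configs (REPORTED_SERVER, CORRECTED_SERVER) are the editor's assumptions and constructed inputs.

```python
"""Lint an OpenVPN 2.4 config for a `keysize` its data-channel cipher cannot take.

Editor's added example: not code from OpenVPN or from the bug report.
Standard library only; the cipher tables and negotiation model are assumptions.
"""
import shlex

# Key lengths (bits) OpenSSL accepts for the fixed-length AES EVP ciphers.
FIXED_KEY_BITS = {
    "AES-128-CBC": 128, "AES-192-CBC": 192, "AES-256-CBC": 256,
    "AES-128-GCM": 128, "AES-192-GCM": 192, "AES-256-GCM": 256,
}
# Variable-length ciphers, (min, max) bits: the only place `keysize` means anything.
VARIABLE_KEY_BITS = {"BF-CBC": (32, 448), "CAST5-CBC": (40, 128)}

DEFAULT_CIPHER = "BF-CBC"                              # 2.4 default for `cipher`
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]   # 2.4 default `ncp-ciphers`


def parse_config(text):
    """Parse config text into {option: [args]}; last occurrence of an option wins.
    Simplification: '#' starts a comment anywhere, ';' only at line start,
    quoting follows shell rules (enough for the quoted tls-cipher above)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0].lower()] = tokens[1:]
    return opts


def candidate_ciphers(opts, peer_negotiates=True):
    """Ciphers that may be selected for the data channel, in preference order.
    Model: a 2.4 peer negotiates one of `ncp-ciphers` (falling back to the
    static `cipher`); a 2.3 peer, or `ncp-disable`, uses the static `cipher`."""
    static = opts.get("cipher", [DEFAULT_CIPHER])[0].upper()
    if not peer_negotiates or "ncp-disable" in opts:
        return [static]
    ncp = opts.get("ncp-ciphers")
    ncp_list = ncp[0].upper().split(":") if ncp else list(DEFAULT_NCP_CIPHERS)
    return ncp_list + [static]


def lint_keysize(opts, peer_negotiates=True):
    """Return [(severity, message)]; 'fatal' means OpenVPN exits at key setup."""
    findings = []
    if "keysize" not in opts:
        return findings
    bits = int(opts["keysize"][0])
    findings.append(("warn", f"keysize {bits} is deprecated in 2.4; pick the "
                             "key length through `cipher` instead"))
    for cipher in candidate_ciphers(opts, peer_negotiates):
        if cipher in FIXED_KEY_BITS:
            want = FIXED_KEY_BITS[cipher]
            if bits != want:
                findings.append(("fatal", f"{cipher} has a fixed {want}-bit key; "
                                 f"keysize {bits} makes EVP_CIPHER_CTX_set_key_length fail"))
        elif cipher in VARIABLE_KEY_BITS:
            lo, hi = VARIABLE_KEY_BITS[cipher]
            if not lo <= bits <= hi:
                findings.append(("fatal", f"{cipher} accepts {lo}-{hi}-bit keys, not {bits}"))
        else:
            findings.append(("warn", f"{cipher}: key-length rules unknown to this linter"))
    return findings


def fatal_count(findings):
    return sum(1 for severity, _ in findings if severity == "fatal")


# Constructed sample: the crypto-relevant lines of the reported server config.
REPORTED_SERVER = """
server 198.18.121.0 255.255.255.0
dev tun
proto tcp
tls-server
keysize 384
auth SHA256
tls-version-min 1.2
tls-cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"
key /etc/openvpn/pki/openvpn_server.key  # This file should be kept secret
"""
# Corrected form: drop keysize and name the 256-bit AEAD cipher explicitly.
CORRECTED_SERVER = REPORTED_SERVER.replace("keysize 384\n", "cipher AES-256-GCM\n")

if __name__ == "__main__":
    cases = [("2.4 client", REPORTED_SERVER, True),
             ("2.3 client", REPORTED_SERVER, False),
             ("corrected", CORRECTED_SERVER, True)]
    for label, text, negotiates in cases:
        findings = lint_keysize(parse_config(text), negotiates)
        print(f"{label}: {fatal_count(findings)} fatal, {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  {severity}: {message}")
```

Run it as-is and the reported config yields two fatal findings for a 2.4 peer (AES-256-GCM and AES-128-GCM both refuse a 384-bit key), only the deprecation warning for a 2.3 peer (BF-CBC takes 384 bits), and nothing for the corrected config, which matches the behaviour described in the report and in the "Additional info" above.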
Comment 1 David Sommerseth 2017-08-08 19:13:54 EDT
This is being worked on by upstream, and is a known upstream bug ==> CLOSED:UPSTREAM

For more details:
http://community.openvpn.net/openvpn/ticket/924
